On Sat, Jul 15, 2017 at 09:06:41PM +0200, Salvatore Bonaccorso wrote:
> Source: php-cas
> Version: 1.3.3-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/Jasig/phpCAS/issues/228
>
> Hi,
>
> the following vulnerability was published for php-cas.
>
> CVE-2017-1
On Fri, Jan 11, 2019 at 09:03:37AM +0100, Salvatore Bonaccorso wrote:
> Source: ceph
> Version: 12.2.10+dfsg1-1
> Severity: important
> Tags: patch security upstream
> Forwarded: http://tracker.ceph.com/issues/37847
>
> Hi,
>
> The following vulnerability was published for ceph.
>
> CVE-2018-168
On Tue, Jan 08, 2019 at 09:36:52PM +0100, Salvatore Bonaccorso wrote:
> Source: libexif
> Version: 0.6.21-5
> Severity: important
> Tags: security upstream
> Control: found -1 0.6.21-2
>
> Hi,
>
> The following vulnerability was published for libexif, for now filling
> primarily for tracking, as t
On Fri, May 11, 2012 at 04:15:46PM +0900, Ryo IGARASHI wrote:
> Package: x11vnc
> Version: 0.9.13-1
> Severity: normal
> Tags: ipv6
>
> Dear Maintainer,
>
> After reporting the bug #672435, I try to disable ipv6 settings of x11vnc.
> Accordin
On Fri, Dec 28, 2018 at 05:47:18PM +0100, Bastian Venthur wrote:
> Package: wnpp
> Severity: normal
>
> I intend to orphan the reportbug-ng package. I've been asking for help
> maintaining it years ago without response, so I'm now orphaning it. The
> current
> popcon value is around 300, so it ma
On Mon, Feb 11, 2019 at 03:07:36PM +0100, Chris Lamb wrote:
> [Adding t...@security.debian.org to CC]
>
> Chris Lamb wrote:
>
> > retitle 922027 CVE-2019-6975: Memory exhaustion in
> > django.utils.numberformat.format()
> > severity 922027 grave
> > found 922027 1:1.10.7-2+deb9u3
> > tags 922027
On Sat, Feb 16, 2019 at 11:31:24AM +, Adam D. Barratt wrote:
> On Fri, 2019-02-08 at 21:03 +0100, Moritz Muehlenhoff wrote:
> > This disables the browser plugin (which was broken due to the Firefox
> > Quantum changes), the equivalent change in sid was done in 1.7.1-1.
>
> Unfortunately, we
On Tue, Jul 31, 2018 at 11:29:16AM +0900, Nobuhiro Iwamatsu wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian@packages.debian.org
> Usertags: pu
>
> Dear stable release manager,
>
> I hereby propose an update for stretch of mruby.
There's a few mo
Hi Ferenc,
On Fri, Aug 03, 2018 at 11:59:08AM +0200, Ferenc Wágner wrote:
> The proposed source debdiff for stretch-security:
>
> I tested the resulting package, it fixed the bug and didn't cause any
> breakage for me.
Ok, sounds good.
> There is a header file change affecting inline function b
On Mon, Feb 26, 2018 at 12:01:35PM +0100, Bernhard Schmidt wrote:
> Package: wnpp
> Severity: normal
>
> Hi,
>
> on behalf of the Debian VoIP team I intend to orphan the package
> h323plus.
>
> It is a reverse dependency of
>
> - gnugk (orphaned in #891509)
> - openam (RM requested in #891508)
On Mon, Jun 04, 2018 at 12:47:48PM -0400, Reinhard Tartler wrote:
> Ok, thanks. That sounds like a good plan!
BTW, I'm not sure if Talos security actually reported these to the
cesanta/mongoose upstream project or whether they're doing it
for the security buzz/advertising factor...
I saw that up
retitle 900848 RM: skipfish -- RoM; dead upstream, RC-buggy
reassign 900848 ftp.debian.org
severity 900848 normal
thanks
On Fri, Jun 08, 2018 at 08:41:06AM +0200, bart...@fenski.pl wrote:
> Hey Moritz,
>
> Yeah I think we should remove that package at this point.
> Thanks a lot for taking care of
On Sun, Jun 10, 2018 at 02:59:49PM -0400, Hugo Lefeuvre wrote:
>
> lame 3.99.5+repack1-7+deb8u1 is affected by several vulnerabilities in
> the code used to read the input file. These issues are not present in
> any Debian release after Jessie because the package switched to
> libsndfile to read a
On Thu, Jun 14, 2018 at 02:10:27PM +0100, Chris Lamb wrote:
> Chris Lamb wrote:
>
> > > redis: multiple security issues in Lua scripting
> >
> > This has now been assigned CVE-2018-11219 & CVE-2018-11218.
>
> Security team, permission to upload the attached to
> stretch-security?
>
> redis (3
On Sat, Jun 16, 2018 at 04:09:04PM +0100, Chris Lamb wrote:
> Hi Moritz,
>
> > For future updates please include the git commit IDs to debian/patches
>
> Sure. I've added commit IDs to the files in debian/patches and
> uploaded redis_3.2.6-3+deb9u1_amd64.changes with those — and no
> other! — cha
On Sun, Nov 26, 2017 at 01:52:04PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Fri, 2017-11-24 at 23:18 +0100, Moritz Muehlenhoff wrote:
> > I'd like to add a fix for a minor security issue in Python 2.7 to the
> > as a followup update to what's already in spu. debdiff is b
On Thu, Nov 30, 2017 at 11:59:26AM +0100, Raphael Hertzog wrote:
> Hello Moritz,
>
> On Wed, 09 Mar 2016, Moritz Muehlenhoff wrote:
> > (This is a first high level view, the exact requirements can be hashed
> > out later.)
>
> It would be good to go a bit into more details now.
>
> > It would be
On Sat, Jun 23, 2018 at 09:11:14AM +0200, Moritz Muehlenhoff wrote:
> Source: libjpeg9
> Severity: normal
> Tags: security
>
> There have been three reports of minor bugs in libjpeg, which
> ended up getting a CVE ID assigned:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11214
> htt
On Wed, Jun 27, 2018 at 08:18:01PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> > It's a straightforward rebuild. The debdiff against 1:4.0.1-10
> > from buster is very simple (with an additional build conflicts
> > I ran into when preparing the build).
>
> Please go ahead.
Upl
On Sun, Jul 01, 2018 at 06:44:08PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Fri, 2018-06-08 at 22:41 +0200, Moritz Muehlenhoff wrote:
> > dosbox is broken in the default setting on a number of systems/DOS
> > binaries
> > (see #857341). This got fixed in unstable back in
On Mon, Dec 25, 2017 at 09:26:58PM +0100, Ludovico Cavedon wrote:
> - #866721 and #866719, which are security-related issues. Do you want
> me to reach out to the security team about these first?
Those are marked no-dsa for quite a while, so not needed.
Cheers,
Moritz
Hi,
Sorry for the late reply, busy over the holiday season.
On Mon, Dec 18, 2017 at 12:12:08PM +0100, Raphael Hertzog wrote:
> Hi,
>
> On Sun, 17 Dec 2017, Moritz Mühlenhoff wrote:
> > unattended-upgrades are not an appropriate default. It's okay for a desktop
> > syst
On Sun, Mar 11, 2018 at 02:02:22PM +0100, Rene Engelhard wrote:
> Hi,
>
> On Sun, Mar 11, 2018 at 08:43:32AM +0100, Salvatore Bonaccorso wrote:
> > CVE-2018-7999[0]:
> > | In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference
> > | vulnerability was found in Segment.cpp during a dumbRend
On Wed, Mar 14, 2018 at 12:39:22PM -0300, Henrique de Moraes Holschuh wrote:
> On Wed, 14 Mar 2018, Moritz Muehlenhoff wrote:
> > On Sun, Jan 21, 2018 at 07:47:35AM -0200, Henrique de Moraes Holschuh wrote:
> > > severity 887856 grave
> > > block 887856 by 886998
> > > thanks
> > >
> > > On Sat, 2
On Mon, Mar 19, 2018 at 05:04:17PM +0100, Rene Engelhard wrote:
> I am not going over the .-release procedure for this, I'd have uploaded
> to security, though, but...
>
> I don't think we should special-case our oldest,
> soon-to-be-not-supported release.
Agreed, it doesn't make sense to fix thi
On Thu, Oct 12, 2017 at 11:44:47PM +0200, Sebastian Andrzej Siewior wrote:
>
> this is a reminder about the openssl transition [0]. We really want to
> remove libssl1.0-dev from unstable for Buster. I will raise the severity
> of this bug to serious in a month. Please react before that happens.
E
On Fri, Oct 13, 2017 at 12:52:55AM -0400, Afif Elghraoui wrote:
>
>
> On Thursday 12 October 2017 17:44, Sebastian Andrzej Siewior wrote:
> > Hi,
> >
> > this is a reminder about the openssl transition [0]. We really want to
> > remove libssl1.0-dev from unstable for Buster. I will raise the
On Sat, Oct 13, 2018 at 12:32:16AM +0200, Emmanuel Bourg wrote:
> On 12/10/2018 at 22:33, Moritz Mühlenhoff wrote:
>
> > src:tcnetty has been fixed wrt OpenSSL 1.1 and netty-tcnative-1.1 has no
> > reverse dependencies in the archive. Shall we remove it from the archive?
>
On Mon, Oct 15, 2018 at 10:41:25PM +0200, Steinar H. Gunderson wrote:
> On Mon, Oct 15, 2018 at 10:33:11PM +0200, Moritz Muehlenhoff wrote:
> > Ultimately this is up for Michael to decide, as he's dealing with Chromium
> > updates single-handedly.
>
> Agreed.
>
> > Personally I have no reservatio
On Sun, Sep 16, 2018 at 03:48:50PM +, Phil Lavin wrote:
> We have some spare hardware with a H740P installed. Would having access to
> the IDRAC to run some tests help?
Simply install the new kernel and let us know if everything works as expected,
no need for IDRAC access.
The updated kernel
On Sat, Oct 20, 2018 at 10:43:31AM +0100, Adam D. Barratt wrote:
> On Fri, 2018-10-05 at 17:48 -0500, Daniel Kahn Gillmor wrote:
> > I'd like to update the version of GnuPG in debian stable with a
> > series of targeted bugfixes (most of which are backported from
> > upstream).
> [...]
> > I note t
On Fri, Oct 12, 2018 at 08:07:48PM -0400, Afif Elghraoui wrote:
>
>
> On 3/2/1440 AH 4:33 PM, Moritz Mühlenhoff wrote:
> > On Fri, Oct 13, 2017 at 12:52:55AM -0400, Afif Elghraoui wrote:
> > >
> > >
> >
> > What's the status? ori hasn
On Sun, Sep 10, 2017 at 01:43:08PM +0200, Vincent Danjean wrote:
> severity 874882 grave
> tag 874882 +help
> thanks
>
> Hi,
>
> Unless someone steps up to maintain (debian and upstream) this
> program, I will ask for its removal. Upstream is long dead. I
> kept this program in Debian while th
On Wed, Jul 25, 2018 at 01:30:14PM +0800, David Prévot wrote:
> Package: ftp.debian.org
> Severity: normal
>
> Hi,
>
> Please remove zendframework when you see fit. It seems the letodms stack
> still depends on it, and I don’t know when that will be fixed. #831418
> explains the rationales for th
On Fri, Oct 26, 2018 at 03:24:27PM +0800, Andrew Lee (李健秋) wrote:
> * CVE-2018-12466 probably not affected:
> - This pointed to the same commit in upstream github. And the url
> provided on the CVE listed vulnerable products that doesn't
> contains OBS 2.7.x:
> https://www.securityfoc
On Mon, Oct 22, 2018 at 09:44:27AM +0100, James Cowgill wrote:
> Source: libopenmpt
> Version: 0.2.7025~beta20.1-1
> Severity: important
> Tags: security upstream fixed-upstream
>
> Hi,
>
> Upstream 0.3.13 released a fix for an out of bound read in malformed MED
> files. It affects stretch.
Does
On Mon, Jun 04, 2018 at 11:47:35PM +0200, Andreas Beckmann wrote:
> Source: nvidia-graphics-drivers-legacy-304xx
> Version: 304.137-5
> Severity: serious
> Tags: sid buster upstream wontfix
>
> The 304.xx legacy series is EoL upstream and won't be updated for the
> latest Xorg.
>
> Let's get it o
On Mon, Nov 12, 2018 at 02:36:23PM +, Luca Boccassi wrote:
> On Mon, 2018-11-12 at 13:47 +0100, Andreas Beckmann wrote:
> > On 2018-11-11 13:54, Luca Boccassi wrote:
> > > https://nvidia.custhelp.com/app/answers/detail/a_id/4738
> >
> > So we expect new releases soon. There is already 415.* ..
On Fri, Feb 15, 2019 at 11:21:13AM +0100, Markus Koschany wrote:
> On Wed, 13 Feb 2019 17:43:43 +0100 Salvatore Bonaccorso
> wrote:
> > Source: lucene-solr
> > Version: 3.6.2+dfsg-16
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://issues.apache.org/jira/browse/SOLR-12770
On Tue, Nov 27, 2018 at 01:38:43PM +0100, Jordy Zomer wrote:
> Package: sleuthkit
> Version: 4.2.0-3
> Severity: normal
>
> Dear Maintainer,
>
> An issue was discovered in The Sleuth Kit (TSK) through 4.6.4.
> The "tsk_getu16(hfs->fs_info.endian, &rec_buf[rec_off2])" call in
> hfs_dir_open_meta_
On Fri, Nov 30, 2018 at 10:08:58AM +0100, Salvatore Bonaccorso wrote:
> Source: nasm
> Version: 2.14-1
> Severity: important
> Tags: patch security upstream
> Forwarded: https://bugzilla.nasm.us/show_bug.cgi?id=3392528
>
> Hi,
>
> The following vulnerability was published for nasm.
>
> CVE-2018-
On Sat, Feb 16, 2019 at 10:35:05PM +0500, Andrey Rahmatullin wrote:
> On Sat, Feb 16, 2019 at 12:33:08PM +, Debian Bug Tracking System wrote:
> > Processing commands for cont...@bugs.debian.org:
> >
> > > severity 776246 grave
> > Bug #776246 [librsync1] MD4 collision/preimage attacks (CVE-201
On Thu, Dec 13, 2018 at 08:55:05PM +0100, Moritz Mühlenhoff wrote:
> On Tue, Jun 05, 2018 at 11:12:34PM +0200, Moritz Muehlenhoff wrote:
> > On Sun, Jun 26, 2016 at 12:21:20PM +0200, Kurt Roeckx wrote:
> > > OpenSSL 1.1.0 is about to released. During a rebuild of all pac
On Thu, Jan 10, 2019 at 08:39:36PM +0100, Joost van Baal-Ilić wrote:
> Hi Moritz,
>
> On Thu, Jan 10, 2019 at 08:33:05PM +0100, Moritz Mühlenhoff wrote:
> > On Mon, Nov 05, 2018 at 03:13:08PM +0100, Joost van Baal-Ilić wrote:
> > >
> > > FWIW, this work:
> >
On Wed, Feb 20, 2019 at 02:12:55AM +0500, Andrey Rahmatullin wrote:
> On Tue, Feb 19, 2019 at 10:00:34PM +0100, Moritz Mühlenhoff wrote:
> > If a transition (even though it's marginal in size) isn't an option at this
> > point
> That's not for me to decide. Sho
On Tue, Feb 19, 2019 at 10:30:37PM +0100, Salvatore Bonaccorso wrote:
> Hi,
>
> On Tue, Feb 19, 2019 at 10:09:15PM +0100, Moritz Muehlenhoff wrote:
> > Package: ftp.debian.org
> > Severity: normal
> >
> > Please remove conserver. It hasn't seen an upload since 2016 and
> > was removed from testing
On Fri, Dec 21, 2018 at 07:13:52PM +0100, Salvatore Bonaccorso wrote:
> Source: python-pykmip
> Version: 0.7.0-2
> Severity: important
> Tags: patch security upstream
> Forwarded: https://github.com/OpenKMIP/PyKMIP/issues/430
>
> Hi,
>
> The following vulnerability was published for python-pykmip
On Wed, Feb 20, 2019 at 08:51:16AM +0100, Moritz Muehlenhoff wrote:
> On Wed, Feb 20, 2019 at 12:28:48AM +0100, Sebastian Andrzej Siewior wrote:
> > On 2017-10-12 23:44:37 [+0200], To 859...@bugs.debian.org wrote:
> > > this is a reminder about the openssl transition [0]. We really want to
> > > r
On Tue, Jan 15, 2019 at 10:31:17AM +, Kevin Smith wrote:
> On 27 Dec 2018, at 22:52, Moritz Mühlenhoff wrote:
> >
> > On Fri, Dec 07, 2018 at 01:41:47PM +, Kevin Smith wrote:
> >> Apologies, I’d forgotten that we’d prepared an update from upstream and
> >>
On Fri, Oct 13, 2017 at 12:24:26AM -0400, Sam Hartman wrote:
> There's a new upstream for moonshot-trust-router that I believe should
> work with openssl 1.1.
> Realistically, I should be able to deal with moonshot-gss-eap #848680
> within a month.
> I think it may be more like two months to deal w
On Fri, May 11, 2018 at 10:20:42PM +0200, Salvatore Bonaccorso wrote:
> Control: retitle -1 libvorbis: CVE-2017-14160 (+ CVE-2018-10392
> CVE-2018-10393)
> Control: tags -1 + fixed-upstream
>
> Hi
>
> This issue (cf. https://gitlab.xiph.org/xiph/vorbis/issues/2330) was
> addressed upstream by
> h
On Thu, Nov 22, 2018 at 09:35:39PM +0100, Salvatore Bonaccorso wrote:
> Source: sysstat
> Version: 12.0.1-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/sysstat/sysstat/issues/196
>
> Hi,
>
> The following vulnerability was published for sysstat.
>
> CVE-2018-1
On Sat, Nov 24, 2018 at 09:07:45PM +0100, Salvatore Bonaccorso wrote:
> Source: sysstat
> Version: 12.0.1-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/sysstat/sysstat/issues/199
>
> Hi,
>
> The following vulnerability was published for sysstat, similar to
> CV
reassign 922806 python-selenium
severity 922806 important
thanks
On Wed, Feb 20, 2019 at 11:19:53PM +0100, Jens- Birger Schlie wrote:
> Package: chromium-driver
> Version: 70.0.3538.110-1~deb9u1
> Severity: grave
> Justification: renders package unusable
>
> Before this worked like a bliss.
>
>
On Wed, Feb 20, 2019 at 05:30:35PM -0500, Sam Hartman wrote:
> Is it possible to remove openssl and make moonshot-trust-router
> uninstallable?
That might be possible, I'll check with the FTP masters.
Cheers,
Moritz
On Thu, Feb 21, 2019 at 11:37:02PM +0100, Sebastian Andrzej Siewior wrote:
> The debian maintainer of this package looks MIA. Nobody spoke up for
> keeping it so far. I'm happy to NMU it so it builds against libssl-dev
> but I see little to no reason for it. I think we have alternatives which
> *ar
On Wed, Dec 19, 2018 at 10:07:59PM -0800, Ben Pfaff wrote:
> On Thu, Dec 20, 2018 at 06:22:14AM +0100, Salvatore Bonaccorso wrote:
> > Source: pspp
> > Version: 1.2.0-2
> > Severity: important
> > Tags: security upstream
> >
> > Hi,
> >
> > The following vulnerability was published for pspp.
> >
severity 921156 important
thanks
On Tue, Feb 19, 2019 at 11:24:47PM -0600, Stephen Gelman wrote:
> On Tue, 12 Feb 2019 09:32:48 +0700 Arnaud Rebillout
> wrote:
> > I looked into this a bit yesterday.
> >
> > As mentioned in the issue upstream at
> > https://github.com/etcd-io/etcd/issues/9353, th
On Fri, Feb 15, 2019 at 07:28:57PM +0100, Cyril Brulebois wrote:
> Right, this also breaks the build of the debian-installer source package
> on amd64 since its build dependencies cannot be satisfied.
Is there an ETA for a fix?
Cheers,
Moritz
Hi Thomas,
On Sun, Mar 31, 2019 at 12:33:45AM +0100, Thomas Goirand wrote:
> If I understand well the problem, the issue is simply that some extra
> Microsoft keys may end up being setup into an Azure Debian instance. I
> don't see this as a very "grave" security issue because:
>
> 1/ Azure users
severity 926043 important
thanks
On Tue, Apr 02, 2019 at 01:56:35PM +0200, Thomas Goirand wrote:
> On 4/2/19 12:46 PM, Moritz Muehlenhoff wrote:
> > On Tue, Apr 02, 2019 at 12:33:10PM +0200, Thomas Goirand wrote:
> >> On 4/1/19 11:44 PM, Moritz Mühlenhoff wrote:
> >>>
On Fri, Mar 22, 2019 at 05:45:56PM -0300, Lisandro Damián Nicanor Pérez Meyer
wrote:
> On Thu, 21 Mar 2019 09:33, Thierry fa...@linux.ibm.com <
> thie...@linux.ibm.com> wrote:
>
> > On Tue, 26 Sep 2017 22:15:12 +0300 Adrian Bunk wrote:
> > > Source: qtwebkit
> > > Version: 2.3.4.dfsg-9.1
>
On Thu, Jan 24, 2019 at 07:02:59AM +0100, Salvatore Bonaccorso wrote:
> Source: lua5.3
> Version: 5.3.3-1.1
> Severity: important
> Tags: security upstream
> Control: found -1 5.3.3-1
>
> Hi,
>
> The following vulnerability was published for lua5.3.
>
> CVE-2019-6706[0]:
> | Lua 5.3.5 has a use-
On Tue, Feb 19, 2019 at 05:39:10PM +0100, Moritz Mühlenhoff wrote:
> On Tue, Nov 27, 2018 at 01:38:43PM +0100, Jordy Zomer wrote:
> > Package: sleuthkit
> > Version: 4.2.0-3
> > Severity: normal
> >
> > Dear Maintainer,
> >
> > An issue was dis
On Sun, Apr 14, 2019 at 09:53:12AM +0200, Ralf Jung wrote:
> Hi Salvatore,
>
> >> A self-compiled upstream 4.20.14 kernel does not show this problem, but the
> >> latest kernel in testing still does.
> >
> > have you tried to isolate the fixing commit for this issue?
>
> No, I have not.
> We are
On Sun, Apr 14, 2019 at 09:20:13PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On Mon, 2019-03-25 at 22:35 +0100, Moritz Muehlenhoff wrote:
> > How about the following debdiff to address the fallout of
> > the Xul deprecation in icedtea-web (#921748) for the next
> > point upda
On Wed, Apr 10, 2019 at 10:51:33AM -0400, Chris Lamb wrote:
> retitle 926700 cacti: CVE-2019-11025 - XSS in utilities.php
> thanks
>
> Hi all,
>
> I've attached a patch that I intend to upload to jessie LTS. May I
> also prepare an update for stretch based on this?
I doubt this really warrants a
On Tue, Apr 16, 2019 at 10:04:20AM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Mon, 2019-04-15 at 22:49 +0200, Moritz Mühlenhoff wrote:
> > On Sun, Apr 14, 2019 at 09:20:13PM +0100, Adam D. Barratt wrote:
> > > Control: tags -1 + moreinfo
> >
On Wed, Sep 09, 2020 at 12:30:44PM +0200, Aurelien Jarno wrote:
> control: forcemerge 967938 969926
>
> Hi,
>
> On 2020-09-09 02:58, Bernd Zeimetz wrote:
> > Source: glibc
> > Version: 2.28-10
> > Severity: serious
> > Tags: security upstream patch
> > X-Debbugs-Cc: Debian Security Team
> >
>
On Mon, May 31, 2021 at 04:31:13PM +0200, Christoph Berg wrote:
> Re: Moritz Muehlenhoff
> > Package: dacs
> > Severity: important
> > Tags: security
> > X-Debbugs-Cc: Debian Security Team
> >
> > dacs bundles a copy in src/libradius/src/radlib.c:
> > https://www.freebsd.org/security/advisories/
On Wed, May 19, 2021 at 08:49:01PM +0200, Paul Gevers wrote:
> Hi,
>
> First off, thanks Adrian for raising the concern. In general, at this
> stage we don't like packages breaking other packages.
This should have been fixed in unstable for a long time, I pinged the maintainer
multiple times eve
debdiff for my NMU.
diff -Nru pillow-8.1.2+dfsg/debian/changelog pillow-8.1.2+dfsg/debian/changelog
--- pillow-8.1.2+dfsg/debian/changelog 2021-04-24 15:51:24.0 +0200
+++ pillow-8.1.2+dfsg/debian/changelog 2021-06-13 18:11:04.0 +0200
@@ -1,3 +1,12 @@
+pillow (8.1.2+dfsg-0.2) unstabl
reopen 718272
thx
Reopening. The reasons are listed in the bug log and were given by
the upstream developers. If you want to provide it to bullseye
stable users, get it into fasttrack.debian.net.
Cheers,
Moritz
On Fri, Aug 30, 2019 at 07:29:17AM +, Matthias Klose wrote:
> Package: src:opencaster
> Version: 3.2.2+dfsg-1.1
> Severity: normal
> Tags: sid bullseye
> User: debian-pyt...@lists.debian.org
> Usertags: py2removal
>
> Python2 becomes end-of-life upstream, and Debian aims to remove
> Python2 f
On Tue, Jan 26, 2021 at 04:36:13PM +0100, Matthias Klose wrote:
> On 12/2/20 5:42 PM, Holger Levsen wrote:
> > On Fri, Nov 20, 2020 at 08:40:22AM +, Holger Levsen wrote:
> >>> Thanks for the upload.
> >> :) note however that "#975016: OpenJDK 15 support state for Bullseye" is
> >> still
> >>
On Tue, Feb 02, 2021 at 07:15:37PM +0100, Roland Rosenfeld wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
>
> This fixes CVE-2021-20216 and CVE-2021-20217.
> Since both are tagged " (Minor issue)" in security tr
Source: rust-crossbeam-deque
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for rust-crossbeam-deque.
CVE-2021-32810[0]:
| crossbeam-deque is a package of work-stealing deques for building task
| schedulers when programming
On Sun, Sep 13, 2020 at 05:44:44PM +0200, Sascha Steinbiss wrote:
> Hi Moritz,
>
> >> Just an update: Python 3 compatibility is indeed introduced in the latest
> >> upstream version, however, that version also adds some new dependencies
> >> that would need to be packaged and pass NEW. For exam
On Wed, Aug 25, 2021 at 09:23:37PM +0200, Salvatore Bonaccorso wrote:
> Source: plib
> Version: 1.8.5-8
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Forwarded: https://sourceforge.net/p/plib/bugs/55/
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
>
>
On Sat, Aug 22, 2020 at 01:14:19PM +0200, Salvatore Bonaccorso wrote:
> Source: software-properties
> Version: 0.96.20.2-2.1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
>
> Control: found -1 0.96.20.2-2
> Control: found -1 0.96.20.2-1
>
On Mon, Apr 19, 2021 at 11:42:54AM +0200, Moritz Muehlenhoff wrote:
> On Sun, Apr 18, 2021 at 07:21:31PM +0200, Tormod Volden wrote:
> > Yes, I think dropping the set_cap is the easy way out of here. sonar
> > will still be visually pleasing, just not so interesting.
>
> Let's do that for buster/
On Sun, Jan 10, 2021 at 12:34:35AM +0100, Moritz Mühlenhoff wrote:
> On Tue, Oct 27, 2020 at 08:53:28PM +0100, Salvatore Bonaccorso wrote:
> > Source: openrc
> > Version: 0.42-1
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://github.c
On Sun, Sep 13, 2020 at 10:42:36PM +0200, Moritz Muehlenhoff wrote:
> Package: qemu
> Severity: important
> Tags: security
> X-Debbugs-Cc: Debian Security Team
>
> Not fixed upstream yet at this point:
>
> https://www.openwall.com/lists/oss-security/2020/07/02/1
> https://lists.gnu.org/archive/
On Tue, Sep 25, 2018 at 08:19:13PM +0200, Yves-Alexis Perez wrote:
> On Sun, 28 Feb 2016 12:19:43 +0100 Anders Nylander
> wrote:
>
> > Following the removal of the USB device, I noticed very high CPU usage
> > being caused by kworker and
On Thu, Apr 22, 2021 at 09:53:24AM -0700, Zach Marano wrote:
> Hi, since this package was brought into Debian in ~2018, there have been
> several transformations in the GCE guest software stack and thus the
> current landscape is very different. Google doesn't actually maintain the
> official Debi
Sorry for the late reply, got backlogged in my inbox.
On Mon, Apr 12, 2021 at 11:18:16AM +0100, Ximin Luo wrote:
> It looks like these CVEs affect all versions up to 1.52 (which is not yet
> released).
>
> Do you have links to patches fixing these bugs that can be backported to
> 1.48? We've h
On Mon, Mar 01, 2021 at 10:54:31AM +0100, Salvatore Bonaccorso wrote:
> Hi Emmanuel,
>
> On Sat, May 30, 2020 at 02:50:32PM +0200, Emmanuel Bourg wrote:
> > Control: severity -1 important
> >
> > On 22/05/2020 at 22:51, Salvatore Bonaccorso wrote:
> >
> > > The following vulnerability was pub
On Mon, Apr 05, 2021 at 09:37:41AM -0700, tony mancill wrote:
> On Sat, Mar 27, 2021 at 07:52:37PM +0100, Salvatore Bonaccorso wrote:
> > Source: libpdfbox2-java
> > Version: 2.0.22-1
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> >
On Wed, May 19, 2021 at 08:47:24PM +0200, Sebastian Ramacher wrote:
> On 2021-05-18 23:38:58 +0200, Moritz Muehlenhoff wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: rm
> > X-Debbugs-Cc: ebo...@apache.org
> >
> > Please r
On Wed, May 19, 2021 at 07:39:55PM +0200, Fabian Grünbichler wrote:
> On May 18, 2021 8:42 pm, Moritz Muehlenhoff wrote:
> > Source: rust-hyper
> > Severity: grave
> > Tags: security
> > X-Debbugs-Cc: Debian Security Team
> >
> > CVE-2021-21299:
> > https://github.com/hyperium/hyper/security/adv
On Fri, May 21, 2021 at 12:39:42PM +0200, Alexandre Rossi wrote:
> bullseye : this bug is not RC, so no update.
Security bugs can still be fixed if they are sensibly backportable,
even if not RC. Simply upload to unstable and ask for an unblock.
Cheers,
Moritz
On Tue, May 25, 2021 at 05:08:33PM +0200, Marcus Frings wrote:
> Package: leafnode
> Version: 1.11.11-3
> Severity: wishlist
>
> Dear Moritz,
>
> After some years of dormant sleep, leafnode received an update to 1.11.12 in
> 2021.
>
> Please consider the new version to be included in Debian.
On Wed, Apr 07, 2021 at 09:36:01PM +0200, Salvatore Bonaccorso wrote:
> Source: syncthing
> Version: 1.12.1~ds1-2
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
>
>
> Hi,
>
> The following vulnerability was published for syncthing.
>
>
On Sun, Dec 20, 2020 at 02:15:34PM +0100, Salvatore Bonaccorso wrote:
> Source: opendmarc
> Version: 1.4.0~beta1+dfsg-3
> Severity: important
> Tags: security upstream
> Forwarded: https://sourceforge.net/p/opendmarc/tickets/237/
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
>
> Contro
On Sat, Mar 06, 2021 at 09:39:52PM +0100, Salvatore Bonaccorso wrote:
> Source: python-markdown2
> Version: 2.3.10-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/trentm/python-markdown2/pull/387
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
>
>
> Hi,
Source: libtpms
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for libtpms.
CVE-2021-3623[0]:
out-of-bounds access when trying to resume the state of the vTPM
https://github.com/stefanberger/libtpms/pull/223
https://github
Source: rabbitmq-server
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for rabbitmq-server.
CVE-2021-32719[0]:
| RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server
| prior to version 3.8.18, when a federat
Source: libgrokj2k
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for libgrokj2k.
CVE-2021-36089[0]:
| Grok 7.6.6 through 9.2.0 has a heap-based buffer overflow in
| grk::FileFormatDecompress::apply_palette_clr (called from
| g
Source: libsepol
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for libsepol.
CVE-2021-36084[0]:
| The CIL compiler in SELinux 3.2 has a use-after-free in
| __cil_verify_classperms (called from __cil_verify_classpermissi
Source: kimageformats
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for kimageformats.
CVE-2021-36083[0]:
| KDE KImageFormats 5.70.0 through 5.81.0 has a stack-based buffer
| overflow in XCFImageFormat::loadTileRLE.
https://b