On Wed, Nov 19, 2014 at 11:45:02PM +0100, Moritz Muehlenhoff wrote:
Source: xen
Severity: grave
Tags: security
Hi,
the following security issues apply to Xen in jessie:
CVE-2014-5146,CVE-2014-5149:
https://marc.info/?l=oss-security&m=140784877111813&w=2
CVE-2014-8594:
On Fri, Jan 03, 2014 at 11:30:13PM +0200, Henri Salo wrote:
Package: web2ldap
Version: 1.1.43~dfsg-1
Severity: important
Tags: security, fixed-upstream
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7258
http://www.web2ldap.de/changes-1.1.html
http://secunia.com/advisories/56160
On Thu, Mar 20, 2014 at 01:19:00PM +0100, Moritz Muehlenhoff wrote:
Package: ruby-rack-ssl
Severity: important
Tags: security
Please see
http://www.openwall.com/lists/oss-security/2014/03/19/2
https://github.com/josh/rack-ssl/commit/9d7d7300b907e496db68d89d07fbc2e0df0b487b
Can we please
On Wed, Oct 23, 2013 at 08:04:17AM +0200, Salvatore Bonaccorso wrote:
Hi Julian,
On Wed, Oct 23, 2013 at 01:16:36AM +0200, Julian Taylor wrote:
On 22.10.2013 08:43, Salvatore Bonaccorso wrote:
Hi Julian,
Cc'ing Julian directly as per short discussion on IRC.
On IRC you
On Thu, Jun 19, 2014 at 05:10:35PM +0200, Ondřej Surý wrote:
Control: forwarded -1 https://issues.opendnssec.org/browse/SUPPORT-136
Funny, I have just fixed exactly same bug in ldns.
Will push that forward...
Can you please upload a fix for jessie?
Cheers,
Moritz
--
To
On Fri, Nov 21, 2014 at 08:30:37PM +0100, Niels Thykier wrote:
On 2014-11-21 14:56, Salvatore Bonaccorso wrote:
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Hi Release Team,
Please unblock package dhcpcd5, which
On Fri, May 16, 2014 at 11:17:32AM +1000, Luke Yelavich wrote:
On Fri, Apr 25, 2014 at 10:06:04PM EST, Moritz Muehlenhoff wrote:
Hi,
the details are a bit scarce, can you contact upstream whether the Chrome
developers have contacted them?
severity serious
thanks
This package forks a local copy of the Iceweasel Javascript engine which is
no longer supported with security updates (currently only the ESR24 series
is maintained)
What's the strategy here? Do you plan to backport/triage all Javascript
related security issues
On Thu, Jan 10, 2013 at 04:47:35PM -0600, Gunnar Wolf wrote:
FWIW the exploit-db webpage points at three different problems, two
XSS and one CSRF. The XSS are not present in collabtive 0.7.6, but the
CSRF is.
I'm getting in touch with the authors right now. Thanks!
On Sat, Nov 15, 2014 at 08:25:41AM +0100, Salvatore Bonaccorso wrote:
Source: kde-runtime
Version: 4:4.8.4-2
Severity: normal
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for kde-runtime.
CVE-2014-8600[0]:
Insufficient Input Validation By
On Tue, Dec 09, 2014 at 08:56:21PM -0600, Gunnar Wolf wrote:
Moritz Mühlenhoff said [Tue, Dec 09, 2014 at 10:17:14PM +0100]:
I'm getting in touch with the authors right now. Thanks!
http://collabtive.o-dyn.de/forum/viewtopic.php?f=11&t=8479
Gunnar,
is this fixed in the version
On Wed, Nov 26, 2014 at 12:18:13AM +0100, Ángel González wrote:
On 20-11-2014 Mitre wrote:
There is a command injection flaw in lsyncd, a file change monitoring
and synchronization daemon:
https://github.com/axkibe/lsyncd/issues/220
On Sun, Dec 21, 2014 at 03:19:42PM -0500, Michael Gilbert wrote:
package: src:libv8-3.14
severity: grave
tags: security
Hi,
the following vulnerabilities were published for libv8-3.14.
So if I'm understanding the discussion on debian-devel correctly
the libv8 maintainers want to see this
On Mon, Dec 29, 2014 at 12:28:30PM +0100, Bálint Réczey wrote:
Hi Moritz,
2014-12-29 3:01 GMT+01:00 Moritz Mühlenhoff j...@inutil.org:
On Sun, Dec 21, 2014 at 03:19:42PM -0500, Michael Gilbert wrote:
package: src:libv8-3.14
severity: grave
tags: security
Hi,
the following
On Mon, Sep 22, 2014 at 03:56:00PM +0200, Raphael Hertzog wrote:
Hi,
On Mon, 18 Aug 2014, Salvatore Bonaccorso wrote:
On Thu, Aug 14, 2014 at 11:43:32PM +0200, Emmanuel Bourg wrote:
Is there an example available somewhere of a subject improperly parsed
by commons-httpclient/3.1-10.2?
On Fri, Jan 09, 2015 at 10:57:13PM +0100, Christian Hofstaedtler wrote:
AFAICT there is no publicly available patch, and upstream is more or
less dead.
Redmine's patched redcloth3 looks very different from the current
redcloth 4.x sources, so I have my doubts if forward porting this
is
On Tue, Jan 20, 2015 at 09:47:26PM +0100, Yves-Alexis Perez wrote:
* The potential invalid writes in modules/services_discovery/sap.c and
modules/access/ftp.c were not fixed as I did not provide a
trigger. Note, that the code looks very similar to the confirmed bug
in
On Sun, Jan 18, 2015 at 10:24:30AM +, Ben Hutchings wrote:
Source: oss4
Version: 4.2-build2006-2
Severity: critical
Tags: security
In kernel/drv/oss_usb/oss_usb.c:
OSS maintainers,
did you forward this upstream?
Cheers,
Moritz
--
To UNSUBSCRIBE, email to
On Mon, Jan 26, 2015 at 01:41:54PM +0100, Kilian Krause wrote:
Hi Moritz,
On Mon, Jan 26, 2015 at 12:28:00PM +0100, Moritz Mühlenhoff wrote:
On Mon, Dec 22, 2014 at 10:33:50PM +0100, Kilian Krause wrote:
Package: fex
Version: 20140917-1
Severity: serious
Tags: security patch
On Fri, Jan 23, 2015 at 02:26:06PM +0100, Raphael Hertzog wrote:
On Wed, 21 Jan 2015, Raphael Hertzog wrote:
Some notes:
- the final upload will include the bug closure of #775375
- there's a small tweak of a Suggests dependency, it was not intended for
jessie but I don't see how it can
On Sat, Dec 27, 2014 at 02:27:29PM +0100, Laurent Bigonville wrote:
On Sat, 20 Dec 2014 08:18:29 +0100 Salvatore Bonaccorso car...@debian.org wrote:
Hi,
Hello,
the following vulnerability was published for libssh.
CVE-2014-8132[0]:
Possible double free on a dangling pointer
On Wed, Jan 14, 2015 at 05:25:02AM +0100, Holger Levsen wrote:
control: severity -1 important
Hi Alexander,
On Tuesday, 13 January 2015, Alexander Cherepanov wrote:
pxz sets the mode of an output file to be the same as the one of an
input file but does it only after compression is
On Mon, Jan 05, 2015 at 01:47:40AM +1100, Russell Sim wrote:
Moritz Muehlenhoff j...@debian.org writes:
Source: libgit2
Severity: important
Tags: security
libgit2 is also affected by the recent git vulnerability:
http://openwall.com/lists/oss-security/2014/12/18/21
Thanks for the
On Mon, Jan 26, 2015 at 09:07:19PM +0530, Ritesh Raj Sarraf wrote:
On 01/21/2015 01:23 PM, Moritz Muehlenhoff wrote:
In the past someone from upstream posted the upstream commits to the
bug log, maybe you can contact them for more information so that we
can merge the isolated fixes into the
On Fri, Jan 30, 2015 at 11:17:49AM +0100, Axel Beckert wrote:
Hi Moritz,
Moritz Mühlenhoff wrote:
On Tue, Jan 27, 2015 at 12:34:09PM +0100, Axel Beckert wrote:
Moritz Mühlenhoff wrote:
I think it's sufficient if we fix this in a point update, can you take
care of that?
Do
On Wed, Jan 14, 2015 at 03:13:04PM +0100, Moritz Muehlenhoff wrote:
Package: chicken
Severity: important
Tags: security
Hi,
please see http://www.openwall.com/lists/oss-security/2015/01/12/3
for details.
This has been assigned CVE-2014-9651.
What's the status?
Cheers,
Moritz
reassign 775591 docker.io
thanks
On Sat, Jan 17, 2015 at 10:43:23PM +, Ben Hutchings wrote:
Control: reassign -1 docker
Control: retitle -1 Docker should support overlayfs as alternative to aufs
On Sat, 2015-01-17 at 21:45 +0200, Török Edwin wrote:
Package: src:linux
Version:
On Tue, Dec 30, 2014 at 08:13:08AM -0800, tony mancill wrote:
On 12/30/2014 05:18 AM, Emmanuel Bourg wrote:
Here are the relevant commits to backport:
Always ignore case when forbidding .git in ObjectChecker
https://github.com/eclipse/jgit/commit/07612a6
Disallow .git. and .gitspace
On Sat, Jan 17, 2015 at 12:34:51AM +0100, Kurt Roeckx wrote:
On Sat, Jan 17, 2015 at 12:12:44AM +0100, Moritz Muehlenhoff wrote:
Package: elfutils
Version: 0.159-4
Severity: important
Tags: security
Please see
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9447
for
On Tue, Feb 05, 2013 at 05:56:15PM +0100, Arne Wichmann wrote:
Hi, just for information: [1] suggests that exploits for one of 340[456]
may be out in the wild.
Moreover I did not find an upstream glibc-bug about this yet. Is there one?
[1]
On Wed, Dec 31, 2014 at 04:41:29PM +0100, Kurt Roeckx wrote:
On Wed, Dec 31, 2014 at 02:00:23PM +, Adam D. Barratt wrote:
Control: tags -1 + moreinfo
On Wed, 2014-12-31 at 13:52 +0100, Kurt Roeckx wrote:
I would like to disable SSLv3 by default in wheezy.
Do we know how well
On Mon, Feb 16, 2015 at 12:12:02AM +0100, László Böszörményi (GCS) wrote:
Hi all,
On Thu, Feb 12, 2015 at 4:50 PM, j...@debian.org wrote:
It would be great if you (or any co-maintainer) would initially
take care of the open icu security issues in jessie/sid (with
a minimal upload to sid
On Sat, Feb 14, 2015 at 03:41:21PM +0100, Luciano Bello wrote:
Package: nvi
Severity: important
Tags: security patch
The security team received a report from the CERT Coordination Center that the
Henry Spencer regular expressions (regex) library contains a heap overflow
vulnerability.
On Sat, Feb 14, 2015 at 10:09:09PM +, Colin Watson wrote:
On Sat, Feb 14, 2015 at 03:40:31PM +0100, Luciano Bello wrote:
The security team received a report from the CERT Coordination Center that the
Henry Spencer regular expressions (regex) library contains a heap overflow
On Fri, Feb 13, 2015 at 12:28:28AM +0100, Markus Koschany wrote:
Control: tags -1 moreinfo
On Thu, 12. Feb 23:13 Moritz Muehlenhoff j...@debian.org wrote:
Package: byzanz
Severity: important
Tags: security
Hi,
this was reported by Red Hat:
On Tue, Jan 27, 2015 at 09:53:45AM +, Gianfranco Costamagna wrote:
Hi Moritz, please read carefully this thread :)
Could you please check back with upstream on CVE-2015-0377 and CVE-2015-0418?
jessie is not affected, and wheezy has already the patch on this thread
the two CVEs are
On Mon, Jan 26, 2015 at 09:14:55PM +0530, Ritesh Raj Sarraf wrote:
On 01/26/2015 09:07 PM, Ritesh Raj Sarraf wrote:
On 01/21/2015 01:23 PM, Moritz Muehlenhoff wrote:
In the past someone from upstream posted the upstream commits to the
bug log, maybe you can contact them for more information
On Sun, Jan 05, 2014 at 06:34:55PM +, Dominic Hargreaves wrote:
Source: movabletype-opensource
Version: 5.2.7+dfsg-1
Severity: serious
Justification: maintainer
Support of MTOS by upstream (at least in the English speaking community)
is now very sketchy. The security update announced
On Thu, Jan 22, 2015 at 06:00:54PM +0100, Christoph Berg wrote:
Re: To Debian Bug Tracking System 2015-01-22
20150122161925.ga23...@msg.df7cb.de
Source: xymon
Version: 4.3.17-1
Severity: grave
Tags: security patch pending
web/acknowledge.c uses a string twice in a format string,
On Tue, Jan 27, 2015 at 12:34:09PM +0100, Axel Beckert wrote:
Hi Moritz,
Moritz Mühlenhoff wrote:
I think it's sufficient if we fix this in a point update, can you take
care of that?
Do you think of Jessie or Wheezy? As far as I can see, Wheezy is
not affected:
https
On Tue, Dec 30, 2014 at 12:29:35PM +0100, Matthias Klose wrote:
forgot to mention that there are no regressions in the binutils testsuite on all
release architectures, and that there are no regressions in the gcc-4.8 and
gcc-4.9 testsuites on all release architectures.
Did someone from the
On Mon, Dec 22, 2014 at 10:33:50PM +0100, Kilian Krause wrote:
Package: fex
Version: 20140917-1
Severity: serious
Tags: security patch upstream pending confirmed jessie
As upstream has released a new version of the fex package which closes a
security issue and there is no CVE assigned,
On Wed, Jan 07, 2015 at 02:25:49PM +0100, Noël Köthe wrote:
tags 774769 + upstream
forwarded 774769 https://github.com/lavv17/lftp/issues/116
thanks
Hello Marcin,
On Wednesday, 07.01.2015, 12:39 +0100, Marcin Szewczyk wrote:
From the src/SSH_Access.cc file:
47: const char
for me.
For details please see https://bugs.gentoo.org/show_bug.cgi?id=534118
Cheers,
Moritz
--
Moritz Mühlenhoff
Open Source Software Engineer
Univention GmbH
be open.
Mary-Somerville-Str.1
28359 Bremen
Tel. : +49 421 22232-0 [.]
Fax : +49 421 22232-99
muehlenh...@univention.de
http
On Tue, Jan 06, 2015 at 01:13:25PM -0700, Troy Heber wrote:
tag upstream
thanks
Upstream has pushed patches to the repo but has not yet done a release
yet.
Hi,
since jessie is frozen, only a targeted security fix
would be allowed by the release team anyway. Can you
please prepare one?
On Wed, Sep 17, 2014 at 09:10:39AM +, Thijs Kinkhorst wrote:
Package: security-tracker
Severity: wishlist
Hi,
In the overview per-package, the tracker currently shows for each CVE
name about seven columns: squeeze, squeeze-security, squeeze-lts, wheezy,
wheezy-security, jessie, sid.
On Mon, Mar 02, 2015 at 03:37:03PM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
On Monday 02 March 2015 18:20:22 Moritz Muehlenhoff wrote:
On Mon, Mar 02, 2015 at 07:32:11PM +0300, Dmitry Shachnev wrote:
clone -1 -2
reassign -2 libqt5gui5 5.3.2+dfsg-4
thanks
On Mon, 02 Mar
On Tue, Feb 17, 2015 at 10:02:37PM +0100, Moritz Muehlenhoff wrote:
Package: potrace
Version: 1.11-2
Severity: grave
Tags: security
Hi,
please see https://bugzilla.redhat.com/show_bug.cgi?id=955808
Could you report this upstream?
A CVE ID has been requested, but not yet assigned:
On Tue, Mar 17, 2015 at 12:56:36PM +0100, Stéphane Aulery wrote:
Hello Ben,
On Saturday 14 March 2015 at 11:13:15, Ben Wong wrote:
The fbgs wrapper for fbi is great for viewing PDF files from the Linux
console, however it shows them in black and white by default. There is a
command
On Tue, Mar 17, 2015 at 08:17:03AM +0800, Paul Wise wrote:
On Tue, 2015-03-17 at 00:03 +0100, Raphael Hertzog wrote:
I also noticed that we have nowhere data that says that an
issue is undetermined... maybe those issues should be entirely dropped?
I don't understand why we have that
On Tue, Mar 17, 2015 at 01:09:44PM +0100, Moritz Mühlenhoff wrote:
On Tue, Mar 17, 2015 at 08:17:03AM +0800, Paul Wise wrote:
On Tue, 2015-03-17 at 00:03 +0100, Raphael Hertzog wrote:
I also noticed that we have nowhere data that says that an
issue is undetermined... maybe those issues
On Mon, Mar 09, 2015 at 03:08:39PM +0300, Sergei Golovan wrote:
tags 780100 + patch
thanks
Hi Moritz,
On Mon, Mar 9, 2015 at 1:29 PM, Moritz Muehlenhoff j...@inutil.org wrote:
Hi,
please see
https://www.sektioneins.de/en/advisories/advisory-012015-xss-tcllib-html-textarea.html
On Wed, Mar 04, 2015 at 09:46:20AM +0100, Ivo De Decker wrote:
Hi,
On Fri, Feb 13, 2015 at 05:52:36PM +0100, Moritz Muehlenhoff wrote:
please remove oss4 from jessie. There's been no maintainer
followup since a month (plus no action back then when Ben
initially reported it to the
On Fri, Feb 13, 2015 at 05:55:46PM +0100, Moritz Muehlenhoff wrote:
Package: rsync
Version: 3.1.1-2+b1
Severity: important
Tags: security
This was assigned CVE-2014-9512:
http://xteam.baidu.com/?p=169
Patch is here:
On Sat, Feb 21, 2015 at 08:10:11AM -0500, Eric Sharkey wrote:
On Sat, Feb 21, 2015 at 3:35 AM, Salvatore Bonaccorso car...@debian.org wrote:
Btw, please do not upload to security-master without prior
coordination with the security-team, see
On Mon, Mar 30, 2015 at 06:30:57AM +0200, Salvatore Bonaccorso wrote:
Source: musl
Version: 1.1.5-1
Severity: grave
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for musl.
CVE-2015-1817[0]:
stack-based buffer overflow in ipv6 literal
On Fri, Mar 27, 2015 at 11:26:35AM +0300, Michael Tokarev wrote:
26.03.2015 16:47, Moritz Muehlenhoff wrote:
Source: qemu
Severity: important
Tags: security
Hi Michael,
two security issues in qemu (you're probably aware, but let's track this
through a bug):
Yes indeed, I've
tags 699754 moreinfo
thanks
On Tue, Feb 05, 2013 at 11:14:05AM +0100, Joost van Baal-Ilić wrote:
Hi,
I hope to get this bug squashed, soonish.
On Mon, Feb 04, 2013 at 04:43:22PM +0100, Thijs Kinkhorst wrote:
Package: release-notes
Severity: normal
Tags: wheezy
Hi Joost,
Control: tags 774669 + patch
Control: tags 774669 + pending
Anibal,
I've prepared an NMU for cpio (versioned as 2.11+dfsg-4.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.
Cheers,
Moritz
diff -Nru cpio-2.11+dfsg/debian/changelog
On Wed, Feb 25, 2015 at 05:17:28PM -0300, Marcelo Jorge Vieira wrote:
Hello Security team,
I fixed the CVE-2008-7313 and CVE-2014-5008 in the libphp-snoopy
package.
The current libphp-snoopy package is 1.2.4-2 and it is the same for
squeeze, wheezy, jessie and sid.
As the Snoopy
On Sun, Mar 01, 2015 at 09:18:39PM +, Colin Watson wrote:
On Sun, Mar 01, 2015 at 08:21:17PM +, Colin Watson wrote:
On Sun, Mar 01, 2015 at 01:21:32PM +0100, Moritz Muehlenhoff wrote:
This has been assigned CVE-2015-2157:
On Sat, Feb 21, 2015 at 08:58:13PM +0100, Stig Sandbeck Mathisen wrote:
Moritz Muehlenhoff j...@debian.org writes:
On Sat, Jan 17, 2015 at 12:09:51AM +0100, Moritz Muehlenhoff wrote:
Package: puppet-module-puppetlabs-stdlib
Severity: important
Tags: security
Hi,
please see
On Wed, Feb 25, 2015 at 02:27:47PM +0100, Christoph Egger wrote:
Hi!
I would like to upload to stable security for this kernel crash / DoS
vulnerability. Patch for -8 is below, -9 is the same modulo version
numbers.
Please upload for kfreebsd-9.
For kfreebsd-8 we've skipped previous
On Wed, Feb 04, 2015 at 09:45:26AM +0100, Moritz Muehlenhoff wrote:
Package: php5
Severity: important
Tags: security
Justification: user security hole
Hi,
CVE-2015-1351:
https://bugs.php.net/bug.php?id=68677
On Mon, Mar 09, 2015 at 03:00:27PM +0100, Emmanuel Bourg wrote:
Thank you for the report Moritz.
According to the Bugzilla report the issue happens when BCrypt.gensalt()
is called with the value 31. jenkins is the only package using this
library and it calls this method with no parameter
On Mon, Mar 09, 2015 at 11:08:57PM +0100, Moritz Muehlenhoff wrote:
Package: opus-tools
Version: 0.1.9-1
Severity: important
Tags: security
Hi,
CVE-2014-9638 and CVE-2014-9639 for vorbis-tools also affect opus-tools,
please see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776086
for
On Thu, Apr 02, 2015 at 04:20:06PM +0200, John Paul Adrian Glaubitz wrote:
On 04/02/2015 12:57 PM, John Paul Adrian Glaubitz wrote:
Attaching a debdiff with the proposed changes to the kde-workspace
source package which will add systemd support to kdm.
Attaching a cleaned up revision the
On Sun, Mar 29, 2015 at 07:30:55PM -0700, Tom Lee wrote:
Hey Niels,
Understood. Hard to see exactly what's going on here because we seem to be
falling afoul of https://lists.debian.org/debian-devel/2014/04/msg00322.html.
Do you happen to know if there's another way to get access to
On Fri, Feb 20, 2015 at 09:25:56PM -0500, Eric Sharkey wrote:
On Thu, Feb 19, 2015 at 5:38 AM, Moritz Muehlenhoff j...@inutil.org wrote:
Upstream fix is here:
http://sourceforge.net/p/libmspack/code/217
Since unstable has a more recent version than testing, could you make
a targeted
On Fri, Apr 03, 2015 at 07:04:23PM +0200, Mike Gabriel wrote:
Package: caja
Version: 1.8.2-3
Followup-For: Bug #781608
Control: severity -1 serious
Control: forwarded -1 https://github.com/mate-desktop/caja/issues/398
Dear Kees, dear Debian Security Team,
@Kees: Thanks for bringing up
On Thu, Apr 23, 2015 at 10:03:02PM +0100, Jonathan Wiltshire wrote:
Control: tag -1 moreinfo
On Fri, Apr 17, 2015 at 05:23:39PM +0200, Moritz Muehlenhoff wrote:
Please unblock package openjdk-7. It fixes multiple security
issues. ATM the build failed on mips (that was sorted
out with a
On Sun, Apr 26, 2015 at 11:57:43AM +0100, Jonathan Wiltshire wrote:
On Fri, Apr 17, 2015 at 05:21:05PM +0200, Moritz Muehlenhoff wrote:
Please unblock package chromium-browser. It fixes multiple
security issues (and would also need some aging at this
point)
Should this be progressed to
On Wed, Apr 22, 2015 at 09:48:01PM +0200, Moritz Muehlenhoff wrote:
Package: virtualbox
Version: 4.3.18-dfsg-3
Severity: important
Hi,
virtualbox doesn't work on Broadwell CPUs; all VMs fail to start no
matter what the user configures in the VM settings.
This was reported upstream at
Andreas Cadhalpun wrote:
But having mysql-5.5 and mariadb-10.0 in jessie is apparently no
problem, despite previous claims. What's the difference?
To properly migrate over a daemon they need to co-exist for a stable
release, while a lib does not. Stretch will only have one of them.
How do
On Wed, Apr 29, 2015 at 08:33:07PM +0200, Andreas Cadhalpun wrote:
Having both for a year along each other will only waste people's time. Now
at the beginning of the release cycle is the time to make a decision,
not by dragging things into a year as of today. Picking one of the two
won't
On Mon, May 04, 2015 at 07:38:24AM -0400, Scott Kitterman wrote:
On Sunday, May 03, 2015 11:25:39 AM you wrote:
Package: ftp.debian.org
Severity: normal
Hi,
please remove squid. It has been replaced by squid3 (672156)
and is already not part of jessie, so let's also remove it
from
On Mon, Apr 13, 2015 at 11:31:18AM +0200, Raphaël Hertzog wrote:
Package: ftp.debian.org
Severity: normal
Hello,
squeeze-security (on security.debian.org) contains packages which were
dropped from squeeze (on main archive) because they are no longer
supported. They should thus be also
On Tue, Apr 14, 2015 at 03:44:37PM +0200, Cyril Brulebois wrote:
I doubt we'll change anything in templates at this point (strings need
to be translated), but we already have:
https://www.debian.org/releases/testing/amd64/ch02s02.html
On Fri, Apr 03, 2015 at 09:05:17AM +0200, John Paul Adrian Glaubitz wrote:
On 04/02/2015 10:15 PM, Moritz Mühlenhoff wrote:
My patch from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754314
retains the kdmrc customisation currently present in the sysvinit script;
maybe you can fold
On Thu, Apr 09, 2015 at 07:06:06PM +0300, Michael Tokarev wrote:
On 9 April 2015 18:42:13 GMT+03:00, Salvatore Bonaccorso car...@debian.org wrote:
Hi Michael, Moritz,
Small update for CVE-2015-1779: so the patches committed upstream are:
Yes, thanks, I've seen the commits the other day,
On Wed, Feb 25, 2015 at 07:57:31PM +0100, Stig Sandbeck Mathisen wrote:
Control: tags -1 + patch confirmed
Moritz Muehlenhoff j...@inutil.org writes:
Moritz Muehlenhoff wrote:
Package: facter
Severity: important
Tags: security
Please see
On Fri, Jun 05, 2015 at 03:58:23AM +0200, Daniele Tricoli wrote:
Hello,
On Sunday 31 May 2015 12:00:17 Moritz Mühlenhoff wrote:
What's the status?
Sorry for the delay! I cherry picked and adapted the patch for pyjwt
version in Jessie. I worked on this branch:
https://anonscm.debian.org
On Wed, Jun 10, 2015 at 09:41:48AM +0100, Edmund Grimley Evans wrote:
Source: elinks
Version: 0.12~pre6-8
Tags: patch
It failed to build on arm64:
https://buildd.debian.org/status/package.php?p=elinks&suite=sid
Mysteriously, I couldn't reproduce the build failure in my chroot.
However,
On Wed, Jun 10, 2015 at 10:22:03AM +0100, Edmund Grimley Evans wrote:
Your patch seems to have been made against the debian/rules file
from jessie, but it has been migrated to dh in 0.12~pre6-7.
I wonder how that happened. Perhaps I'm using a tardy mirror.
Well, referring to
On Fri, Jun 19, 2015 at 02:07:10PM +0200, Guido Günther wrote:
Hi,
On Tue, Jun 16, 2015 at 06:26:31AM +0200, Salvatore Bonaccorso wrote:
Hi,
A second CVE was assigned for a further issue:
http://www.openwall.com/lists/oss-security/2015/06/16/4
(CVE-2015-4588).
Attached debdiff
On Wed, Jun 10, 2015 at 05:00:27PM +0200, Thomas Goirand wrote:
On 06/10/2015 12:23 PM, László Böszörményi (GCS) wrote:
On Wed, Jun 10, 2015 at 10:42 AM, Salvatore Bonaccorso car...@debian.org wrote:
On Wed, Jun 10, 2015 at 09:10:56AM +0200, László Böszörményi (GCS) wrote:
Just checked.
On Tue, Jun 09, 2015 at 12:48:58AM +0200, Andreas Beckmann wrote:
Package: elinks
Version: 0.12~pre6-7
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts
Hi,
an upgrade test with piuparts revealed that your package installs files
over existing symlinks and possibly
On Mon, May 04, 2015 at 09:25:13AM +0200, Jakub Wilk wrote:
Package: elinks
Version: 0.12~pre6-6
User: debian...@lists.debian.org
Usertags: adequate obsolete-conffile
Sorry for the late reply, this fell through the cracks of my inbox.
elinks_0.12~pre6-6 no longer ships the
On Fri, Jun 05, 2015 at 12:17:56PM +0200, Moritz Mühlenhoff wrote:
On Fri, Jun 05, 2015 at 03:58:23AM +0200, Daniele Tricoli wrote:
Hello,
On Sunday 31 May 2015 12:00:17 Moritz Mühlenhoff wrote:
What's the status?
Sorry for the delay! I cherry picked and adapted the patch for pyjwt
On Wed, Jun 03, 2015 at 10:03:42AM +0200, Werner Koch wrote:
On Wed, 3 Jun 2015 08:05, gni...@fsij.org said:
Thank you. I think it makes sense.
I don't think so. GnuPG uses a locking mechanism to avoid that several
instances of gpg and friends start gpg-agent. Thus watching the socket
On Mon, May 25, 2015 at 11:21:26AM -0700, Andrew Ayer wrote:
On Wed, 20 May 2015 06:39:06 +
ow...@bugs.debian.org (Debian Bug Tracking System) wrote:
On Wed, May 20, 2015 at 05:58:55PM +1200, VeNoMouS wrote:
Seriously, how long do we have to wait on this to be fixed...
On Mon, Apr 13, 2015 at 04:25:24PM +0200, Daniele Tricoli wrote:
On Saturday 11 April 2015 14:50:19 Luke Faraone wrote:
However, the package is vulnerable to the other issue:
- If the secretKey was expected to be a RSA public key, but the attacker
changed the header to indicate a
On Thu, Jun 11, 2015 at 01:01:35AM +0200, Thomas Goirand wrote:
Could you please allow me to upload the package to the security FTP,
even without a DSA? Dealing with the release team to update software for
security is often frustrating because it takes too long (because they
are busy, and they
On Tue, May 19, 2015 at 09:36:45AM +, Gianfranco Costamagna wrote:
Hi Debian security team, can we please followup with the two uploads then?
I'm attaching the two debdiffs,
Ok, please upload. Jessie needs to be built with -sa since virtualbox is
new in jessie-security.
I'll take care of
On Sun, Jun 21, 2015 at 02:56:36PM +0200, Hilko Bengen wrote:
* Salvatore Bonaccorso:
Did you have a chance to get more details on it?
,[ http://seclists.org/bugtraq/2015/Jun/53 ]
| Elasticsearch versions 1.0.0 - 1.5.2 are vulnerable to an engineered
| attack on other applications on
reassign 794323 ftp.debian.org
retitle 794323 RM: xmail
thanks
On Sat, Aug 01, 2015 at 01:31:37PM +0200, Moritz Muehlenhoff wrote:
Package: xmail
Severity: serious
The last upstream release was in 2010, that's also when the last
maintainer upload occurred. It has longstanding RC bugs and
On Wed, Jul 08, 2015 at 11:32:14AM +0200, Fabian Greffrath wrote:
Package: flashplugin-nonfree
Version: 1:3.6.1
Severity: wishlist
Hi there,
while trying to keep track of the critical security holes that are
discovered in Flashplayer regularly, it would help if this package
provided a
On Tue, Aug 18, 2015 at 08:08:01PM +0200, Andreas Cadhalpun wrote:
Hi Moritz,
On 16.08.2015 14:27, Moritz Muehlenhoff wrote:
It was decided to switch to ffmpeg for stretch and it's now in
testing.
Please remove libav from testing (or rather from unstable unless
someone wants to
On Wed, Aug 19, 2015 at 05:00:53PM +0200, Guido Günther wrote:
Hi,
On Wed, Aug 19, 2015 at 04:53:46PM +0200, Moritz Muehlenhoff wrote:
Source: libvirt
Severity: normal
Tags: security
This was assigned CVE-2015-5160:
501 - 600 of 2504 matches