Re: working for wheezy-security until wheezy-lts starts

2016-02-29 Thread Guido Günther
On Tue, Mar 01, 2016 at 07:15:28AM +, Mike Gabriel wrote: [..snip..] > >>Issues that are unfixed in wheezy but fixed in squeeze: > >>* aptdaemon-> CVE-2015-1323 > >>* cakephp -> TEMP-000-698CF7 > >>* dhcpcd -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700

Re: working for wheezy-security until wheezy-lts starts

2016-02-29 Thread Mike Gabriel
Hi Guido, On Mon 29 Feb 2016 21:54:11 CET, Guido Günther wrote: * prepare a fixed package * test the package * send a .debdiff to t...@security.debian.org * wait for feedback and ideally permission to upload to wheezy-security That's what I'm doing at the moment (sending the debdiff

maintainer feedback on CVE-2014-8350 (smarty3)

2016-02-29 Thread Mike Gabriel
Hi all, I have just looked at what it needs to fix CVE-2014-8350 for smarty3 [1]. Unfortunately, the fix [2] from between 3.1.20 and 3.1.21 is not trivial to backport to wheezy's 3.1.10 version. The packages that depend on smarty3 in Debian wheezy are these: o gosa + its plugins o

[SECURITY] [DLA 445-1] squid3 security update

2016-02-29 Thread santiagorr
Package: squid3 Version: 3.1.6-1.2+squeeze6 CVE ID : CVE-2016-2569 CVE-2016-2571 Debian Bug : 816011 Several security issues have been discovered in the Squid caching proxy. CVE-2016-2569 Squid wrongly checked boundaries of String data, making it possible for

Re: Wiki update LTS/Using and EOL announcement

2016-02-29 Thread Paul Gevers
Hi Markus, On 29-02-16 21:56, Markus Koschany wrote: > If it helps I could remove the "Debian 7 Wheezy" part and write > "we recommend that you upgrade your systems". That fully resolves the issue I was having with the text. Paul

Re: Wiki update LTS/Using and EOL announcement

2016-02-29 Thread Markus Koschany
On 29.02.2016 at 20:27, Paul Gevers wrote: > Hi Markus, > > On 29-02-16 20:25, Matus UHLAR - fantomas wrote: >> you only can upgrade to wheezy directly. upgrade across versions is not >> supported. > > I know, but that is not what I meant. I meant (and wrote), upgrade via > wheezy. Hi Paul,

Re: working for wheezy-security until wheezy-lts starts

2016-02-29 Thread Guido Günther
Hi, On Mon, Feb 29, 2016 at 03:25:46PM +, Mike Gabriel wrote: > For this, we can run bin/lts-needs-forward-port.py from the secure-testing > repo and see what issues we fixed in squeeze and port those fixes to the > package version in wheezy-security. Package updates must be coordinated with >

Re: Wiki update LTS/Using and EOL announcement

2016-02-29 Thread Paul Gevers
Hi Markus, On 29-02-16 20:25, Matus UHLAR - fantomas wrote: > you only can upgrade to wheezy directly. upgrade across versions is not > supported. I know, but that is not what I meant. I meant (and wrote), upgrade via wheezy. Paul

Re: Wiki update LTS/Using and EOL announcement

2016-02-29 Thread Matus UHLAR - fantomas
On 29-02-16 12:35, Markus Koschany wrote: We recommend that you upgrade your systems to Debian 7 "Wheezy". On 29.02.16 19:59, Paul Gevers wrote: /me wonders, do we really recommend that? I would say we recommend our users to upgrade to the current stable (via Wheezy), no? And wheezy-lts is

Accepted squid3 3.1.6-1.2+squeeze6 (source all amd64) into squeeze-lts

2016-02-29 Thread Santiago Ruano Rincón
Format: 1.8 Date: Mon, 29 Feb 2016 20:02:20 +0100 Source: squid3 Binary: squid3 squid3-dbg squid3-common squidclient squid-cgi Architecture: source all amd64 Version: 3.1.6-1.2+squeeze6 Distribution: squeeze-lts Urgency: medium Maintainer: Luigi

Re: Wiki update LTS/Using and EOL announcement

2016-02-29 Thread Paul Gevers
Hi Markus, On 29-02-16 12:35, Markus Koschany wrote: > We recommend that you upgrade your systems to Debian 7 "Wheezy". /me wonders, do we really recommend that? I would say we recommend our users to upgrade to the current stable (via Wheezy), no? And wheezy-lts is there for those that can't or

[SECURITY] [DLA 444-1] php5 security update

2016-02-29 Thread Thorsten Alteholz
Package: php5 Version: 5.3.3.1-7+squeeze29 CVE ID : CVE-2015-2305 CVE-2015-2348 CVE-2015-2305 Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on

working for wheezy-security until wheezy-lts starts

2016-02-29 Thread Mike Gabriel
Hi all, as of today, the Debian squeeze LTS support will cease and squeeze will finally enter the archived archives of Debian. .oO( /me gets out his handkerchief ...) As (paid) LTS contributor you may wonder what to do next, esp. until the official Debian wheezy LTS support period starts

[SECURITY] [DLA 443-1] bsh security update

2016-02-29 Thread Markus Koschany
Package: bsh Version: 2.0b4-12+deb6u1 CVE ID : CVE-2016-2510 A remote code execution vulnerability was found in BeanShell, an embeddable Java source interpreter with object scripting language features. CVE-2016-2510:

Re: Unsupported packages for Wheezy LTS

2016-02-29 Thread Markus Koschany
On 29.02.2016 at 15:17, Raphael Hertzog wrote: > On Thu, 19 Nov 2015, Moritz Mühlenhoff wrote: >> Another package which needs to be sorted out is the support for >> Java. wheezy has both openjdk-6 and openjdk-7 (jessie has only >> -7 and stretch will also only have one version). > > I asked our

[SECURITY] [DLA 442-1] lxc security update

2016-02-29 Thread Mike Gabriel
Package: lxc Version: 0.7.2-1+deb6u1 CVE ID : CVE-2013-6441 CVE-2015-1335 Debian Bug : #800471 Brief introduction CVE-2013-6441 The template script lxc-sshd used to mount itself as /sbin/init in the container using a writable bind-mount. This update

Re: Unsupported packages for Wheezy LTS

2016-02-29 Thread Raphael Hertzog
On Thu, 19 Nov 2015, Moritz Mühlenhoff wrote: > Another package which needs to be sorted out is the support for > Java. wheezy has both openjdk-6 and openjdk-7 (jessie has only > -7 and stretch will also only have one version). I asked our current sponsors about OpenJDK 6 and none asked us to

[SECURITY] [DLA 441-1] pcre3 security update

2016-02-29 Thread Markus Koschany
Package: pcre3 Version: 8.02-1.1+deb6u1 Debian Bug : 815921 HP's Zero Day Initiative has identified a vulnerability affecting the pcre3 package. It was assigned ZDI id ZDI-CAN-3542. A CVE identifier has not been assigned yet.

Accepted bsh 2.0b4-12+deb6u1 (source all i386) into squeeze-lts

2016-02-29 Thread Markus Koschany
Format: 1.8 Date: Mon, 29 Feb 2016 12:59:05 +0100 Source: bsh Binary: bsh bsh-gcj bsh-doc bsh-src Architecture: source all i386 Version: 2.0b4-12+deb6u1 Distribution: squeeze-lts Urgency: high Maintainer: Debian Java Maintainers

Accepted lxc 0.7.2-1+deb6u1 (source amd64) into squeeze-lts

2016-02-29 Thread Mike Gabriel
Format: 1.8 Date: Fri, 04 Dec 2015 16:17:06 +0100 Source: lxc Binary: lxc Architecture: source amd64 Version: 0.7.2-1+deb6u1 Distribution: squeeze-lts Urgency: medium Maintainer: Guido Trotter Changed-By: Mike Gabriel

Re: Wiki update LTS/Using and EOL announcement

2016-02-29 Thread Markus Koschany
On 28.02.2016 at 18:12, Holger Levsen wrote: > Hi Markus, > > On Sunday, 28 February 2016, Markus Koschany wrote: >> I have updated https://wiki.debian.org/LTS/Using to prepare for the >> switch to Wheezy LTS. What do you think about sending an EOL >> announcement to debian-lts-announce on