Re: CVE-2015-7557/librsvg packages for wheezy and jessie (was: squeeze update of librsvg?)

2016-03-24 Thread Salvatore Bonaccorso
Hi Santiago, On Fri, Mar 25, 2016 at 12:20:58AM +0100, Santiago Ruano Rincón wrote: > Hi, > > Please, find attached the debdiffs that fix CVE-2015-7557 in wheezy and > jessie. Since this is a no-dsa issue, it could address a next point > release. Thanks for your work! Please have the fix schedul

Re: teaching people to ignore warnings is bad (Re: Archive of squeeze-lts ?)

2016-03-24 Thread Paul Wise
On Fri, Mar 25, 2016 at 7:26 AM, Holger Levsen wrote: > I'm really not sure that teaching people to ignore apt warnings is the > best way to tell them that they need to upgrade. IMO this is mixing two > topics, in a bad way. > > At least I would have appreciated if the signing key would have been

Re: teaching people to ignore warnings is bad (Re: Archive of squeeze-lts ?)

2016-03-24 Thread Markus Koschany
Hi, On 25.03.2016 at 00:26, Holger Levsen wrote: > Hi, > > On Thu, Mar 24, 2016 at 07:26:22PM +0100, Markus Koschany wrote: >> squeeze-lts has been archived on archive.debian.org. The warning is >> valid and it reminds people that the support for Squeeze has ended. >> >> If you want to ignore th

teaching people to ignore warnings is bad (Re: Archive of squeeze-lts ?)

2016-03-24 Thread Holger Levsen
Hi, On Thu, Mar 24, 2016 at 07:26:22PM +0100, Markus Koschany wrote: > squeeze-lts has been archived on archive.debian.org. The warning is > valid and it reminds people that the support for Squeeze has ended. > > If you want to ignore this warning you can use the following apt-get option: [...] >

CVE-2015-7557/librsvg packages for wheezy and jessie (was: squeeze update of librsvg?)

2016-03-24 Thread Santiago Ruano Rincón
Hi, Please, find attached the debdiffs that fix CVE-2015-7557 in wheezy and jessie. Since this is a no-dsa issue, it could address a next point release. Cheers, Santiago diff -Nru librsvg-2.36.1/debian/changelog librsvg-2.36.1/debian/changelog --- librsvg-2.36.1/debian/changelog 2013-12-04 2

Re: imagemagick

2016-03-24 Thread Luciano Bello
On Thursday 10 March 2016 13.39.31 Brian May wrote: > I have wheezy packages for testing: > https://people.debian.org/~bam/wheezy/imagemagick/ > > I also have jessie packages for testing: > https://people.debian.org/~bam/jessie/imagemagick/ Sorry for the delay in the answer here. I didn't test t

Re: Archive of squeeze-lts ?

2016-03-24 Thread Antoine Beaupré
On 2016-03-24 13:59:34, Johnathon Tinsley wrote: >>> >>> I'm seeing this when trying to fetch lts packages from >>> archive.debian.org at the moment. Anyone know a good contact for them? >>> >>> E: Release file expired, ignoring >>> http://archive.debian.org/debian/dists/squeeze-lts/Release (invali

Re: Archive of squeeze-lts ?

2016-03-24 Thread Markus Koschany
On 24.03.2016 at 18:59, Johnathon Tinsley wrote: >>> >>> I'm seeing this when trying to fetch lts packages from >>> archive.debian.org at the moment. Anyone know a good contact for them? >>> >>> E: Release file expired, ignoring >>> http://archive.debian.org/debian/dists/squeeze-lts/Release (inval

Re: Archive of squeeze-lts ?

2016-03-24 Thread Luke Hall
>> I'm seeing this when trying to fetch lts packages from >> archive.debian.org at the moment. Anyone know a good contact for them? >> >> E: Release file expired, ignoring >> http://archive.debian.org/debian/dists/squeeze-lts/Release (invalid >> since 9d 1h 10min 4s) > That's expected and won't cha

Re: Archive of squeeze-lts ?

2016-03-24 Thread Johnathon Tinsley
I'm seeing this when trying to fetch lts packages from archive.debian.org at the moment. Anyone know a good contact for them? E: Release file expired, ignoring http://archive.debian.org/debian/dists/squeeze-lts/Release (invalid since 9d 1h 10min 4s) That's expected and won't change. Time to upgr

Xen security updates on Wheezy

2016-03-24 Thread Antoine Beaupré
(Opening a new thread to clarify topic.) Brian, I have tested the packages you have provided here: https://people.debian.org/~bam/wheezy/xen/amd64/ They seem to hold, although I have yet to test them in production. One thing I noticed is that they don't seem to fix CVE-2015-8104 and CVE-2015-5307

Re: working for wheezy-security until wheezy-lts starts

2016-03-24 Thread Antoine Beaupré
On 2016-03-24 10:48:14, Antoine Beaupré wrote: > 2014-8104 is probably a typo, as it concerns OpenVPN according to the > security tracker. You probably mean CVE-2015-8104... > > I'll look at what that one implies specifically. Oh, I see that you already ported those patches in <87d1qvvzhi@prun

Re: Archive of squeeze-lts ?

2016-03-24 Thread Alexander Wirt
On Thu, 24 Mar 2016, Luke Hall wrote: > Hi, > > I'm seeing this when trying to fetch lts packages from > archive.debian.org at the moment. Anyone know a good contact for them? > > E: Release file expired, ignoring > http://archive.debian.org/debian/dists/squeeze-lts/Release (invalid > since 9d 1

Re: Archive of squeeze-lts ?

2016-03-24 Thread Luke Hall
Hi, I'm seeing this when trying to fetch lts packages from archive.debian.org at the moment. Anyone know a good contact for them? E: Release file expired, ignoring http://archive.debian.org/debian/dists/squeeze-lts/Release (invalid since 9d 1h 10min 4s) On 10/03/16 18:22, Chris Lamb wrote: > H

Re: working for wheezy-security until wheezy-lts starts

2016-03-24 Thread Antoine Beaupré
On 2016-03-21 19:16:24, Brian May wrote: > Brian May writes: > >>> Wonder how many of the CVEs the Ubuntu version fixes. >> >> Will have a look at this now. > > Comparing the changelog with our security tracker (by hand; not sure if > anybody has written a tool to automate this, if not might be a