Re: No DLA for xen, librsvg, libidn?

2016-05-19 Thread Brian May
Antoine Beaupré writes: > I wonder if some of that stuff should be automated. I am fairly new with > the security process, how often do mistakes like this happen anyways? > > And how hard would it be to automate this? I would suggest a more useful thing to automate would

Re: No DLA for xen, librsvg, libidn?

2016-05-19 Thread Chris Lamb
> Inline signing is not mandatory (I use MIME-signing with mutt) but > there are enough cases where MIME-signing does not work properly I've also found MIME-signing to be unreliable so I now use inline-signing by default when posting to debian-lts-announce. (My tip is to BCC your personal email

[SECURITY] [DLA 482-1] libgd2 security update

2016-05-19 Thread Chris Lamb
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Package: libgd2 Version: 2.0.36~rc1~dfsg-6.1+deb7u3 CVE ID : CVE-2015-8874 Debian Bug : 824627 It was discovered that there was a stack consumption vulnerability in the libgd2 graphics library which allowed remote

Re: No DLA for xen, librsvg, libidn?

2016-05-19 Thread Raphael Hertzog
On Wed, 18 May 2016, Antoine Beaupré wrote: > On 2016-05-18 03:45:57, Raphael Hertzog wrote: > > On Tue, 17 May 2016, Antoine Beaupré wrote: > >> It would be great to have better consistency here. > > > > Yes, just like we ensure that we get an Accepted mail before sending the > > DLA, we must

Re: what to do with LTS-backports?

2016-05-19 Thread Rhonda D'Vine
Hi, * Holger Levsen [2016-05-19 13:45:56 CEST]: > apparently some maintainers don't want to support backports in > wheezy-backports anymore, saying wheezy is oldstable now (and > unsupported by Debian proper, "just" maintained by the Debian LTS team.) That's fine

Re: what to do with LTS-backports?

2016-05-19 Thread Holger Levsen
On Thu, May 19, 2016 at 11:45:56AM +, Holger Levsen wrote: > Alternatively, the backports maintainers would need to agree to maintain > those backports for two more years. which should be rather easy by uploading the jessie version to wheezy-backports and following up with backporting jessie

what to do with LTS-backports?

2016-05-19 Thread Holger Levsen
Hi, apparently some maintainers don't want to support backports in wheezy-backports anymore, saying wheezy is oldstable now (and unsupported by Debian proper, "just" maintained by the Debian LTS team.) In a way, that's a fair stand, as when they agreed to support the backport for the life time

Re: NSS and logjam in wheezy (CVE-2015-4000)

2016-05-19 Thread Salvatore Bonaccorso
Hi Guido, On Thu, May 19, 2016 at 08:11:37AM +0200, Guido Günther wrote: > On Wed, May 18, 2016 at 03:12:23PM -0400, Antoine Beaupré wrote: > > On 2016-03-29 16:28:36, Antoine Beaupré wrote: > > > On 2016-03-26 04:33:29, Guido Günther wrote: > > >> Thanks for reviewing this! I was about to look

Re: NSS and logjam in wheezy (CVE-2015-4000)

2016-05-19 Thread Guido Günther
On Wed, May 18, 2016 at 03:12:23PM -0400, Antoine Beaupré wrote: > On 2016-03-29 16:28:36, Antoine Beaupré wrote: > > On 2016-03-26 04:33:29, Guido Günther wrote: > >> Thanks for reviewing this! I was about to look into more recent nss > >> issues after handling dhcpcd but since you're at it, go