Accepted pdns-recursor 3.3-3+deb7u2 (source amd64) into oldstable

2017-01-16 Thread Jonas Meurer
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Mon, 16 Jan 2017 19:53:53 +0100 Source: pdns-recursor Binary: pdns-recursor pdns-recursor-dbg Architecture: source amd64 Version: 3.3-3+deb7u2 Distribution: wheezy-security Urgency: high Maintainer: Debian PowerDNS Maintainers

Re: wheezy update for libav

2017-01-16 Thread Hugo Lefeuvre
Hi Diego, > I just released libav 0.8.20 with some more fixes, changelog below. > > Diego > > version 0.8.20: > > - mpegvideo: Fix undefined negative shifts in mpeg_motion_internal (Bug-Id: > 980, CVE-2016-9820) > - mpegvideo: Fix undefined negative shifts in ff_init_block_index (Bug-Id: >

Re: wheezy update for libav

2017-01-16 Thread Diego Biurrun
On Fri, Jan 06, 2017 at 11:32:49AM +0100, Hugo Lefeuvre wrote: > > Could you summarize us the status of your work on the 0.8 branch ? > > I've had a look at the new CVEs reported for libav. I managed to > reproduce CVE-2016-98{21,22} (avconv crashes with segfault), but > cherry picking the

graphicsmagick update

2017-01-16 Thread Antoine Beaupré
Hi, I've looked at updating the graphicsmagick (GM) update to fix the issues outlined in a [recent discussion][1]. The fix to CVE-2016-5240.patch is trivial. I can also confirm the current GM version in wheezy-security segfaults with the POC. I've had difficulties fixing the pending

Accepted otrs2 3.1.7+dfsg1-8+deb7u6 (source all) into oldstable

2017-01-16 Thread Jonas Meurer
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Mon, 16 Jan 2017 13:45:17 +0100 Source: otrs2 Binary: otrs2 otrs Architecture: source all Version: 3.1.7+dfsg1-8+deb7u6 Distribution: wheezy-security Urgency: high Maintainer: Patrick Matthäi Changed-By:

[SECURITY] [DLA 787-1] otrs2 security update

2017-01-16 Thread Jonas Meurer
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: otrs2 Version: 3.1.7+dfsg1-8+deb7u6 CVE ID : CVE-2016-9139 Debian Bug : 843091 A cross-site scripting vulnerability (XSS) was discovered in OTRS, a ticket requesting system for the web. An attacker could trick

Accepted botan1.10 1.10.5-1+deb7u2 (source amd64) into oldstable

2017-01-16 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Thu, 12 Jan 2017 16:38:50 +0100 Source: botan1.10 Binary: botan1.10-dbg libbotan-1.10-0 libbotan1.10-dev Architecture: source amd64 Version: 1.10.5-1+deb7u2 Distribution: wheezy-security Urgency: high Maintainer: Ondřej Surý