Re: potrace

2017-05-09 Thread Brian May
Hugo Lefeuvre writes: >> This is the potrace 0.14 diff, which supposedly resolves CVE-2016-8685 >> and CVE-2016-8686 (which was previously described as not a bug in >> #843861). >> >> Unfortunately, it is somewhat large... >> >> https://github.com/skyrpex/potrace/commit/b3fce824046abcc0465deb55

Wheezy update of eglibc?

2017-05-09 Thread Chris Lamb
Dear maintainer(s), The Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of eglibc: https://security-tracker.debian.org/tracker/source-package/eglibc Would you like to take care of this yourself? If yes, please follow the workflow we have defin

Re: potrace

2017-05-09 Thread Hugo Lefeuvre
Hi Brian, > It looks like the bm_new() function, referenced by CVE-2016-8686 has > been refactored. In particular the size calculation has been moved to a > getsize function. > > Unfortunately the description of CVE-2016-8686 is vague - "A crafted > image, through a fuzz testing, causes the memor
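The size calculation that this message says was moved out of bm_new() into a getsize function is the classic place for an integer-overflow bug in a bitmap allocator: width and height from a crafted file are multiplied in narrow arithmetic, the product wraps, and the resulting allocation is far smaller than the image that is then written into it. The following is an added C example, not potrace's code and not the 0.14/1.14 patch; the type, struct and function names (bitmap_t, bm_size_unchecked, bm_size_checked, bm_new_checked) are hypothetical. It contrasts an unchecked 32-bit size computation with a size_t version that rejects overflow before allocating.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Added illustration (hypothetical names, not potrace's code): a packed
 * 1-bit-per-pixel bitmap whose rows are padded to whole machine words,
 * the kind of layout a bm_new()-style allocator has to size. */
typedef unsigned long bm_word_t;
#define BM_WORDBITS (8 * sizeof(bm_word_t))

typedef struct {
    int w, h;          /* pixel dimensions */
    size_t dy;         /* words per row */
    bm_word_t *map;    /* dy * h words */
} bitmap_t;

/* Words needed for one row of w pixels; 0 for a non-positive width. */
static size_t bm_words_per_row(int w) {
    if (w <= 0) return 0;
    return ((size_t)w + BM_WORDBITS - 1) / BM_WORDBITS;
}

/* Unchecked size calculation in 32-bit unsigned arithmetic. This models the
 * wrap-around a 32-bit int computation suffers (without the undefined
 * behaviour of signed overflow): a large height makes the product wrap to a
 * tiny byte count, so the allocation is much smaller than the bitmap. */
uint32_t bm_size_unchecked(int w, int h) {
    uint32_t dy = (uint32_t)bm_words_per_row(w);
    return dy * (uint32_t)h * (uint32_t)sizeof(bm_word_t);
}

/* Checked size calculation in size_t. Returns 0 and stores the byte count,
 * or -1 for non-positive dimensions or if any multiplication would overflow. */
int bm_size_checked(int w, int h, size_t *nbytes) {
    if (w <= 0 || h <= 0 || nbytes == NULL) return -1;
    size_t dy = bm_words_per_row(w);
    if (dy > SIZE_MAX / (size_t)h) return -1;             /* dy * h */
    size_t nwords = dy * (size_t)h;
    if (nwords > SIZE_MAX / sizeof(bm_word_t)) return -1; /* * word size */
    *nbytes = nwords * sizeof(bm_word_t);
    return 0;
}

/* Allocator that refuses anything the checked size calculation rejects.
 * Returns NULL on bad dimensions, overflow, or allocation failure. */
bitmap_t *bm_new_checked(int w, int h) {
    size_t nbytes;
    if (bm_size_checked(w, h, &nbytes) != 0) return NULL;
    bitmap_t *bm = malloc(sizeof *bm);
    if (bm == NULL) return NULL;
    bm->w = w;
    bm->h = h;
    bm->dy = bm_words_per_row(w);
    bm->map = calloc(1, nbytes);  /* zero-filled, exactly nbytes long */
    if (bm->map == NULL) { free(bm); return NULL; }
    return bm;
}

void bm_free(bitmap_t *bm) {
    if (bm) { free(bm->map); free(bm); }
}
```

With w = 64 and h = 536870913 the unchecked computation yields 8 bytes (the 33-bit product wraps), while the checked one either reports the true multi-gigabyte size or, on a 32-bit size_t, refuses outright. Doing the arithmetic in size_t alone is not enough; the division-based checks are what make the function reject rather than wrap.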

Re: potrace

2017-05-09 Thread Brian May
Hugo Lefeuvre writes: > I think this is a crafted file. > > By the way, where did you find the reproducer ? I can't find it > anywhere. It was sent on the oss-security list as an attachment, but the HTML archive strips attachments. http://www.openwall.com/lists/oss-security/2016/10/10/1 So I h

Wheezy update of rzip?

2017-05-09 Thread Chris Lamb
Dear maintainer(s), The Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of rzip: https://security-tracker.debian.org/tracker/source-package/rzip Would you like to take care of this yourself? If yes, please follow the workflow we have defined h

Wheezy update of binutils?

2017-05-09 Thread Chris Lamb
Dear maintainer(s), The Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of binutils: https://security-tracker.debian.org/tracker/source-package/binutils Would you like to take care of this yourself? If yes, please follow the workflow we have d

Claimed issues in data/dla-needed.txt (bind9, icu, jasper)

2017-05-09 Thread Chris Lamb
Hey Thorsten, You currently have the following packages claimed in data/dla-needed.txt, some of them for over 3 weeks: bind9 icu jasper Could you spare a few moments to update data/dla-needed.txt with "NOTE"s as to their current status? Many thanks in advance. :) Regards, -- ,''`

Re: Wheezy update of binutils?

2017-05-09 Thread Matthias Klose
On 09.05.2017 22:53, Chris Lamb wrote: > Dear maintainer(s), > > The Debian LTS team would like to fix the security issues which are > currently open in the Wheezy version of binutils: > https://security-tracker.debian.org/tracker/source-package/binutils > > Would you like to take care of this yo

Re: Claimed issues in data/dla-needed.txt (bind9, icu, jasper)

2017-05-09 Thread Roberto C. Sánchez
On Tue, May 09, 2017 at 09:57:25PM +0100, Chris Lamb wrote: > Hey Thorsten, > > You currently have the following packages claimed in data/dla-needed.txt, > some of them for over 3 weeks: > > bind9 > icu > jasper > > Could you spare a few moments to update data/dla-needed.txt with "NOTE"s >

LTS Report for April 2017

2017-05-09 Thread Roberto C. Sánchez
For April I had 21 hours available. I spent 16.5 as follows: - samba: CVE-2017-2619: final package preparation, review, and upload - ghostscript: CVE-2017-8291: prepare, test, and upload package - imagemagick: begin review of latest batch of CVEs - icu: CVE-2017-7867, CVE-2017-7868: Assist Th