On 2022-09-05 18:47, Utkarsh Gupta wrote:
Hello,
Now that buster is LTS and no longer officially supported, should the
-backports pocket be closed? AFAIK, buster just receives the security
uploads by the -security pocket and shouldn't have -backports open
anymore. I hope I am not mistaken or mis
On Mon, 2022-09-05 at 21:38 +0200, Ola Lundqvist wrote:
> I agree that it is good to fix the pcs package, but shouldn't we fix
> the default umask in general?
> I would argue that the default umask is insecure.
bookworm login sets new user home directories to secure permissions:
$ grep -E 'HO
Hello,
Now that buster is LTS and no longer officially supported, should the
-backports pocket be closed? AFAIK, buster just receives the security
uploads by the -security pocket and shouldn't have -backports open
anymore. I hope I am not mistaken or missing anything?
FTR, packages are still ente
Hi fellow Debian LTS and Debian Security members
When triaging the packages for LTS I looked into the package pcs. I saw
that it was already added to DSA needed so I have added it to DLA needed as
well. However when reading the correction for it I started to think that
the vulnerability may not b
[[resending with a different mail address due to a couple of MTA rejections]]
On 05/09/22 06:28 PM, Abhijith PA wrote:
> Hey,
>
> On 05/09/22 06:09 PM, Utkarsh Gupta wrote:
> > Hi Abhijith,
> >
> > On Sat, Sep 3, 2022 at 5:04 PM Abhijith PA wrote:
> > > CVE-2022-32224
> > >
> > > When serialized
Hi Abhijith,
On Sat, Sep 3, 2022 at 5:04 PM Abhijith PA wrote:
> CVE-2022-32224
>
> When serialized columns that use YAML (the default) are
> deserialized, Rails uses YAML.unsafe_load to convert the YAML data
> in to Ruby objects. If an attacker can manipulate data in the
> databa