Re: [SECURITY] [DLA 2441-1] sympa security update

2020-11-09 Thread Antoine Beaupré
On 2020-11-09 14:04:02, Sylvain Beucler wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > - - > Debian LTS Advisory DLA-2441-1debian-lts@lists.debian.org > https://www.debian.org/lts/security/

Re: heads up: DLA should now be published on the website

2019-02-21 Thread Antoine Beaupré
On 2019-02-21 18:18:06, Holger Levsen wrote: > Hi Antoine, > > On Mon, Feb 18, 2019 at 04:10:47PM -0500, Antoine Beaupré wrote: >> But my little finger tells me there are many DLAs still missing from the >> website. So even if/when the above MR does get merged, more entries w

(early) monthly report

2019-02-18 Thread Antoine Beaupré
Hi all, Here's my early LTS report. The TL;DR is: * website work * python-gpg * golang * libarchive * netmask * libreoffice * enigmail # Website work I again worked on the website this month, doing one more mass import ([MR 53][]) which was finally merged by Holger Levsen, after I [fixe

heads up: DLA should now be published on the website

2019-02-18 Thread Antoine Beaupré
On 2019-02-01 20:58:28, Holger Levsen wrote: > On Fri, Feb 01, 2019 at 01:58:04PM -0500, Antoine Beaupré wrote: [...] > can you please put that on wiki.d.o/LTS/Development?! This is now done. I added a new section to the wiki https://wiki.debian.org/LTS/Devel

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-18 Thread Antoine Beaupré
On 2019-02-18 09:27:37, Russ Allbery wrote: > Does this plan sound good to everyone? I'll follow up with the proposed > diffs for stable and oldstable. Works for me (LTS), although I won't be the one performing the upgrade (I've unclaimed the package for other reasons). Thanks for your work! A.

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-14 Thread Antoine Beaupré
On 2019-02-14 10:08:40, Russ Allbery wrote: > Roman Medina-Heigl Hernandez writes: > >> Added Russ (rssh maintainer). > >> I cannot probe it but I guess chances are high that the issue is present >> both in stable and oldstable (I cannot find a good reason to filter >> different commands: solution

Re: Bug#859122: about 500 DLAs missing from the website

2019-02-12 Thread Antoine Beaupré
> https://www.debian.org/security/lts/ > MIME-Version: 1.0 > Content-Type: text/plain; charset=UTF-8 > Content-Transfer-Encoding: 8bit > > As discussed in https://bugs.debian.org/859122 DLAs and DSAs will be > separated in different supages. This needs adaption for the URL &

Re: concerns about the security reliability of python-gnupg

2019-02-11 Thread Antoine Beaupré
On 2019-02-09 11:39:18, Elena ``of Valhalla'' wrote: > On 2019-02-07 at 11:44:45 -0500, Antoine Beaupré wrote: >> Hi, >> >> Recently, python-gnupg was triaged for maintenance in Debian LTS, which >> brought my attention to this little wrapper around Gnu

Re: Bug#859122: about 500 DLAs missing from the website

2019-02-11 Thread Antoine Beaupré
On 2019-02-09 14:39:50, Holger Levsen wrote: > Hi Laura, > > many many thanks for your work on this, including and especially this > writeup! > > some comments below, where I don't say anything I mean 'yay'! :) > > On Sat, Feb 09, 2019 at 03:55:44AM +0100, Laura Arjona Reina wrote: >> * The /lts/sec

Re: Bug#859122: about 500 DLAs missing from the website

2019-02-11 Thread Antoine Beaupré
On 2019-02-09 03:55:44, Laura Arjona Reina wrote: > Hello all > > Holger Levsen merged the generated DLAs and I've worked to create the > /lts tree to show them separated from the DSA. I have moved to this new > /lts folder the DLAs from years 2014, 2015 and 2016 that we had already, > and remove t

Re: faad2 and systemd: (semi)-automaticly unclaimed after 2 weeks of inactivity

2019-02-11 Thread Antoine Beaupré
On 2019-02-11 10:57:20, Holger Levsen wrote: > hi, > > I've just unclaimed faad2 and systemd as the last documented activity on these > packages was more than two weeks ago... > > If you intend to continue working on them, please just reclaim them and > update the note. Hehe... "arroseur arrosé" a

Re: (when?) do we (still) contact maintainers?

2019-02-07 Thread Antoine Beaupré
On 2019-02-07 18:32:39, Markus Koschany wrote: > Please do not CC me. I am subscribed. > > Am 07.02.19 um 18:23 schrieb Antoine Beaupré: > [...] >> Well, I don't think we should make such calls without announcing it and >> documenting the new workflow clearly, first

Re: (when?) do we (still) contact maintainers?

2019-02-07 Thread Antoine Beaupré
On 2019-02-07 17:58:48, Markus Koschany wrote: > Hello, > > Am 07.02.19 um 17:32 schrieb Antoine Beaupré: > [...] >> Am I missing something here? Did we change this practice, or is this an >> oversight? > > I have been part of the team for three years now, from my

Re: concerns about the security reliability of python-gnupg

2019-02-07 Thread Antoine Beaupré
On 2019-02-07 16:48:56, Holger Levsen wrote: > On Thu, Feb 07, 2019 at 11:44:45AM -0500, Antoine Beaupré wrote: >> But maybe, instead, we should just mark it as unsupported in >> debian-security-support and move on. There are few packages depending on >> it, in jessie:

Re: concerns about the security reliability of python-gnupg

2019-02-07 Thread Antoine Beaupré
On 2019-02-07 11:44:45, Antoine Beaupré wrote: > https://dev.gentoo.org/~mgorny/articles/evolution-uid-trust-extrapolation.html > https://blogs.gentoo.org/mgorny/2019/01/29/identity-with-openpgp-trust-model/ Oops, that second link should have been: https://dev.gentoo.org/~mgorny/articles/

concerns about the security reliability of python-gnupg

2019-02-07 Thread Antoine Beaupré
Hi, Recently, python-gnupg was triaged for maintenance in Debian LTS, which brought my attention to this little wrapper around GnuPG that I'm somewhat familiar with. Debian is marked as "vulnerable" for CVE-2019-6690 in Jessie and Stretch right now, with buster and sid marked as fixed, as you can

(when?) do we (still) contact maintainers?

2019-02-07 Thread Antoine Beaupré
Hi, I was under the impression that we were supposed to contact maintainers when we add packages to dla-needed.txt, as part of the triage work. That is, at least, the method documented here: https://wiki.debian.org/LTS/Development#Triage_new_security_issues Confident that people doing the triage

Re: [SECURITY] [DLA 1664-1] golang security update

2019-02-06 Thread Antoine Beaupré
On 2019-02-06 23:42:12, Chris Lamb wrote: > Hi Antoine, > >> all golang Debian packages are (as elsewhere) statically compiled >> and linked so we'd need to rebuild all the rdeps > > Hm. Can we avoid /all/ the rdeps? I mean, grep the rdeps for ones > that use this library? Yeah, that's what I was

Re: [SECURITY] [DLA 1664-1] golang security update

2019-02-06 Thread Antoine Beaupré
On 2019-02-06 22:17:26, Chris Lamb wrote: > It was discovered that there was a denial of service vulnerability > or possibly even the ability to conduct private key recovery > attacks within in the elliptic curve cryptography handling in the > Go programming language libraries. Hello Chris! Have

Re: buffer overflow vulnerability in netmask 2.3.12

2019-02-06 Thread Antoine Beaupré
On 2019-02-06 21:52:35, Guilhem Moulin wrote: > Hi anarcat, > > On Wed, 06 Feb 2019 at 14:13:23 -0500, Antoine Beaupré wrote: >> 4. issue a DLA when the package is accepted > > I wouldn't mind if you or another LTS team member were talking care of > this one :-)

Re: buffer overflow vulnerability in netmask 2.3.12

2019-02-06 Thread Antoine Beaupré
On 2019-02-06 01:59:58, Guilhem Moulin wrote: > Dear LTS team, Hi Guilhem! > A buffer overflow vulnerability was recently found in the netmask > package (a small utility that helps determining network masks): > > https://github.com/tlby/netmask/issues/3 > > The Security Team argued that the v

DLA-1654-1 libav missing?

2019-02-05 Thread Antoine Beaupré
Hi, It looks like no advisory was sent out for this upload. I noticed this while auditing the website for missing advisories. You'll be happy to know that with the current patchset, this is the only older advisory missing until the 2018 gap due to the mailing list crash. :) See also: https://sals

LTS report for January

2019-02-04 Thread Antoine Beaupré
Hello, Here's my report for January. ## sbuild regression My first stop this month was to notice a problem with sbuild from buster running on jessie chroots ([bug #920227][]). After discussions on IRC, where fellow Debian Developers basically fabricated me a patch on the fly, I sent [merge reque

Re: DLAs not arriving at my mailbox and I think it may be a general issue

2019-02-03 Thread Antoine Beaupré
On 2019-02-03 22:09:20, Ola Lundqvist wrote: > If someone has an idea on how I may have screwed this up myself I'm happy > to know. :-) After a quick glance, this might be gmail obsessing over DMARC. Typical problems all mailing list providers have suffered since this infamous standard came up -
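The DMARC failure mode alluded to in the reply above, as an added example that is not code from the thread or from any list software: a minimal DMARC evaluation showing why a mailing list that re-sends a post with a footer or subject tag fails the author domain's policy, and why "From:" rewriting is the usual workaround. The domains, the policy record and the message fields are constructed for the example; the organizational-domain helper is a deliberate simplification (a real verifier fetches the `_dmarc.<domain>` TXT record and uses the public suffix list).

```python
"""Added example: DMARC alignment and why a mailing list trips over it.
Not code from the thread. All domains, records and message fields below are
constructed; org_domain() is a simplification (see its docstring)."""


def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    Assumption for this example; real code consults the public suffix list."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(msg, record):
    """Return (passed, action) for a message under the From domain's record.
    msg keys: from_domain, spf_pass, spf_domain (MAIL FROM domain),
              dkim_pass, dkim_domain (d= tag of a verified signature)."""
    pol = parse_dmarc(record)
    dkim_ok = msg["dkim_pass"] and aligned(msg["from_domain"], msg["dkim_domain"], pol["adkim"])
    spf_ok = msg["spf_pass"] and aligned(msg["from_domain"], msg["spf_domain"], pol["aspf"])
    if dkim_ok or spf_ok:
        return True, "none"
    return False, pol["p"]


def relay_through_list(msg, list_domain, modifies_body=True, rewrite_from=False):
    """Model a mailing list resending a post. The list's MTA is now the SMTP
    sender, so SPF is evaluated for the list's domain; adding a footer or a
    subject tag breaks the author's DKIM signature. Rewriting From: (the
    common workaround) moves the message under the list's own domain and
    the list's own DKIM signature."""
    out = dict(msg)
    out["spf_pass"], out["spf_domain"] = True, list_domain
    if modifies_body:
        out["dkim_pass"] = False
    if rewrite_from:
        out["from_domain"] = list_domain
        out["dkim_pass"], out["dkim_domain"] = True, list_domain
    return out


if __name__ == "__main__":
    author_policy = "v=DMARC1; p=reject; adkim=s; aspf=s"   # constructed record
    post = {"from_domain": "example.com", "spf_pass": True,
            "spf_domain": "example.com", "dkim_pass": True,
            "dkim_domain": "example.com"}
    print("direct delivery:  ", evaluate(post, author_policy))
    print("via mailing list: ", evaluate(relay_through_list(post, "lists.example.org"), author_policy))
    rewritten = relay_through_list(post, "lists.example.org", rewrite_from=True)
    print("From: rewritten:  ", evaluate(rewritten, "v=DMARC1; p=none"))
```

The third case is evaluated against the list domain's (constructed) policy rather than the author's, because after rewriting the From: header the receiver looks up `_dmarc.lists.example.org`; that is exactly why list operators resort to it when an author domain publishes `p=reject`.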

Re: Review and testing phpmyadmin for Jessie LTS

2019-02-01 Thread Antoine Beaupré
Hi, I've reviewed both patches and they look sane. I did some smoke tests on the package (installed it and mariadb in a VM) and it seems to run okay. I also did a naive attempt at exploiting CVE-2018-19970 but couldn't succeed, which can either mean I failed or the flaw is fixed. :) Good job, A

Re: automating process for publishing DLAs on the website

2019-02-01 Thread Antoine Beaupré
I'm looking at the update process for DLAs on the main website again. In #859122, I've mentioned that I have, again, updated the MR to include all DLAs up to DLA-1657-1. The www team folks tell me they will review that this weekend. But that mass-import process is kind of clunky: every time I need

Re: about 500 DLAs missing from the website

2019-02-01 Thread Antoine Beaupré
On 2018-12-19 18:05:36, Antoine Beaupré wrote: > The DLAs are visible here: > > https://www-staging.debian.org/security/2018/dla-1580 > > One thing that's unclear is how the entries get added to the main list > in: > > https://www-staging.debian.org/security/201

HEADS UP: enigmail to be EOL'd by the end of week

2019-01-29 Thread Antoine Beaupré
On 2019-01-22 15:21:19, Daniel Kahn Gillmor wrote: > On Tue 2019-01-22 14:44:50 -0500, Antoine Beaupré wrote: >> I'm not sure we should remove *both* enigmail and thunderbird from >> jessie. I understand there are problems with the a.m.o version, but then >> that's s

Re: proposed removal of Enigmail from jessie/LTS

2019-01-22 Thread Antoine Beaupré
On 2018-12-20 14:30:49, Daniel Kahn Gillmor wrote: > fwiw, i agree with jmm that encouraging users to upgrade to stable is > the best outcome here. The question is, what are we doing to the folks > who (for whatever reason) can't make that switch. > > On Thu 2018-12-20 17:01:30 +0100, Moritz Mühle

Re: limits of automatic unclaiming (Re: pdns/pdns-recursor)

2018-12-27 Thread Antoine Beaupré
On 2018-12-27 14:16:22, Holger Levsen wrote: > Hi Abhijith, Antoine, > > I just ran "./bin/review-update-needed --lts --unclaim 1814400 --exclude > linux linux-4.9" today and it unclaimed pdns/pdns-recursor as the last > NOTE entries were more than 3 weeks ago. However Abhijith wrote here: > > On S

Re: monthly report

2018-12-21 Thread Antoine Beaupré
[Ugh. Sorry about that last email, the markup was terrible - I copy-pasted from Emacs' markdown mode which ellipsises links... Here's a better formatted one.] ## Enigmail / GnuPG 2.1 backport I've spent a significant amount of time working on the Enigmail backport for a third consecutive month. I

monthly report

2018-12-21 Thread Antoine Beaupré
Hi! This is my monthly report, published on the mailing list as I haven't found time to do my personal report on my blog in over a month now... ## Enigmail / GnuPG 2.1 backport I've spent a significant amount of time working on the Enigmail backport for a third consecutive month. I first [publi

Re: proposed removal of Enigmail from jessie/LTS

2018-12-21 Thread Antoine Beaupré
On 2018-12-20 14:30:49, Daniel Kahn Gillmor wrote: > fwiw, i agree with jmm that encouraging users to upgrade to stable is > the best outcome here. The question is, what are we doing to the folks > who (for whatever reason) can't make that switch. > > On Thu 2018-12-20 17:01:30 +0100, Moritz Mühle

Re: automating process for publishing DLAs on the website

2018-12-19 Thread Antoine Beaupré
On 2018-12-19 18:05:36, Antoine Beaupré wrote: > On 2018-12-19 11:09:10, Antoine Beaupré wrote: >> On 2018-12-19 14:58:29, Holger Levsen wrote: >>> On Wed, Dec 19, 2018 at 09:52:19AM -0500, Antoine Beaupré wrote: >>>> > I also note #859122

Re: automating process for publishing DLAs on the website

2018-12-19 Thread Antoine Beaupré
On 2018-12-19 11:09:10, Antoine Beaupré wrote: > On 2018-12-19 14:58:29, Holger Levsen wrote: >> On Wed, Dec 19, 2018 at 09:52:19AM -0500, Antoine Beaupré wrote: >>> > I also note #859122 is not marked 'patch'. >>> fixed. >> >> :) >> >

Re: proposed removal of Enigmail from jessie/LTS

2018-12-19 Thread Antoine Beaupré
On 2018-12-19 21:22:21, Emilio Pozuelo Monfort wrote: > Hi Antoine, > > On 19/12/2018 18:25, Antoine Beaupré wrote: >> On 2018-12-19 17:03:26, Holger Levsen wrote: >>> On Wed, Dec 19, 2018 at 11:40:07AM -0500, Antoine Beaupré wrote: >>> [...] >>> I've

Re: proposed removal of Enigmail from jessie/LTS

2018-12-19 Thread Antoine Beaupré
On 2018-12-19 17:03:26, Holger Levsen wrote: > On Wed, Dec 19, 2018 at 11:40:07AM -0500, Antoine Beaupré wrote: > [...] > I've now also re-read this thread (for the 2nd time today..) and first > I'd like to notice that all the concerns were only brought up in the > last

Re: HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport

2018-12-19 Thread Antoine Beaupré
On 2018-12-18 14:34:06, Emilio Pozuelo Monfort wrote: [...] > Looking at a jessie -> jessie-new diff, I see that several -dbg packages are > gone in your backports. Yes. That's because they were switched to dbgsym in stretch, but that mechanism wasn't supported in jessie. I did a "fast" backport

proposed removal of Enigmail from jessie/LTS

2018-12-19 Thread Antoine Beaupré
On 2018-12-19 16:21:46, Holger Levsen wrote: > Hi Antoine, dkg, > > On Sat, Dec 15, 2018 at 01:09:39PM +0100, Moritz Mühlenhoff wrote: >> On Fri, Dec 14, 2018 at 09:08:42AM +0100, Emilio Pozuelo Monfort wrote: >> > However given the impact of these library updates, I was wondering >> > if we have c

Re: automating process for publishing DLAs on the website

2018-12-19 Thread Antoine Beaupré
On 2018-12-19 14:58:29, Holger Levsen wrote: > On Wed, Dec 19, 2018 at 09:52:19AM -0500, Antoine Beaupré wrote: >> > I also note #859122 is not marked 'patch'. >> fixed. > > :) > >> >> I've requested access as an individual, for what that'

Re: automating process for publishing DLAs on the website

2018-12-19 Thread Antoine Beaupré
On 2018-12-19 14:44:02, Holger Levsen wrote: > Hi Antoine, > > On Tue, Dec 11, 2018 at 10:15:15AM -0500, Antoine Beaupré wrote: [...] > I also note #859122 is not marked 'patch'. fixed. [...] >> I've requested access as an individual, for what that's w

Re: HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport

2018-12-14 Thread Antoine Beaupré
On 2018-12-14 09:08:42, Emilio Pozuelo Monfort wrote: > On 13/12/2018 21:14, Antoine Beaupré wrote: >> Hi, >> >> This is the latest update in the Thunderbird / Enigmail changes that are >> happening in jessie. I have built a series of test packages, partly from >&g

HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport

2018-12-13 Thread Antoine Beaupré
Hi, This is the latest update in the Thunderbird / Enigmail changes that are happening in jessie. I have built a series of test packages, partly from stretch (gnupg2, enigmail) and partly from backports (libassuan, libgcrypt, libgpg-error, npth) and uploaded them here: https://people.debian.org/~

Re: Addressing FreeRDP security issues in Debian jessie (and stretch)

2018-12-11 Thread Antoine Beaupré
Gah. Forgot to fix the CC here as well, sorry for the noise. On 2018-12-11 10:05:53, Antoine Beaupré wrote: > On 2018-12-10 17:44:51, Mike Gabriel wrote: >> Hi, >> >> I'd like to discuss the possible pathways for getting FreeRDP fixed in >> Debian jes

Re: automating process for publishing DLAs on the website

2018-12-11 Thread Antoine Beaupré
On 2018-11-20 15:30:21, Holger Levsen wrote: > On Mon, Nov 19, 2018 at 07:07:26PM -0500, Antoine Beaupré wrote: >> The process broke down a while back, and reasons don't matter. We need >> to figure out how to fix this. >> >> So I opened #859122 to import the

Re: Addressing FreeRDP security issues in Debian jessie (and stretch)

2018-12-11 Thread Antoine Beaupré
On 2018-12-10 17:44:51, Mike Gabriel wrote: > Hi, > > I'd like to discuss the possible pathways for getting FreeRDP fixed in > Debian jessie LTS (and Debian stretch, too). > > Last week I talked to Bernhard Miklautz (one of the FreeRDP upstream > maintainers and the actual packager of FreeRDPv2

Re: Xen 4.4 updates vs. Xen Stretch backport

2018-12-03 Thread Antoine Beaupré
On 2018-12-03 20:40:08, Ben Hutchings wrote: [...] > I don't see this as an acceptable option for LTS. We could maybe add a > xen-4.8 package if it was popular in jessie-backports, but that doesn't > excuse us from having to support 4.4. As I was repeatedly told during my work on Enigmail / Gnu

Re: Xen 4.4 updates vs. Xen Stretch backport

2018-11-29 Thread Antoine Beaupré
On 2018-11-28 22:44:52, Moritz Muehlenhoff wrote: > On Wed, Nov 28, 2018 at 12:59:11PM +0100, Peter Dreuw wrote: >> Hi out there, >> Another option would be backporting the Xen >> 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10 (and following) package from >> Stretch to Jessie. > > What would be the point

Re: unclaiming packages claimed for 3 weeks or more (Re: november report)

2018-11-26 Thread Antoine Beaupré
On 2018-11-26 21:20:14, Holger Levsen wrote: > On Mon, Nov 26, 2018 at 04:04:48PM -0500, Antoine Beaupré wrote: >> Did you try "--exclude linux linux 4.9"? That should work. > > doh, it does. Thanks! (Though I think thats somewhat unusual... but meh.) that's the

Re: unclaiming packages claimed for 3 weeks or more (Re: november report)

2018-11-26 Thread Antoine Beaupré
On 2018-11-26 20:48:07, Holger Levsen wrote: > On Fri, Nov 23, 2018 at 11:06:43AM -0500, Antoine Beaupré wrote: >> $ ./bin/review-update-needed --exclude linux linux-4.9 --lts --unclaim 3w >> [...] >> Editing file to unclaim: salt >> >> I've pushed that, I

Re: unclaiming packages claimed for 3 weeks or more (Re: november report)

2018-11-23 Thread Antoine Beaupré
On 2018-11-22 21:00:15, Holger Levsen wrote: > On Thu, Nov 22, 2018 at 11:54:16AM -0500, Antoine Beaupré wrote: >> Right. That's the one I had in mind as well. :) > > :) > >> So how *do* we make that "whitelist"? Commandline param? And what will >&

Re: the way to enigmail: gnupg 2.1 backport considerations

2018-11-22 Thread Antoine Beaupré
On 2018-11-22 17:32:09, Holger Levsen wrote: > On Thu, Nov 22, 2018 at 10:54:41AM -0500, Antoine Beaupré wrote: >> On 2018-11-20 12:55:16, Daniel Kahn Gillmor wrote: >> > All that said, i don't think that upgrading jessie to the versions of >> > these libraries

Re: unclaiming packages claimed for 3 weeks or more (Re: november report)

2018-11-22 Thread Antoine Beaupré
line param? And what will it list? Packages? People? Package/people combination? Before you answer, consider that all entries are manually maintained and I sometimes write my name "Antoine Beaupre", "Antoine Beaupré" or "anarcat" depending on what I remember I used last,

Re: feedback on review-update-needed --lts --unclaim (Re: november report)

2018-11-22 Thread Antoine Beaupré
On 2018-11-20 16:06:53, Holger Levsen wrote: > hi, > > this reply is mostly about using the tool itself, see below. I will now write > another mail about the results from using it... > [...] > So, third, what did "./bin/review-update-needed --unclaim --lts" do? Too > much, so I ran (in a sid schr

Re: the way to enigmail: gnupg 2.1 backport considerations

2018-11-22 Thread Antoine Beaupré
On 2018-11-20 12:55:16, Daniel Kahn Gillmor wrote: > All that said, i don't think that upgrading jessie to the versions of > these libraries that are in debian stretch will break jessie. I do wish > we had more substantive autopkgtest-style coverage in jessie, so that we > could feel more confiden

Re: the way to enigmail: gnupg 2.1 backport considerations

2018-11-20 Thread Antoine Beaupré
On 2018-11-20 15:19:45, Ben Hutchings wrote: > On Mon, 2018-11-19 at 15:48 -0500, Antoine Beaupré wrote: >> On 2018-11-13 22:02:45, Ben Hutchings wrote: >> > On Tue, 2018-11-13 at 12:31 -0500, Daniel Kahn Gillmor wrote: >> > > On Mon 2018-11-12 15:16:3

automating process for publishing DLAs on the website

2018-11-19 Thread Antoine Beaupré
Hi! Many of you probably already know this website and its precious RSS feed: https://www.debian.org/security/ Few of you might already know that DLAs are *supposed* to show up in there as well, and did for a while. For example, here's a few DLAs in 2014: https://www.debian.org/security/2014/

november report

2018-11-19 Thread Antoine Beaupré
An early report, this month, as I've run out of work hours earlier than expected... GnuPG & Enigmail To get Enigmail working properly with the Thunderbird upload from last week, we need GnuPG 2.1 in jessie. I [backported GnuPG 2.1][] to Debian jessie directly, using work already

Re: the way to enigmail: gnupg 2.1 backport considerations

2018-11-19 Thread Antoine Beaupré
On 2018-11-19 22:32:17, Alexander Wirt wrote: > I can't stress this often enough. Jessie-backports doesn't exist anymore. > They are unsupported for months and I do really hope that they get archived > soon. I'm sorry I implied we might use backports for this. I didn't mean to: I mean we should t

Re: the way to enigmail: gnupg 2.1 backport considerations

2018-11-19 Thread Antoine Beaupré
On 2018-11-13 22:02:45, Ben Hutchings wrote: > On Tue, 2018-11-13 at 12:31 -0500, Daniel Kahn Gillmor wrote: >> On Mon 2018-11-12 15:16:39 -0500, Antoine Beaupré wrote: >> >> > * libgcrypt20 (part of GnuTLS, 1.6 -> 1.7) >> >> libgcrypt is not a part of Gnu

Re: the way to enigmail: gnupg 2.1 backport considerations

2018-11-19 Thread Antoine Beaupré
Hi, As I'm running out of time to work on this problem for the month, I figured I would at least try to wrap up the conversation we had on the topic here so we can find a solution to move forward on. The current situation is that I have a backport of GnuPG 2.1 available for testing here: htt

systemd test packages, without tmpfiles fixes

2018-11-16 Thread Antoine Beaupré
Hi, TL;DR: partial fixes for systemd issues pending upload, test packages at usual location. I've been working for the last two days on backporting the four pending CVEs for systemd. Those are: CVE-2018-1049 In systemd prior to 234 a race condition exists between .mount and ... CVE-2018-15688

Re: the way to enigmail: gnupg 2.1 backport considerations

2018-11-13 Thread Antoine Beaupré
On 2018-11-13 18:41:47, Emilio Pozuelo Monfort wrote: > I can think of two options: > > 1) Ship them in a private dir (e.g. /usr/lib/gnupg2/), and link them to those > libs. Then ld should add an RPATH, otherwise an LD_LIBRARY_PATH hack could be > used. > > 2) Statically link the libraries into gp

Re: the way to enigmail: gnupg 2.1 backport considerations

2018-11-13 Thread Antoine Beaupré
On 2018-11-13 13:24:39, Ben Hutchings wrote: > On Mon, 2018-11-12 at 15:16 -0500, Antoine Beaupré wrote: >> Hi, >> >> So I've been looking at Enigmail again, after a long journey helping >> people in stable getting that stuff fixed. It's pretty obvious the

the way to enigmail: gnupg 2.1 backport considerations

2018-11-12 Thread Antoine Beaupré
Hi, So I've been looking at Enigmail again, after a long journey helping people in stable getting that stuff fixed. It's pretty obvious there's no way to upload that without first doing a GnuPG 2.1 backport into jessie. That, it turns out, requires *four* more source package backports. Fortunatel

Re: updates on the gnupg/enigmail/thunderbird/firefox situation

2018-11-11 Thread Antoine Beaupré
On 2018-11-11 23:03:07, Emilio Pozuelo Monfort wrote: > On 11/11/2018 15:47, Antoine Beaupré wrote: >> On 2018-11-11 13:21:05, Emilio Pozuelo Monfort wrote: >>> Hi Antoine, >>> >>> On 09/11/2018 20:37, Antoine Beaupré wrote: >>>> On 2018-11-05

Re: updates on the gnupg/enigmail/thunderbird/firefox situation

2018-11-11 Thread Antoine Beaupré
On 2018-11-11 13:21:05, Emilio Pozuelo Monfort wrote: > Hi Antoine, > > On 09/11/2018 20:37, Antoine Beaupré wrote: >> On 2018-11-05 16:26:44, Emilio Pozuelo Monfort wrote: >>> Hi, >>> >>> On 30/10/2018 16:46, Antoine Beaupré wrote: >>>> Which

Re: updates on the gnupg/enigmail/thunderbird/firefox situation

2018-11-09 Thread Antoine Beaupré
On 2018-11-05 16:26:44, Emilio Pozuelo Monfort wrote: > Hi, > > On 30/10/2018 16:46, Antoine Beaupré wrote: >> Which brings us to Thunderbird (and Firefox) themselves. The last I >> heard of this is that LLVM was NEW in jessie. I wrote Emilio to see if >> he needed

Re: updates on the gnupg/enigmail/thunderbird/firefox situation

2018-11-06 Thread Antoine Beaupré
On 2018-11-06 10:57:12, Holger Levsen wrote: > On Tue, Nov 06, 2018 at 02:25:37PM +0700, Daniel Kahn Gillmor wrote: >> On Tue 2018-10-30 11:46:35 -0400, Antoine Beaupré wrote: >> > 5. backport the required GnuPG patchset from stretch to jessie >> fwiw, i don't see how

Spamassassin 3.4.2 jessie upgrade ready for testing

2018-10-30 Thread Antoine Beaupré
Hi, As discussed with the SpamAssassin (SA) maintainer, we are following upstream's advice of upgrading to the latest 3.4.2 release in jessie. There's a stable update pending in stretch (#912198) which served as a basis for this upload. I've kept to the strict minimal set of changes but also incl

updates on the gnupg/enigmail/thunderbird/firefox situation

2018-10-30 Thread Antoine Beaupré
Hi, In the last month, I have worked with dkg (in CC) to see how to (ultimately) deal with the end of life of Firefox and Thunderbird ESR as we know them in jessie. He has been hard at work updating GnuPG in stable (#910398) so that Enigmail works with that older version of GnuPG without introducing

Re: Wheezy update of spamassassin?

2018-10-29 Thread Antoine Beaupré
On 2018-10-29 09:50:41, Moritz Muehlenhoff wrote: > On Sun, Oct 28, 2018 at 10:19:34PM -0700, Noah Meyerhans wrote: >> On Mon, Oct 22, 2018 at 11:23:50AM -0400, Antoine Beaupré wrote: >> > Ping! Any update here? Do you want us to help with the jessie or stretch >> > upd

Re: backported gnutls28 3.3.30 packages available for jessie LTS

2018-10-26 Thread Antoine Beaupré
Last call for testing on this, I'll upload the 3.3.30 package on Monday if there's no objection until then. On 2018-10-23 14:00:14, Antoine Beaupré wrote: > Hi, > > After the lengthy discussion[1] regarding the pending security issues in > GnuTLS (CVE-2018-10844, CVE-2018

Re: Confusing our users - who is supporting LTS?

2018-10-26 Thread Antoine Beaupré
On 2018-10-26 13:02:57, Thadeu Lima de Souza Cascardo wrote: >> > 5) Is that not true anymore with Extended LTS and CIP? >> >> Sorry, what is not true? #4? If so, I think people should *still* >> install the latest supported Debian release (stable or stretch right >> now) and not LTS or ELTS, when

Re: Confusing our users - who is supporting LTS?

2018-10-26 Thread Antoine Beaupré
On 2018-10-26 10:26:09, Thadeu Lima de Souza Cascardo wrote: > On Wed, Oct 24, 2018 at 09:30:46AM +0800, Paul Wise wrote: >> On Wed, Oct 24, 2018 at 4:15 AM Sean Whitton wrote: >> > >> > On Tue 23 Oct 2018 at 05:06PM +0200, Markus Koschany wrote: >> > > >> > > In short: Make it very clear if you wa

Re: Xen 4.4 updates - request for feedback

2018-10-24 Thread Antoine Beaupré
On 2018-10-23 14:03:37, Peter Dreuw wrote: > The testing packages are available here: > > https://share.credativ.com/~pdr/xen-test/ One more thing about those... The .deb packages are provided completely without signatures. I understand that the site is protected by HTTPS, but it is customary to

Re: Xen 4.4 updates - request for feedback

2018-10-24 Thread Antoine Beaupré
On 2018-10-24 19:33:45, Peter Dreuw wrote: > Am 24.10.18 um 17:24 schrieb Antoine Beaupré: >> On 2018-10-23 14:03:37, Peter Dreuw wrote: >>> Hello, everyone, >>> >>> I prepared another set of fixes based on the current Xen package on >>>

Re: Xen 4.4 updates - request for feedback

2018-10-24 Thread Antoine Beaupré
On 2018-10-24 11:24:28, Antoine Beaupré wrote: > On 2018-10-23 14:03:37, Peter Dreuw wrote: >> Hello, everyone, >> >> I prepared another set of fixes based on the current Xen package on >> jessie-security (4.4.4lts2-0+deb8u1, DLA-1549). >> >> These fixes

Re: Xen 4.4 updates - request for feedback

2018-10-24 Thread Antoine Beaupré
On 2018-10-23 14:03:37, Peter Dreuw wrote: > Hello, everyone, > > I prepared another set of fixes based on the current Xen package on > jessie-security (4.4.4lts2-0+deb8u1, DLA-1549). > > These fixes include > > CVE-2017-15595 / xsa 240 > CVE-2017-15593 / xsa 242 > CVE-2017-15592 / xsa 243 >

Re: backported gnutls28 3.3.30 packages available for jessie LTS

2018-10-23 Thread Antoine Beaupré
On 2018-10-23 19:26:32, Ben Hutchings wrote: > On Tue, 2018-10-23 at 14:00 -0400, Antoine Beaupré wrote: >> Hi, >> >> After the lengthy discussion[1] regarding the pending security issues in >> GnuTLS (CVE-2018-10844, CVE-2018-10845, CVE-2018-10846), I have >>

Re: backported gnutls28 3.3.30 packages available for jessie LTS

2018-10-23 Thread Antoine Beaupré
Ah, and I pushed my changes here: https://salsa.debian.org/debian/gnutls/tree/gnutls28_jessie_3.3.30+ A. -- We should act only in such a way that if everyone else acted as we do, we would accept the results. - Emmanuel Kant

backported gnutls28 3.3.30 packages available for jessie LTS

2018-10-23 Thread Antoine Beaupré
Hi, After the lengthy discussion[1] regarding the pending security issues in GnuTLS (CVE-2018-10844, CVE-2018-10845, CVE-2018-10846), I have determined it might be simpler to just upgrade to the latest upstream 3.3.x version for which upstream is still providing updates. Upstream agrees with the a

Re: Confusing our users - who is supporting LTS?

2018-10-23 Thread Antoine Beaupré
Hi Steve! On 2018-10-23 04:26:18, Steve McIntyre wrote: > So I'm worried that those of us who have *not* volunteered to support > LTS are being pressured into spending our time on it anyway. What can > we do to fix that? How/where do we clarify for our users (and > developers!) what LTS means, and

Re: Gnutls investigation and request for advice for Jessie

2018-10-22 Thread Antoine Beaupré
at it was easy to check how complicated a backport would > be. If we conclude that it is complicated (patches do not apply and it is > clear that code need to be re-written) then I think we can consider going > for 3.3.30 instead. What do you think? > > // Ola > > On Mon, 22

Re: Wheezy update of spamassassin?

2018-10-22 Thread Antoine Beaupré
On 2018-09-25 16:03:45, Antoine Beaupré wrote: > On 2018-09-19 19:16:32, Noah Meyerhans wrote: >> On Wed, Sep 19, 2018 at 08:26:28PM +0200, Ola Lundqvist wrote: >>> The Debian LTS team would like to fix the security issues which are >>> currently open in the Whe

Re: Gnutls investigation and request for advice for Jessie

2018-10-22 Thread Antoine Beaupré
On 2018-10-18 11:26:04, Ola Lundqvist wrote: > Hi > > Sorry for the late reply. We can consider updating to the 3.3.30, but I > suggest you first check how easy it is to backport it. What do you mean exactly? Backporting it is about as hard as figuring out how hard it would be to backport, no? :)

Re: Gnutls investigation and request for advice for Jessie

2018-10-01 Thread Antoine Beaupré
I contacted three parties to try and settle this: * the original authors of the paper * the GnuTLS upstream * the RedHat security team The original authors "still stand behind what is written in the paper" and believe only a constant-time implementation is the proper fix. They point to BoringS
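The "only a constant-time implementation is the proper fix" position reported above, as an added example that is not code from the thread, from GnuTLS or from the paper's authors: a model of the CBC MAC-then-encrypt record check that those GnuTLS CVEs concern, with a naive early-return check beside one that does the same amount of MAC work whatever the padding byte says. The record layout (data || HMAC-SHA256 || padding || padlen), the key and the sample records are constructed; a counter of SHA-256 compression blocks stands in for wall-clock timing, since Python itself gives no constant-time guarantees and the point is the work profile an attacker can measure.

```python
"""Added example, not from the thread or from GnuTLS: why a CBC
MAC-then-encrypt record check needs a constant-time implementation.
A decrypted TLS-style record is modelled as data || HMAC || padding || padlen.
check_naive() rejects bad padding before computing the MAC, so the hash
work (and the time) depends on the padding byte an attacker controls;
check_constant() performs the same work whatever the padding says.
CountingMac.blocks is a deterministic stand-in for timing measurements."""
import hashlib
import hmac

MAC_LEN = 32  # HMAC-SHA256 tag length (assumption for this example)


class CountingMac:
    """HMAC-SHA256 that counts the 64-byte compression blocks it processes."""

    def __init__(self, key):
        self.key = key
        self.blocks = 0

    @staticmethod
    def blocks_for(data_len):
        # Inner hash: key block + data + 9 bytes of SHA padding, rounded up;
        # outer hash: key block + 32-byte inner digest + padding = 2 blocks.
        return (64 + data_len + 9 + 63) // 64 + 2

    def mac(self, data):
        self.blocks += self.blocks_for(len(data))
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def burn(self, nblocks):
        """Do (and count) nblocks of dummy compression work."""
        if nblocks > 0:
            hashlib.sha256(b"\x00" * 64 * nblocks).digest()
            self.blocks += nblocks


def build_record(key, data, padlen):
    """Constructed sample: what the receiver sees after CBC decryption."""
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return data + tag + bytes([padlen]) * (padlen + 1)


def check_naive(mac, rec):
    """Early-return check: no MAC work at all when the padding is bad."""
    padlen = rec[-1]
    if padlen + 1 + MAC_LEN > len(rec):
        return False
    if any(b != padlen for b in rec[-(padlen + 1):]):
        return False
    data = rec[:-(padlen + 1 + MAC_LEN)]
    tag = rec[-(padlen + 1 + MAC_LEN):-(padlen + 1)]
    return hmac.compare_digest(mac.mac(data), tag)


def check_constant(mac, rec):
    """Same verdict, but padding errors are folded into a flag, the padding
    scan has a fixed length, and the MAC work is topped up to what the
    longest possible data length would have cost."""
    n = len(rec)
    max_data = n - MAC_LEN - 1
    if max_data < 0:
        return False                      # record length is public anyway
    padlen = rec[-1]
    too_long = padlen > max_data
    eff = 0 if too_long else padlen       # treat overlong padding as none
    bad = int(too_long)
    for i in range(256):                  # fixed-length tail scan
        idx = n - 1 - i
        byte = rec[idx] if idx >= 0 else padlen
        in_pad = 1 if i <= eff else 0
        bad |= (byte ^ padlen) * in_pad
    data_len = max_data - eff
    computed = mac.mac(rec[:data_len])
    tag = rec[data_len:data_len + MAC_LEN]
    mac.burn(mac.blocks_for(max_data) - mac.blocks_for(data_len))
    return bool(hmac.compare_digest(computed, tag) & (bad == 0))


def work_profile(check, key, records):
    """Return [(verdict, blocks_processed), ...] for each record."""
    out = []
    for rec in records:
        m = CountingMac(key)
        out.append((check(m, rec), m.blocks))
    return out


def flip_byte(rec, i):
    return rec[:i] + bytes([rec[i] ^ 0x01]) + rec[i + 1:]


if __name__ == "__main__":
    key = b"\x42" * 32                                   # constructed key
    good = build_record(key, b"A" * 50, 13)              # 96-byte record
    bad_pad = good[:-1] + b"\xff"                        # mangled padlen
    bad_mac = flip_byte(build_record(key, b"A" * 63, 0), 63)
    for name, check in (("naive", check_naive), ("constant", check_constant)):
        print(name, work_profile(check, key, [good, bad_pad, bad_mac]))
```

With the naive check, a record whose padding byte was mangled costs zero MAC blocks while one with valid padding and a wrong tag costs five; that difference is the oracle the padding-oracle timing attacks on CBC exploit. The second check reports the same block count for all three records and only then reveals its verdict.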

Re: removing enigmail from jessie?

2018-09-28 Thread Antoine Beaupré
On 2018-09-27 10:51:25, Antoine Beaupré wrote: > So thinking about this again, I see three options: > > 1. Make Enigmail work with GnuPG 2 in Debian and ship the result in > jessie-security. As mentioned above, I think this has huge > implications and risks breaking unrelat

Re: enigmail will break with TB upgrade

2018-09-27 Thread Antoine Beaupré
On 2018-09-27 17:27:46, Markus Koschany wrote: > Am 27.09.18 um 17:12 schrieb Antoine Beaupré: > [...] >> I wonder what that was all about... >> >> Was the solution for stretch finally to remove enigmail from stable and >> use backports? > > AFAIK he hasn'

Re: enigmail will break with TB upgrade

2018-09-27 Thread Antoine Beaupré
On 2018-09-27 17:05:08, Markus Koschany wrote: > Am 27.09.18 um 04:52 schrieb Antoine Beaupré: > [...] >> Enigmail's work, then, might be better targeted at helping the folks in >> stretch, although I do wonder how we could possibly upgrade GnuPG 2 >> (required to

removing enigmail from jessie?

2018-09-27 Thread Antoine Beaupré
On 2018-09-26 22:52:01, Antoine Beaupré wrote: > So one problem we have with maintaining the post-XUL programs like > Thunderbird and Firefox is not only backporting the build toolchain, but > also the leaf dependencies. > > Enigmail, for example, is broken since Thunderbird 60 la

enigmail will break with TB upgrade

2018-09-26 Thread Antoine Beaupré
So one problem we have with maintaining the post-XUL programs like Thunderbird and Firefox is not only backporting the build toolchain, but also the leaf dependencies. Enigmail, for example, is broken since Thunderbird 60 landed in stretch: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909000

Re: CVE-2018-14624 - testing 389-ds-base update

2018-09-26 Thread Antoine Beaupré
On 2018-09-15 12:04:02, Hugo Lefeuvre wrote: > Hi, > > I have just prepared a Jessie security update for 389-ds-base, addressing > CVE-2018-14624. I will go through the test procedure myself, however I am > not a 389-ds user, so it might be good if someone more experienced with > this LDAP server c

Re: Wheezy update of spamassassin?

2018-09-25 Thread Antoine Beaupré
On 2018-09-19 19:16:32, Noah Meyerhans wrote: > On Wed, Sep 19, 2018 at 08:26:28PM +0200, Ola Lundqvist wrote: >> The Debian LTS team would like to fix the security issues which are >> currently open in the Wheezy version of spamassassin: >> https://security-tracker.debian.org/tracker/CVE-2018-1178

Re: git-annex security update ready for testing and review

2018-09-06 Thread Antoine Beaupré
On 2018-09-06 15:42:41, Joey Hess wrote: > Antoine Beaupré wrote: >> I'm now more confident the patchset is complete. There is one tiny bit >> I'm still slightly unsure of. In Command.Reinject.perform, there was a >> `boolSystem "mv"` call lying around

Re: twitter-bootstrap / CVE-2018-14040 / CVE-2018-14041 / CVE-2018-14042

2018-09-02 Thread Antoine Beaupré
On 2018-09-02 17:08:09, Brian May wrote: > Antoine Beaupré writes: > >> What do you think? Should we push this forward? > > I am somewhat concerned that by fixing this we might be breaking > something. Even if it is 100% broken behaviour, maybe some application > dep

Re: Gnutls investigation and request for advice for Jessie

2018-08-31 Thread Antoine Beaupré
On 2018-08-31 16:18:39, Antoine Beaupré wrote: > On 2018-08-31 21:30:14, Ola Lundqvist wrote: >> Hi Antoine >> >> Thank you for the input this is valuable. I have some comments below. >> >> On Fri, 31 Aug 2018 at 21:03, Antoine Beaupré >> wrote: >&g

Re: Gnutls investigation and request for advice for Jessie

2018-08-31 Thread Antoine Beaupré
On 2018-08-31 21:30:14, Ola Lundqvist wrote: > Hi Antoine > > Thank you for the input this is valuable. I have some comments below. > > On Fri, 31 Aug 2018 at 21:03, Antoine Beaupré wrote: >> >> On 2018-08-31 13:29:29, Ola Lundqvist wrote: >> > Hi all LTS c

Re: tiff / CVE-2018-15209

2018-08-31 Thread Antoine Beaupré
On 2018-08-29 12:24:30, Brian May wrote: > Antoine Beaupré writes: > >> Brian, are you sure you're getting those failures in jessie? Which >> architecture? Here my tests were done in a VirtualBox VM using an up to >> date Debian jessie amd64 box. > > My tests we

Re: twitter-bootstrap / CVE-2018-14040 / CVE-2018-14041 / CVE-2018-14042

2018-08-31 Thread Antoine Beaupré
On 2018-08-29 12:23:54, Brian May wrote: > Antoine Beaupré writes: > >> On 2018-08-08 17:35:52, Brian May wrote: >>> If I got this right, we cannot use $(xyz) unless the value of xyz is >>> trusted. Otherwise executing $(xyz) can result in the execution of cod