Re: On (semi-)automated testing and improved workflow of LTS uploads

2019-07-11 Thread Guido Günther
Hi, On Thu, Jul 11, 2019 at 11:15:34AM +, Mike Gabriel wrote: [..snip..] > Personally, I think that using Salsa for this, adds an extra layer of > complexity to the uploading workflow, because we have to pump all packages > that we want to fix in LTS through GitLab. On the plus side of salsa/g

Re: libvirt / CVE-2019-3886

2019-04-08 Thread Guido Günther
Hi, On Mon, Apr 08, 2019 at 05:50:46PM +1000, Brian May wrote: > Patch for Jessie version attached. Patch is applied by hand from > https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html I don't think this is needed for jessie since the corresponding function in qemu was implemented

Re: Switch CVE triaging week?

2018-09-17 Thread Guido Günther
Hi, On Mon, Sep 17, 2018 at 12:51:38PM +0200, Ola Lundqvist wrote: > Hi Guido and Markus > > Markus: I saw that you had added yourself this week. That is fine with > me. I have assigned myself to next week that Guido left instead. Let > me know if you want me to take both weeks instead. > > Guido

Re: Switch CVE triaging week?

2018-09-17 Thread Guido Günther
Hi, On Sun, Sep 16, 2018 at 09:43:34PM +0200, Ola Lundqvist wrote: > Hi Markus, Chris, Guido and Thorsten > > Today I realized that I have planned for LTS CVE triaging exactly the > week that I'm going to move to a new house. Not the best planning > maybe. Well I did not know that I had to move wh

Re: qemu in jessie

2018-06-30 Thread Guido Günther
On Sat, Jun 30, 2018 at 05:42:37PM +0200, Santiago R.R. wrote: > Dear security team, > > I am working on the jessie package of qemu (the first time I work on > it), and I notice it hasn't been updated in jessie since May 2017. > There were various stretch updates since then, and I wonder if the >

Re: libvorbis request for comments

2018-04-25 Thread Guido Günther
Hi Antoine, On Thu, Apr 19, 2018 at 12:32:35PM -0400, Antoine Beaupré wrote: > Hi, > > I have taken a look at the libvorbis issues pending in wheezy (and > accidentally in jessie) and backported a few patches. The result is > here, as usual, for testing: > > https://people.debian.org/~anarcat/deb

Re: Don't upload LTS versions without plan for (old)stable too (was: Re: Wheezy update of irssi?)

2018-03-08 Thread Guido Günther
Hi Holger, On Thu, Mar 08, 2018 at 02:42:47PM +, Holger Levsen wrote: [..snip..] > > So, for my own packages: You are free to LTS upload them anytime you > > want to, but ONLY if you are also willing to check that the things get > > fixed in our main supported releases, too. > > While I total

LTS Activity Report for January 2018

2018-02-09 Thread Guido Günther
Hi, during January I worked 6 of the allocated 8 hours. During this time I did the following: * One week of LTS frontdesk * Triaged some XEN CVEs and handled the communication with Credativ. * Prepared thunderbird 52.6.0 for wheezy resulting in DLA-1262-1 * After discussion with Moritz added s

Re: LTS security update transmission

2018-01-18 Thread Guido Günther
Hi Abhijith, On Thu, Jan 18, 2018 at 01:53:08AM +0530, Abhijith PA wrote: > Hello. > > I prepared LTS security updates for transmission. Please review and upload. > debdiff -http://188.226.198.239/transmission_2.52_wheezy.debdiff > package: > https://mentors.debian.net/debian/pool/main/t/transmis

Fixing CVE-2017-3144 in isc-dhcp in Wheezy?

2018-01-16 Thread Guido Günther
re it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of isc-dhcp updates for the LTS releases. Thank you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this

LTS Activity Report for December 2017

2018-01-02 Thread Guido Günther
Hi, during December I worked 13.5 of the allocated 13.5 hours (11h + 2.5h from previous months) on LTS. During this time I did the following: * libvorbis: The plan was to get this resolved in December but although the fixes for CVE-2017-14632 and CVE-2017-14633 were applied upstream now my pat

Security tracker git migration

2017-12-28 Thread Guido Günther
Hi, since I'm not sure who's on the security-tracker list: Salvatore posted some patches for the git migration: https://lists.debian.org/debian-security-tracker/2017/12/msg00030.html Cheers, -- Guido

Re: Call for testing: thunderbird 52.5.2

2017-12-28 Thread Guido Günther
Hi Emilio, On Tue, Dec 26, 2017 at 10:28:36AM +0100, Emilio Pozuelo Monfort wrote: > Hi Guido, > > On 24/12/17 19:22, Guido Günther wrote: > > Hi, > > please test the new thunderbird packages: > > > > https://people.debian.org/~agx/thunderbird-lts/ >

Call for testing: thunderbird 52.5.2

2017-12-24 Thread Guido Günther
Hi, please test the new thunderbird packages: https://people.debian.org/~agx/thunderbird-lts/ This time around there are thunderbird specific security issues: https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/ Cheers, -- Guido signature.asc Description: PGP signature

Re: Contact maintainers via bts [was Re: Debconf 2017 LTS BoF Summary]

2017-12-20 Thread Guido Günther
Hi, On Wed, Nov 29, 2017 at 08:26:52PM +0100, Guido Günther wrote: > Hi, > On Wed, Aug 09, 2017 at 07:11:16AM -0400, Roberto C. Sánchez wrote: > > Hi Guido & LTS/Security folks, > > > > Thanks very much for publishing this summary. Since I was not able to > >

Re: [SECURITY] [DLA 1208-1] reportbug update

2017-12-16 Thread Guido Günther
Hi Markus, On Fri, Dec 15, 2017 at 08:02:25PM +0100, Markus Koschany wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Package: reportbug > Version: 6.4.4+deb7u2 > Debian Bug : 878088 > > Reportbug, a tool designed to make the reporting of bugs in Debian > easier,

Call for testing: upcoming xen security update 4.1.6.lts1-11~test2

2017-12-14 Thread Guido Günther
Hi, credativ prepared a new Xen update to fix several CVEs including Hypervisor DoS. It would be great if you could give it some more testing: https://korte.credativ.com/~fge/xen/ The Cheers, -- Guido

Re: reportbug: please inform security and lts teams about security update regressions

2017-12-10 Thread Guido Günther
Hi, On Sun, Dec 10, 2017 at 01:35:43PM +0100, Salvatore Bonaccorso wrote: > Hi Guido, > > On Sun, Dec 10, 2017 at 12:59:05PM +0100, Guido Günther wrote: > > Hi, > > On Sun, Dec 10, 2017 at 12:51:38PM +0100, Salvatore Bonaccorso wrote: > > > Hi > > > > >

LTS Activity Report for November 2017

2017-12-10 Thread Guido Günther
Hi, during November I worked 14 of the allocated 16.5 hours (11h + 5.5h from previous months) on LTS. During this time I did the following: * libvorbis: Developed patches for CVE-2017-14632, CVE-2017-11333 (the later one needs a fix in sox (and other packages) too). I did not release a DLA yet

Re: reportbug: please inform security and lts teams about security update regressions

2017-12-10 Thread Guido Günther
Hi, On Sun, Dec 10, 2017 at 12:51:38PM +0100, Salvatore Bonaccorso wrote: > Hi > > On Sun, Dec 10, 2017 at 10:00:55AM +0100, Salvatore Bonaccorso wrote: > > Hi > > > > Cc'ing explicitly Guido and Raphael, who commented before. > > > > On Sat, Dec 09, 2017 at 03:25:14PM +0100, Markus Koschany wro

Re: [PATCH] report-vuln: allow to invoke mailer

2017-12-01 Thread Guido Günther
Hi, On Thu, Nov 30, 2017 at 10:36:13AM +0100, Guido Günther wrote: > This allows to invoke the mailer directly like > > bin/report-vuln -M ... > > the default behaviour is unchanged. > --- > Helps at least me to get out bug mails quicker. I went ahead and committed t

Call for testing: thunderbird

2017-11-30 Thread Guido Günther
Hi, please test the new thunderbird packages: https://people.debian.org/~agx/icedove-lts/ This is based on what will end up in sid soonish but it might be good to know that everything looks good for wheezy already since there were some packaging changes. Cheers, -- Guido

Re: testing libxml2 for Wheezy LTS

2017-11-30 Thread Guido Günther
Hi, On Tue, Nov 28, 2017 at 10:27:13PM +0100, Thorsten Alteholz wrote: > Hi everybody, > > I uploaded version 2.8.0+dfsg1-7+wheezy11 of libxml2 to: > > https://people.debian.org/~alteholz/packages/wheezy-lts/libxml2/ > > Please give it a try and tell me about any problems you met. I've tested t

[PATCH] report-vuln: allow to invoke mailer

2017-11-30 Thread Guido Günther
This allows to invoke the mailer directly like bin/report-vuln -M ... the default behaviour is unchanged. --- Helps at least me to get out bug mails quicker. bin/report-vuln | 95 - 1 file changed, 54 insertions(+), 41 deletions(-) d

Re: [PATCH 3/3] report-vuln: Support generation of mail headers

2017-11-29 Thread Guido Günther
Hi, On Wed, Nov 29, 2017 at 08:25:49PM +0100, Salvatore Bonaccorso wrote: > Hi Guido, > > On Wed, Nov 29, 2017 at 04:49:41PM +0100, Guido Günther wrote: > > Hi, > > On Wed, Nov 29, 2017 at 04:24:54PM +0100, Salvatore Bonaccorso wrote: > > > Hi Guido, > > >

CVE-2017-14988 in openexr

2017-11-29 Thread Guido Günther
Hi security team, looking at the above CVE I wonder if this shouldn't be no-dsa (postponed). The memory is allocated during new which can fail and there's basically no sane default to cap the reservation at a sane value. Running with 'ASAN_OPTIONS=allocator_may_return_null=1' gives a convert:

Contact maintainers via bts [was Re: Debconf 2017 LTS BoF Summary]

2017-11-29 Thread Guido Günther
> On Wed, Aug 09, 2017 at 12:17:36AM -0300, Guido Günther wrote: > > > > * BTS is the canonical place for communication about the bug so the idea > > is to change bin/contact-maintainer to use the BTS this would avoid > > double communication from security and lts team

Re: [PATCH 3/3] report-vuln: Support generation of mail headers

2017-11-29 Thread Guido Günther
Hi, On Wed, Nov 29, 2017 at 04:24:54PM +0100, Salvatore Bonaccorso wrote: > Hi Guido, > > On Wed, Nov 29, 2017 at 01:48:02PM +0100, Guido Günther wrote: > > Address the bts already and put the CVEs in the subject. > > > > --- > > This can be further improved rega

Re: [PATCH 1/3] report-vuln: Use spaces instead of tabs

2017-11-29 Thread Guido Günther
Hi, On Wed, Nov 29, 2017 at 04:10:17PM +0100, Salvatore Bonaccorso wrote: > Hi Guido, > > On Wed, Nov 29, 2017 at 01:45:47PM +0100, Guido Günther wrote: > > --- > > Hi, > > report-vuln has a mixture of tabs and spaces which made changing it hard > > so I changed e

[PATCH 3/3] report-vuln: Support generation of mail headers

2017-11-29 Thread Guido Günther
Address the bts already and put the CVEs in the subject. --- This can be further improved regarding temp id handling, providing a better subject in case of only a single CVE, etc. but already makes life simpler. O.k. to apply? bin/report-vuln | 22 +++--- 1 file changed, 15 insert

[PATCH 2/3] report-vuln: don't fail if description_from_list return None

2017-11-29 Thread Guido Günther
If no description was found None is returned. This fixes Traceback (most recent call last): File "bin/report-vuln", line 237, in main() File "bin/report-vuln", line 234, in main gen_text(pkg, cve, affected=args.affected, blanks=args.blanks, severity=args.severity, cc=args.cc, cclist=

[PATCH 1/3] report-vuln: Use spaces instead of tabs

2017-11-29 Thread Guido Günther
--- Hi, report-vuln has a mixture of tabs and spaces which made changing it hard so I changed everything to spaces. O.k. to apply? Cheers, -- Guido bin/report-vuln | 292 1 file changed, 146 insertions(+), 146 deletions(-) diff --git a/bin

Open libvorbis CVEs

2017-11-24 Thread Guido Günther
Dear xiph maintainers, As part of fixing the open CVEs of vorbis in LTS I looked at: * CVE-2017-14633 https://gitlab.xiph.org/xiph/vorbis/issues/2329 As far as I understand things the maximum number of channels is hardcoded in vorbis: https://github.com/xiph/vorbis/blob/master/lib/back

Updates to LTS/Development

2017-11-24 Thread Guido Günther
Hi, I've updated LTS/Development in the wiki a bit: - document "postponed" and "ignored" - clarify about security issues in LTS affecting LTS+1, LTS+2 and sid as well. https://wiki.debian.org/LTS/Development?action=diff&rev2=151&rev1=150 I'd welcome any feedback, corrections. Cheers, -- Gu

Re: RFC: Peculiar dependency change in graphicsmagick

2017-11-10 Thread Guido Günther
Hi, On Fri, Nov 10, 2017 at 04:29:09PM -0500, Roberto C. Sánchez wrote: > On Fri, Nov 10, 2017 at 10:22:51PM +0100, Markus Koschany wrote: > > > > It's more like a handling error. When I use gbp like that: > > > > ARCH=amd64 git-buildpackage --git-dist=wheezy > > > > the build will fail in debia

Re: RFC: Peculiar dependency change in graphicsmagick

2017-11-10 Thread Guido Günther
Hi Markus, On Fri, Nov 10, 2017 at 10:22:51PM +0100, Markus Koschany wrote: > Hi Guido, > > Am 10.11.2017 um 21:34 schrieb Guido Günther: > > Hi apo, > > On Fri, Nov 10, 2017 at 08:17:33PM +, Chris Lamb wrote: > >> Hi, > >> > >> Well spotted

Re: RFC: Peculiar dependency change in graphicsmagick

2017-11-10 Thread Guido Günther
Hi apo, On Fri, Nov 10, 2017 at 08:17:33PM +, Chris Lamb wrote: > Hi, > > Well spotted! > > > Please disregard. I have discussed this with apo in IRC. Everything is > > in order with the packages I built and I will be uploading them shortly. > > As I was curious, I checked IRC — for poster

Re: Call for testing: upcoming xen security update

2017-11-10 Thread Guido Günther
Hi Hyacinthe, On Fri, Nov 10, 2017 at 11:19:37AM +0100, Hyacinthe Cartiaux wrote: > Hi, > > Quickly tested on a devel server (replica of our production set up), > everything works: > > * paravirtualization mode only > * 2 network bridges > * pygrub > * 2 domU under Jessie > * 8 domU under Wheezy

Call for testing: upcoming xen security update

2017-11-09 Thread Guido Günther
Hi, credativ prepared a new Xen update to fix several CVEs. It would be great if you could give it some more testing: https://korte.credativ.com/~fge/xen/ Cheers, -- Guido

LTS Activity Report for October 2017

2017-11-08 Thread Guido Günther
Hi, during October I worked 6.5 of the allocated 12 hours on LTS. During this time I did the following: * Triaged several qemu CVEs marking the unimportant ones as no-dsa and released DLA-1128-1 and DLA-1129-1 for qemu/qemu-kvm to fix CVE-2017-14167 and CVE-2017-15038. * Tested the dnsmasq pac

Re: Wheezy update of icedove?

2017-10-31 Thread Guido Günther
Hi, On Mon, Oct 30, 2017 at 09:29:13AM +0100, Moritz Mühlenhoff wrote: > On Mon, Oct 30, 2017 at 08:06:27AM +0100, Guido Günther wrote: > > I've seen preparation mails for Stretch and Jessie. Is there anything > > missing that I can help with? > > The stretch version i

Re: Wheezy update of icedove?

2017-10-30 Thread Guido Günther
Hi Carsten, On Fri, Oct 20, 2017 at 01:06:09PM +0200, Guido Günther wrote: > Hi Carsten, > On Tue, Oct 17, 2017 at 09:05:38PM +0200, Carsten Schoenert wrote: > > Am 15.10.2017 um 23:24 schrieb Guido Günther: > > > Hi Carsten, > > > On Sun, Oct 15, 2017 at 09:46:15PM

Re: KRACK update for wheezy

2017-10-23 Thread Guido Günther
Hi Antoine, (trimming the cc: list a bit) On Mon, Oct 23, 2017 at 07:43:49PM -0400, Antoine Beaupré wrote: > Hi, > > I have looked at backporting the "KRACK" patches down into wheezy. I'm a > little concerned about the results: I don't have a good grasp of WPA2 > and particularly of the wpa_suppl

Re: Wheezy update of icedove?

2017-10-20 Thread Guido Günther
Hi, On Fri, Oct 20, 2017 at 01:10:56PM +0200, Moritz Muehlenhoff wrote: > On Fri, Oct 20, 2017 at 01:06:09PM +0200, Guido Günther wrote: > > Thanks. Looks good here on Wheezy. Any idea when the versions for Jessie > > and Stretch will be done? Wheezy was a straight rebuild

Re: Wheezy update of icedove?

2017-10-20 Thread Guido Günther
Hi Carsten, On Tue, Oct 17, 2017 at 09:05:38PM +0200, Carsten Schoenert wrote: > Am 15.10.2017 um 23:24 schrieb Guido Günther: > > Hi Carsten, > > On Sun, Oct 15, 2017 at 09:46:15PM +0200, Carsten Schoenert wrote: > >> Hello Ola, > >> > >> Am 15.10.2017 um

Re: Wheezy update of icedove?

2017-10-15 Thread Guido Günther
Hi Carsten, On Sun, Oct 15, 2017 at 09:46:15PM +0200, Carsten Schoenert wrote: > Hello Ola, > > Am 15.10.2017 um 13:59 schrieb Ola Lundqvist: > > Sounds good! I have updated dla-needed.txt now. > > I uploaded all thunderbird related packages within a new source package > named thunderbird to NEW

Re: Wheezy update of icedove?

2017-10-14 Thread Guido Günther
Hi, On Sat, Oct 14, 2017 at 07:23:45PM +0200, Ola Lundqvist wrote: > Dear maintainers, > > The Debian LTS team would like to fix the security issues which are > currently open in the Wheezy version of icedove: > https://security-tracker.debian.org/tracker/source-package/icedove > > Would you like

Re: CVE-2017-15185/mp3splt (was: Re: CVE-2017-11735 in mp3split / libvorbis)

2017-10-12 Thread Guido Günther
Hi, On Tue, Oct 10, 2017 at 03:30:53PM +1030, Ron wrote: > On Mon, Oct 09, 2017 at 09:56:01PM +0200, Guido Günther wrote: > > Hi Salvatore, > > On Mon, Oct 09, 2017 at 09:33:42PM +0200, Salvatore Bonaccorso wrote: > > > Hi > > > > > > On Sun, Oct 01, 201

Re: CVE-2017-15185/mp3splt (was: Re: CVE-2017-11735 in mp3split / libvorbis)

2017-10-09 Thread Guido Günther
Hi Salvatore, On Mon, Oct 09, 2017 at 09:33:42PM +0200, Salvatore Bonaccorso wrote: > Hi > > On Sun, Oct 01, 2017 at 12:07:11AM +0200, Guido Günther wrote: > > > and I'll check with Salvatore if it's appropriate to inform oss-security > > once we got a n

Re: Call for testing: db

2017-10-06 Thread Guido Günther
Hi, On Thu, Oct 05, 2017 at 10:53:26AM +0200, Emilio Pozuelo Monfort wrote: > On 29/09/17 20:55, Guido Günther wrote: > > Hi, > > On Wed, Sep 27, 2017 at 06:48:07PM +0200, Emilio Pozuelo Monfort wrote: > >> Hi, > >> > >> I've prepared fix

Re: Call for testing: dnsmasq security update

2017-10-05 Thread Guido Günther
Hi Ben, On Thu, Oct 05, 2017 at 05:31:09PM +0100, Ben Hutchings wrote: > I've prepared a security update for dnsmasq in wheezy, fixing the > relevant CVEs: > > * CVE-2017-14491: DNS heap buffer overflow > * CVE-2017-14492: DHCPv6 RA heap overflow > * CVE-2017-14494: Infoleak handling DHCPv6

LTS Activity report for September 2017

2017-10-02 Thread Guido Günther
Hi, during September I worked 10 of the allocated 11 hours on LTS. During this time I did the following: * Prepared and tested an enigmail update to work with recent Thunderbird (DLA-1086-1) * Released the DLAs for Thunderbird and tcpdump prepared in August (DLA-1087-1, DLA-1090-1) * Fixed i38

Re: CVE-2017-11735 in mp3split / libvorbis

2017-09-30 Thread Guido Günther
Hi Ron, On Sun, Oct 01, 2017 at 06:53:51AM +1030, Ron wrote: > On Sat, Sep 30, 2017 at 08:17:50PM +0200, Guido Günther wrote: > > Hi Ron, > > Looking at > > > > > > https://anonscm.debian.org/cgit/users/ron/mp3splt.git/commit/?id=18f018cd774cb931116ce06

Re: CVE-2017-11735 in mp3split / libvorbis

2017-09-30 Thread Guido Günther
Hi Salvatore, On Sat, Sep 30, 2017 at 09:29:16PM +0200, Salvatore Bonaccorso wrote: > Hi Guido, > > On Sat, Sep 30, 2017 at 08:17:50PM +0200, Guido Günther wrote: > > Security team, if the CVE is in mp3splt not libvorbis do we need to give > > back the CVE and request a new o

CVE-2017-11735 in mp3split / libvorbis

2017-09-30 Thread Guido Günther
Hi Ron, Looking at https://anonscm.debian.org/cgit/users/ron/mp3splt.git/commit/?id=18f018cd774cb931116ce06a520dc0c5f9443932 do you really mean CVE-2017-11333¹? Isn't this CVE-2017-11735²? Both were reported in the same message. I can confirm that this fixes CVE-2017-11735 for me. Security

Re: for LTS

2017-09-30 Thread Guido Günther
Hi, On Sat, Sep 30, 2017 at 11:03:13AM +0200, Moritz Muehlenhoff wrote: > Hi, > when we're marking issues as for the suites supported > by the security team and if that issue is also marked in wheezy > (or whatever is LTS at the time), ok to also mark the LTS suite as > or do you want to do dea

Re: Call for testing: db

2017-09-29 Thread Guido Günther
Hi, On Wed, Sep 27, 2017 at 06:48:07PM +0200, Emilio Pozuelo Monfort wrote: > Hi, > > I've prepared fixes for CVE-2017-10140 which affects src:db (5.1), src:db4.7 > and > src:db4.8 in wheezy. Of those, the most important one is src:db, which is the > one with actual reverse dependencies. However

Re: NMU debsecan for wheezy

2017-09-27 Thread Guido Günther
Hi, On Mon, Sep 25, 2017 at 01:50:32PM +0200, Florian Weimer wrote: > * Guido Günther: > > > I'd like to update debsecan in Wheezy to fix #842428 with the attached > > debdiff and put out a corresponding DLA. O.k. ? > > Sure, please go ahead. Thanks for doing this. Uploaded, Thanks! -- Guido

NMU debsecan for wheezy

2017-09-25 Thread Guido Günther
+1,11 @@ +debsecan (0.4.16+nmu2) unstable; urgency=medium + + * Update tracker URL. +Based on upstream commit 0fca4c0af14fdd2fab74982985dd2387df3af26c +(Closes: #842428) + + -- Guido Günther Mon, 25 Sep 2017 13:33:12 +0200 + debsecan (0.4.16+nmu1) unstable; urgency=low * Non-maintainer upload.
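Review bot: the new changelog entry targets "unstable" while the subject proposes an NMU for wheezy; if this debdiff is the one meant for the wheezy upload, the entry should name the wheezy security suite and carry a wheezy-specific version (the +deb7uN pattern used elsewhere in this archive, e.g. 6.4.4+deb7u2) so it does not collide with the unstable version "0.4.16+nmu2".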

Re: Adding autopkgtests for CVEs

2017-09-25 Thread Guido Günther
Hi, On Mon, Sep 25, 2017 at 08:24:05AM +0100, Chris Lamb wrote: > Hi Guido, > > > Great! Could you tag these as "ease-lts" so we see bugs adding > > autopkgtests at a glimpse: > > What does "ease" here mean? "to ease s.th." == "to make s.th. simpler" or isn't this correct usage of the verb? Che

Re: Adding autopkgtests for CVEs

2017-09-25 Thread Guido Günther
Hi Chris, On Mon, Sep 25, 2017 at 08:08:19AM +0100, Chris Lamb wrote: > Hi -lts, > > I recently had some success adding an autopkgtest for a CVE and > thought I might share: > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=874059;filename=874059.diff.txt;msg=29 > > You generate t

Please test new samba packages

2017-09-22 Thread Guido Günther
Hi, I've uploaded new samba packages to fix 2 CVEs to https://people.debian.org/~agx/debian-lts/ Please give them a try. Cheers, -- Guido

Re: Wheezy update of tcpdump?

2017-09-15 Thread Guido Günther
Hi, On Thu, Sep 14, 2017 at 08:00:45PM +0200, Romain Francoise wrote: > Hi, > > On Thu, Sep 14, 2017 at 02:24:19PM +0200, Guido Günther wrote: > > This gives a 404 and the Vcs-Git doesn't have it either. Can you git > > push your changes? I can then test it on a live wh

Re: Wheezy update of tcpdump?

2017-09-14 Thread Guido Günther
Hi Romain, On Sun, Sep 10, 2017 at 04:12:34PM +0200, Romain Francoise wrote: > Hi, > > On Fri, Sep 08, 2017 at 08:50:40PM +0200, Ola Lundqvist wrote: > > If that workflow is a burden to you, feel free to just prepare an > > updated source package and send it to debian-lts@lists.debian.org > > (via

Call for testing: upcoming xen security update

2017-09-14 Thread Guido Günther
Hi, credativ prepared a new Xen update to fix several CVEs. It would be great if you could give it some more testing: https://korte.credativ.com/~fge/xen/ Cheers, -- Guido

Re: wheezy-security: New enigmail not showing up in arch Packages.gz

2017-09-11 Thread Guido Günther
Hi Ansgar, On Mon, Sep 11, 2017 at 10:38:00PM +0200, Ansgar Burchardt wrote: > Hi, > > Salvatore Bonaccorso writes: > > Explicitly adding ftp-masters (not sure if they just were bcc'ed) and > > full quoting below. AFAICT, the old packages need to be decrufted: > > The old arch-dep enigmail packag

wheezy-security: New enigmail not showing up in arch Packages.gz

2017-09-07 Thread Guido Günther
Dear ftp-masters, I had to upload a new enigmail to wheezy-security to unbreak it with recent thunderbird. Old enigmail (2:1.8.2-4~deb7u2) was arch any while the new one is arch all (2:1.9.8.1-1~deb7u1). This somehow makes the new version now show up as available. It shows correctly here: http

Re: Accepted icedove 1:52.3.0-4~deb7u1 (source amd64 all) into oldoldstable

2017-09-06 Thread Guido Günther
Hi, On Wed, Sep 06, 2017 at 08:15:17PM +0200, Pascal Hambourg wrote: > Hello, > > The new icedove packages are not available for i386 yet. > If I understand correctly > > the i386 build failed. Yept, noticed already.

LTS Activity report for August 2017

2017-09-03 Thread Guido Günther
Hi, during August I worked 10 of the allocated 10 hours on LTS. During this time I did the following: - Triaged 10+ Xen XSAs and forwarded the results to credativ so they can prepare an updated package. - Triaged several qemu CVEs and released DLA-1070-1 and DLA-1071-1 to fix the ones that af

Re: thunderbird/icedove packages up for test

2017-08-31 Thread Guido Günther
Hi, On Thu, Aug 31, 2017 at 03:26:14PM -0300, Lucas Kanashiro wrote: > Hi Guido, > > I installed your thunderbird packages in my wheezy VM and tried to do the > basic stuff (configure an account, create folder to filter emails, receive > and send emails, create tasks and use the calendar) and ever

thunderbird/icedove packages up for test

2017-08-31 Thread Guido Günther
Hi, please give the thunderbird packages https://people.debian.org/~agx/icedove-lts/ a try. I'll add a new enigmail soonish since the current version conflicts with the one in Wheezy. Cheers, -- Guido

Re: [pkg-gnupg-maint] Fixing CVE-2017-7526 in for wheezy / jessie

2017-08-28 Thread Guido Günther
Hi Niibe-san, On Tue, Aug 29, 2017 at 09:57:51AM +0900, NIIBE Yutaka wrote: > Hello, Guido, > > Guido Günther wrote: > > I just looked into fixing CVE-2017-7526 for gnupg in wheezy. Based on > > https://dev.gnupg.org/D438 I backported what I deemed are the necessary > >

Fixing CVE-2017-7526 in for wheezy / jessie

2017-08-28 Thread Guido Günther
ncy=medium + + * Backport fixes for CVE-2017-7526 from STABLE-BRANCH-1-4 branch + + -- Guido Günther Mon, 28 Aug 2017 11:59:38 +0200 + gnupg (1.4.12-7+deb7u8) wheezy-security; urgency=high * Non-maintainer upload by the Debian LTS Team. diff --git a/debian/patches/security/CVE-2017-7526-rsa-Ad

wireshark CVEs in Jessie/Wheezy

2017-08-28 Thread Guido Günther
Hi Balint, looking at https://security-tracker.debian.org/tracker/source-package/wireshark we have some CVEs open in Wheezy. Since Jessie ships the same version I wanted to check that you're not already working (or planning to work) on an update to avoid duplicate work. If not I'd start looki

Re: [tracker] New sub-states for issues tagged no-dsa

2017-08-11 Thread Guido Günther
Hi, On Fri, Aug 11, 2017 at 09:01:37PM +0200, Sébastien Delafond wrote: > After some discussion about what no-dsa really means, I've added 2 new > sub-states to the tracker, and they can be used as follows: > > CVE-2018-10012345 >- foo (bug #9876543) >[stretch] - shadow (Minor

Re: Debconf 2017 LTS BoF Summary

2017-08-09 Thread Guido Günther
Hi, On Wed, Aug 09, 2017 at 03:05:31PM +0200, Sébastien Delafond wrote: > On Aug/09, Markus Koschany wrote: > > I intend to submit a patch for reportbug to implement the first part > > of this idea. It basically asks an additional question before the > > question about bccing multiple e-mail addres

Debconf 2017 LTS BoF Summary

2017-08-08 Thread Guido Günther
Hi, here's a short summary from the BoF; * A internal review of the first commits to the security-tracker for new LTS team members by other LTS team members would be good. IMHO we should just do that. * The Security team requests help with keeping the list at https://security-tracker.debia

Re: LTS team Bof at Debconf

2017-08-08 Thread Guido Günther
Hi, On Mon, Aug 07, 2017 at 03:47:41PM -0400, Roberto C. Sánchez wrote: > On Mon, Aug 07, 2017 at 04:36:40PM -0300, Guido Günther wrote: > > Hi, > > On Mon, Aug 07, 2017 at 08:13:24PM +0200, Sébastien Delafond wrote: > > > On Aug/07, Roberto C. Sánchez wrote: > > >

Re: LTS team Bof at Debconf

2017-08-07 Thread Guido Günther
Hi, On Mon, Aug 07, 2017 at 08:13:24PM +0200, Sébastien Delafond wrote: > On Aug/07, Roberto C. Sánchez wrote: > > Would there be a willingness to allow remote participation via > > laptop+webcam? > > I don't know *how* it could be done, but Salvatore certainly would most > definitely be intereste

Re: LTS team Bof at Debconf

2017-08-07 Thread Guido Günther
Hi, On Sun, Aug 06, 2017 at 10:07:31PM -0300, Guido Günther wrote: > Hi, > Looking at the Debconf program I don't see a BoF scheduled for either > the LTS nor the Security Team. Looking at last year's > > https://lists.debian.org/debian-lts/2016/07/msg00173.html >

LTS team Bof at Debconf

2017-08-06 Thread Guido Günther
Hi, Looking at the Debconf program I don't see a BoF scheduled for either the LTS nor the Security Team. Looking at last year's https://lists.debian.org/debian-lts/2016/07/msg00173.html we have tackled some of the points but others (DEP-8) are still open and we've already been discussing thin

LTS Activity report for July 2017

2017-07-27 Thread Guido Günther
Hi, during July I worked 10 of the allocated 10 hours on LTS. During this time I did the following: - fix CVE-2017-11103 (Orpheus' Lyre) in heimdal resulting in DLA-1027-1 - look at CVE-2017-11103 in samba4 (not affected) - test new bind9 packages prepared by Thorsten Alteholz - one week of CVE t

Re: Wheezy update of krb5?

2017-07-24 Thread Guido Günther
Hi Ben, On Mon, Jul 24, 2017 at 03:17:27PM -0500, Benjamin Kaduk wrote: > On Sat, Jul 22, 2017 at 06:47:25PM +0200, Guido Günther wrote: > > Dear maintainer(s), > > > > The Debian LTS team would like to fix the security issues which are > > currently open in the Wheezy

Wheezy update of libgd2?

2017-07-22 Thread Guido Günther
r test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of libgd2 updates for the LTS releases. Thank you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of the LTS

Wheezy update of krb5?

2017-07-22 Thread Guido Günther
he updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of krb5 updates for the LTS releases. Thank you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of the LTS team m

Wheezy update of rbenv?

2017-07-22 Thread Guido Günther
Thank you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://anonscm.debian.org/viewvc/secure-testing/data/dla-neede

Re: should ca-certificates certdata.txt synchronize across all suites?

2017-07-21 Thread Guido Günther
Hi, On Fri, Jul 21, 2017 at 11:03:22PM +0200, Moritz Mühlenhoff wrote: > On Fri, Jul 21, 2017 at 09:51:45AM -0400, Antoine Beaupré wrote: > > On 2017-07-20 18:15:00, Philipp Kern wrote: > > > On 07/17/2017 09:41 PM, Antoine Beaupré wrote: > > >> Let's not jump the gun here. We're not shipping NSS i

cacti CVE-2017-1000031

2017-07-21 Thread Guido Günther
Hi security team, I looked at CVE-2017-131 yesterday. After failing to exploit it via a SQL injection getting "validation errors". I then contacted the maintainer Paul Gevers and he replied promptly that this looks like a duplicate of CVE-2014-4002. Do you agree that this can be marked as not a

Re: Wheezy update of freeradius?

2017-07-20 Thread Guido Günther
do > > On Thu, Jul 20, 2017 at 6:25 PM, Guido Günther wrote: > > > Dear maintainer(s), > > > > The Debian LTS team would like to fix the security issues which are > > currently open in the Wheezy version of freeradius: > > https://security-tracker.

Wheezy update of freeradius?

2017-07-20 Thread Guido Günther
r test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of freeradius updates for the LTS releases. Thank you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of the LTS

Wheezy update of gsoap?

2017-07-20 Thread Guido Günther
he updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of gsoap updates for the LTS releases. Thank you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of the LTS team m

Wheezy update of memcached?

2017-07-19 Thread Guido Günther
r test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of memcached updates for the LTS releases. Thank you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of th

Re: samba4 package didn't bundle Heimdal

2017-07-14 Thread Guido Günther
Hi Andrew, On Thu, Jul 13, 2017 at 09:17:57PM +1200, Andrew Bartlett wrote: > https://security-tracker.debian.org/tracker/CVE-2017-11103 > > Back when samba4 (which has been eviscerated to a client) was a > package, it linked against the system heimdal. > > You can see this because it depends on

Please test heimdal packages

2017-07-13 Thread Guido Günther
vice name validation. +(Closes: #868208) + + -- Guido Günther Thu, 13 Jul 2017 09:56:50 +0200 + heimdal (1.6~git20120403+dfsg1-2) unstable; urgency=low * Enable libcap-ng-dev only on Linux. Fixes FTBFS on kfreebsd-* and diff --git a/debian/patches/CVE-2017-11103-Orpheus-Lyre-

Re: testing bind9 for Wheezy LTS

2017-07-13 Thread Guido Günther
On Tue, Jul 11, 2017 at 10:22:03PM +0200, Thorsten Alteholz wrote: > Hi everybody, > > I uploaded version 9.8.4.dfsg.P1-6+nmu2+deb7u17 of bind9 to: > > https://people.debian.org/~alteholz/packages/wheezy-lts/bind9/amd64/ > > Please give it a try and tell me about any problems you met. It would b

Re: should ca-certificates certdata.txt synchronize across all suites?

2017-07-07 Thread Guido Günther
On Fri, Jul 07, 2017 at 03:57:35PM +0200, Philipp Kern wrote: > On 07/06/2017 08:01 PM, Antoine Beaupré wrote: > > In looking at fixing #858539 (blocking WoSign and StartCom, in CC) for > > wheezy, I noticed the issue was also pending in jessie. Furthermore, the > > idea originally raised by pabs[1

LTS Activity report for June 2017

2017-07-06 Thread Guido Günther
Hi, during June I worked 9 of the allocated 9 hours on LTS. During this time I did the following: - Spent the second half of a week with LTS frontdesk duties. - Prepared a new debian-security-support package for wheezy, stretch and sid. The jessie update is prepared and pending review. - qemu-kv

Re: [Pkg-puppet-devel] Wheezy update of puppet?

2017-06-27 Thread Guido Günther
On Tue, Jun 27, 2017 at 12:52:52PM -0400, Antoine Beaupré wrote: > On 2017-06-27 11:53:24, Antoine Beaupré wrote: > > Are you sure of this? From what I can tell agents haven't been sending > > YAML in a long time. If I understand things correctly, facts are sent in > > a format defined by the `pref

Please test thunderbird packages

2017-06-23 Thread Guido Günther
Hi, I've uploaded new thunderbird packages here: https://people.debian.org/~agx/icedove-lts/ Since this includes the switch to GTK+3 some more testing won't hurt. Note that this likely won't be the final package since upstream is looking into some gmail related fixes. Depending on when this w

Re: tiff and CVE-2016-10095

2017-06-06 Thread Guido Günther
Hi Raphael, On Tue, Jun 06, 2017 at 12:05:14PM +0200, Raphael Hertzog wrote: > Hi, > > On Fri, 02 Jun 2017, Guido Günther wrote: > > > but it's not worth arguing and providing that in jessie might be useful > > > for > > > building custom tools s
