Re: Security support for pypy and jython

2024-08-13 Thread Moritz Mühlenhoff
On Mon, Aug 12, 2024 at 03:10:06PM -0300, Santiago Ruano Rincón wrote: > Hi, > > On 08/08/24 at 12:10, Sylvain Beucler wrote: > > Hello Security Team, > > > > python2.7 was marked unsupported in bullseye. > > > > We recently noted that pypy[v2] (included up to bullseye) and jython (all >

Re: end-of-life iotjs for the upcoming bullseye LTS

2024-08-08 Thread Moritz Mühlenhoff
On Thu, Aug 08, 2024 at 09:31:31PM +0200, Salvatore Bonaccorso wrote: > So the package can be safely removed I would say and so my proposal > would be to ask for removal of iotjs in the last bullseye point > release. > > What do you think? Agreed, that sounds best. Cheers, Moritz

Re: gtkwave update for {bookworm,bullseye,buster}-security

2024-03-31 Thread Moritz Mühlenhoff
Hi Adrian, > attached are proposed debdiffs for updating gtkwave to 3.3.118 in > {bookworm,bullseye,buster}-security for review for a DSA > (and as preview for buster). Thanks! > General notes: > > I checked a handful of CVEs, and they were also present in buster. > If anyone insists that I check

Re: c-ares, CVE-2023-31147, CVE-2023-31124

2023-06-27 Thread Moritz Mühlenhoff
On Fri, Jun 23, 2023 at 09:59:45PM +0200, Anton Gladky wrote: > Thank you all for your replies! > > @Moritz, could you please create an issue with > the possible proposal, how it should look like? Sure, filed as #1039606 Thanks, Moritz

Re: Support for ckeditor3 in Debian

2023-05-23 Thread Moritz Mühlenhoff
On Thu, Jun 02, 2022 at 01:03:36PM +0200, Moritz Muehlenhoff wrote: > On Tue, May 31, 2022 at 05:42:00AM +, Mike Gabriel wrote: > > Hi Moritz, Salvatore, Sylvain, > > > > On Mon 30 May 2022 20:04:14 CEST, Moritz Mühlenhoff wrote: > > > > > On Sun, May

Re: Incomplete: intel-microcode (3.20230214.1~deb10u1) buster-security

2023-04-06 Thread Moritz Mühlenhoff
On Wed, Apr 05, 2023 at 02:49:01PM +0200, Philipp Kern wrote: > I suppose there has been a long-standing assumption that non-free does not > get security support, so non-free{,-firmware} is not actually autobuilt for > -security suites right now. And maintainers uploaded binaries manually with > t

Re: What to do with bullseye minor issues?

2022-12-28 Thread Moritz Mühlenhoff
On Thu, Sep 29, 2022 at 11:03:57AM +0200, Moritz Muehlenhoff wrote: > On Thu, Sep 29, 2022 at 09:09:29AM +0200, Emilio Pozuelo Monfort wrote: > > On 28/09/2022 23:54, Ola Lundqvist wrote: > > > Hi Sylvain > > > > > > Took me a month to get down here in the email backlog. I think your > > > reason

Re: EOL candidates for security-support-ended.deb10

2022-08-05 Thread Moritz Mühlenhoff
On Wed, Aug 03, 2022 at 11:54:28AM +0200, Sylvain Beucler wrote: > Hi, > > I think the following stretch EOL entries also apply to buster, because the > rationale still applies to the buster versions: > - libspring-java https://lists.debian.org/debian-lts/2021/12/msg8.html For Spring we need

Re: EOL candidates for security-support-ended.deb10

2022-08-05 Thread Moritz Mühlenhoff
On Fri, Aug 05, 2022 at 11:48:43AM +0200, Raphael Hertzog wrote: > Hello, > > On Wed, 03 Aug 2022, Sylvain Beucler wrote: > > OpenStack: we tend not to support openstack beyond upstream's support, but > > I'm having a hard time associating the components version with OpenStack's > > major version

Re: Support for ckeditor3 in Debian

2022-05-30 Thread Moritz Mühlenhoff
On Sun, May 29, 2022 at 09:36:43AM +0200, Salvatore Bonaccorso wrote: > While this is discouraged in general, we could opt here for this, to > avoid that ckeditor3 might get additional users outside of > php-horde-editor. This would also mean that only those bits of ckeditor3 which are actually u

Re: libapache2-mod-proxy-uwsgi 2.0.14+20161117-3+deb9u4 - duplicated request path

2021-10-05 Thread Moritz Mühlenhoff
reassign 995368 uwsgi thanks On Fri, Oct 01, 2021 at 04:16:05PM +0200, Josef Kejzlar, wpj s.r.o. wrote: > I can confirm this regression. > After unattended security upgrades got applied during the night, all > our applications stopped working. > > There is a wrong request path sent to uwsgi server

Re: Accepted eterm 0.9.6-5+deb9u1 (source amd64) into oldstable

2021-06-10 Thread Moritz Mühlenhoff
On Fri, Jun 11, 2021 at 01:39:46AM +0530, Utkarsh Gupta wrote: > Hello, > > On Thu, Jun 10, 2021 at 11:50 PM Moritz Mühlenhoff wrote: > > True that, but keep in mind that this update will only reach buster > > users with the point release on 2021-06-19. > > Right. S

Re: Accepted eterm 0.9.6-5+deb9u1 (source amd64) into oldstable

2021-06-10 Thread Moritz Mühlenhoff
On Thu, Jun 10, 2021 at 12:49:10PM +0530, Utkarsh Gupta wrote: > Hi Emilio, > > On Thu, Jun 10, 2021 at 12:46 PM Emilio Pozuelo Monfort > wrote: > > > * Non-maintainer upload by the LTS team. > > > * Add patch to fix CVE-2021-33477 (Closes: #989041) > > > > This now has a higher version

Re: [SECURITY] [DLA 2634-1] openjdk-8 security update

2021-04-24 Thread Moritz Mühlenhoff
On Sat, Apr 24, 2021 at 10:43:57AM +0200, Emilio Pozuelo Monfort wrote: > On 23/04/2021 14:16, Xavier wrote: > > +deb8u1 ? Shouldn't it be +deb9u1 ? > > Yes, it was a copy/paste error, I fixed it subsequently in the > security-tracker and the website. I'm not sure a follow-up announcement is > ne

Re: Match ecosystems with limited support in debian-security-support

2021-04-20 Thread Moritz Mühlenhoff
On Sat, Apr 17, 2021 at 05:42:11PM +0200, Sylvain Beucler wrote: > Hi, > > On 17/04/2021 14:44, Holger Levsen wrote: > > On Fri, Apr 16, 2021 at 03:47:49PM +0200, Moritz Mühlenhoff wrote: > > > > These source package sets come to mind: > > > > - node-* &

Re: Match ecosystems with limited support in debian-security-support

2021-04-16 Thread Moritz Mühlenhoff
On Fri, Apr 16, 2021 at 11:05:35AM +0200, Sylvain Beucler wrote: > Hi Security Team, > > I'm proposing a couple changes in debian-security-support and I'd welcome > your review :) > > 1) Match ecosystems > https://bugs.debian.org/986333 > https://salsa.debian.org/debian/debian-security-support/-

Re: Tracking related source packages

2021-02-25 Thread Moritz Mühlenhoff
On Thu, Feb 25, 2021 at 05:30:05PM +0100, Sylvain Beucler wrote: > - This problem is similar/related to tracking embedded code copies. > See https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/2 > With one difference: there's no reference source package. Not really, embedded code copi

Re: pluxml issues are questionable, request for advice

2020-12-16 Thread Moritz Mühlenhoff
On Wed, Dec 16, 2020 at 10:28:47AM +0200, Adrian Bunk wrote: > On Wed, Dec 16, 2020 at 07:36:19AM +0100, Ola Lundqvist wrote: > > Hi LTS team > > > > I have checked two of the pluxml issues > > CVE-2020-18184 > > This vulnerability is questioned upstream. > >... > > The question is how this shoul

Re: Future of MariaDB in stretch-lts (was: Re: CVE-2020-15180: MariaDB)

2020-11-10 Thread Moritz Mühlenhoff
On Tue, Nov 10, 2020 at 07:56:30PM +0200, Otto Kekäläinen wrote: > Hello! > > > >> During the 10.5 packaging cycle I have tested building backports for > > >> every commit (see e.g. > > >> https://salsa.debian.org/mariadb-team/mariadb-10.5/-/pipelines/191851). > > >> The galera-4 dependency is alr

Re: Backports needed for Firefox/Thunderbird ESR 78 in Buster/Stretch

2020-08-31 Thread Moritz Mühlenhoff
[Adding debian-devel to the list] On Sun, Aug 02, 2020 at 06:21:30PM +0200, Moritz Mühlenhoff wrote: > > We are at this point again. ESR 68 will be EOL on September 22nd, when 78.3 > > comes out. We have some time still, but if we want FF and TB to keep being > > supported, we&

Re: Backports needed for Firefox/Thunderbird ESR 78 in Buster/Stretch

2020-08-02 Thread Moritz Mühlenhoff
On Tue, Jul 28, 2020 at 10:17:35PM +0200, Emilio Pozuelo Monfort wrote: > Hi, > > On 21/08/2019 07:45, Salvatore Bonaccorso wrote: > > Hi Holger, hi Emilio, > > > > [dropping debian-devel list] > > > > On Mon, Aug 19, 2019 at 11:01:13PM +0200, Moritz Mühl

Re: rails update

2020-07-10 Thread Moritz Mühlenhoff
On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote: > Hi, > > - buster update > > I now "up-ported" my stretch work at: > https://www.beuc.net/tmp/debian-lts/rails-buster/ > + added the redis side of CVE-2020-8165 What do you mean with up-ported? Applying a patch made for an older r

Re: Draft: Debian 8 Long Term Support reaching end-of-life

2020-07-02 Thread Moritz Mühlenhoff
On Thu, Jul 02, 2020 at 08:24:42PM +0200, Markus Koschany wrote: > Sorry, but I was assuming that the official end of oldstable is on July > 18 when Debian 9.13 is released. > > https://lists.debian.org/debian-lts/2020/06/msg00049.html That syncs up potentially missing builds and creates the "fin

Re: Refreshing mysql-connector-java

2020-06-11 Thread Moritz Mühlenhoff
On Tue, Jun 09, 2020 at 12:05:33PM +0200, Sylvain Beucler wrote: > Do you plan to send a DSA? I prepared the following text: DSA has been released! Cheers, Moritz

Re: Refreshing mysql-connector-java

2020-06-07 Thread Moritz Mühlenhoff
On Fri, Jun 05, 2020 at 02:27:50PM +0200, Sylvain Beucler wrote: > Hi Security Team, > > On 05/06/2020 09:23, Sylvain Beucler wrote: > > On 04/06/2020 20:41, Salvatore Bonaccorso wrote: > >> On Mon, May 25, 2020 at 07:47:56PM +0200, Moritz Mühlenhoff wrote: > >&g

Re: Taking care of Keystone in Stretch and Jessie

2020-05-25 Thread Moritz Mühlenhoff
On Fri, May 15, 2020 at 03:49:10PM +0200, Thomas Goirand wrote: > On 5/15/20 3:12 PM, Sylvain Beucler wrote: > > Hi Thomas, > > > > On 14/05/2020 19:08, Thomas Goirand wrote: > >> I released an update of Keystone for a quite serious problem related to > >> ec2 credentials where a user can become a

Re: Refreshing mysql-connector-java

2020-05-25 Thread Moritz Mühlenhoff
On Mon, May 25, 2020 at 10:22:50AM +0200, Sylvain Beucler wrote: > Hi Security Team, > > What is your view on updating mysql-connector-java 5.1.42->5.1.49 for > Stretch? We can update to 5.1.49, yes. We've had to update it to new 5.1.x releases in the past and I don't remember any issues. The fac

Re: CVE-2020-10938/graphicsmagick and additional upstream change

2020-04-13 Thread Moritz Mühlenhoff
On Mon, Mar 30, 2020 at 10:26:35AM -0400, Roberto C. Sánchez wrote: > 2. Leave the change set intact with both functional changes, and: > a. mention only CVE-2020-10938 in debian/changelog and the >associated advisories I think that one makes the most sense, it's common that related c

Re: Thoughts on Xen updates in LTS

2020-02-21 Thread Moritz Mühlenhoff
On Fri, Feb 21, 2020 at 01:37:14PM -0500, Roberto C. Sánchez wrote: > On Fri, Feb 21, 2020 at 05:56:33PM +, Holger Levsen wrote: > > Roberto, > > > > On Fri, Feb 21, 2020 at 12:33:12PM -0500, Roberto C. Sánchez wrote: > > > I have recently begun working on updates to xen in jessie. > > > > h

Re: maintenance: stretch→buster upgrade of security upload host (suchon.d.o)

2020-02-06 Thread Moritz Mühlenhoff
On Thu, Feb 06, 2020 at 07:35:57PM +0100, Julien Cristau wrote: > On Thu, Feb 06, 2020 at 07:00:02PM +0100, Julien Cristau wrote: > > Hi, > > > > I'm about to upgrade the security upload host (suchon.d.o) from stretch > > to buster. That is going to cause (most likely short) outages during the >

Re: on updating debian-security-support in stable and oldstable (due to DSA-4562-1)

2020-01-31 Thread Moritz Mühlenhoff
On Thu, Jan 30, 2020 at 10:41:56PM +, Holger Levsen wrote: > On Thu, Jan 30, 2020 at 07:41:32PM +, Holger Levsen wrote: > > I'll upload 2019.12.12~deb9u2 then which is lower than what's in > > buster-pu currently and will be in buster soon. (2019.12.12~deb10u1) > > uploaded now. > > (once

Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.

2019-09-04 Thread Moritz Mühlenhoff
On Thu, Aug 29, 2019 at 09:36:39AM +0200, Moritz Mühlenhoff wrote: > Adding the radare2 uploaders to CC. > > On Fri, Aug 16, 2019 at 11:23:05PM +0200, Markus Koschany wrote: > > >> + NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in > > >> + N

Re: how to deal with widely used packages unsuitable for stable (was Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.)

2019-08-30 Thread Moritz Mühlenhoff
On Fri, Aug 30, 2019 at 09:17:32AM +0200, Raphael Hertzog wrote: > Hi, > > On Fri, 30 Aug 2019, Pirate Praveen wrote: > > Fast Track repo works exactly like current backports except the packages > > are added from unstable (or experimental during transitions and freeze) > > as they cannot go to te

Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.

2019-08-29 Thread Moritz Mühlenhoff
Adding the radare2 uploaders to CC. On Fri, Aug 16, 2019 at 11:23:05PM +0200, Markus Koschany wrote: > >> + NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in > >> + NOTE: libr/core/bin.c. Many no-dsa issues in Jessie and Stretch. Should > >> we > >> + NOTE: continue the current

Re: xymon vulnerabilities in jessie, stretch and buster

2019-08-19 Thread Moritz Mühlenhoff
On Mon, Aug 19, 2019 at 02:27:09PM +0200, Hugo Lefeuvre wrote: > Hi, > > I just had a look at xymon's vulnerabilities in jessie, stretch and buster. > > Upstream claims some of these issues to be exploitable, among others the XSS > vulnerability. I plan to address at least this one in jessie. >

Re: jinja2 update for CVE-2019-10906/CVE-2016-10745

2019-04-25 Thread Moritz Mühlenhoff
On Sun, Apr 14, 2019 at 12:14:04PM +0200, Hugo Lefeuvre wrote: > Dear Piotr, security team, > > I am currently working on CVE-2019-10906 and CVE-2016-10745, trying to > decide if preparing an LTS upload for these issues is worth the trouble. > > These issues seem to absolutely break the jinja2 sa

Re: libvirt / CVE-2019-3886

2019-04-11 Thread Moritz Mühlenhoff
On Tue, Apr 09, 2019 at 05:16:47PM +1000, Brian May wrote: > Guido Günther writes: > > > I don't think this is needed for jessie since the corresponding function > > in qemu was implemented in 4.8.0. > > Sounds like it won't hurt to leave this in, in any case... > > > qemuDomainGetTime is prese

Re: Newer kernel for jessie backports

2019-03-14 Thread Moritz Mühlenhoff
On Thu, Mar 14, 2019 at 01:57:37PM +0100, Alexander Wirt wrote: > On Thu, 14 Mar 2019, Arthur de Jong wrote: > > > -BEGIN PGP SIGNED MESSAGE- > > Hash: SHA256 > > > > > > Hi, > > > > In jessie backports there is currently a 4.9 kernel (4.9.110-3+debu5~deb8u1) > > which is based on stret

Re: RFC / Call for testing: ghostscript

2019-01-31 Thread Moritz Mühlenhoff
On Wed, Jan 30, 2019 at 03:02:53PM +0100, Markus Koschany wrote: > The truth is the -dSafer option gives a false sense of security even in > the latest release and we will probably continue to see more of those > issues. Obviously, any deployment which processes documents should use additional har

Re: RFC / Call for testing: ghostscript

2019-01-30 Thread Moritz Mühlenhoff
On Wed, Jan 30, 2019 at 01:24:40PM +0100, Markus Koschany wrote: > Hi, > > On 30.01.19 at 13:07, Emilio Pozuelo Monfort wrote: > [...] > > I would appreciate some testing and/or feedback. > > I have done most of the backporting work for the previous > vulnerabilities of Ghostscript. I don't reco

Re: pdns/pdns-recursor

2018-12-22 Thread Moritz Mühlenhoff
On Sat, Dec 22, 2018 at 01:02:06PM +0530, Abhijith PA wrote: > Hello. > > > I am currently working on pdns[1] and pdns-recursor's[2] security issues > which are marked as no-DSA, postponed. Last month I picked it up as > I had some time remaining. Upstream patch is available for the remaining

Re: proposed removal of Enigmail from jessie/LTS

2018-12-21 Thread Moritz Mühlenhoff
On Thu, Dec 20, 2018 at 02:30:49PM -0500, Daniel Kahn Gillmor wrote: > we're not talking about "all kinds of core libraries" -- we're talking > about a very selected subset. Which are used by core system services like systemd, which makes them core libraries. > > EOLing enigmail seems the only se

Re: proposed removal of Enigmail from jessie/LTS

2018-12-20 Thread Moritz Mühlenhoff
On Wed, Dec 19, 2018 at 05:03:26PM +, Holger Levsen wrote: > I mostly worried that you didn't test all dependent packages and that we > essentially might break those when trying to support a package no > customer has expressed need for. But then I also suppose such breakage > could be fixed...

Re: HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport

2018-12-15 Thread Moritz Mühlenhoff
On Fri, Dec 14, 2018 at 09:08:42AM +0100, Emilio Pozuelo Monfort wrote: > However given the impact of these library updates, I was wondering > if we have considered to just mark enigmail as EOL in jessie? Obviously if we > can keep supporting stuff we should do that, but as you say these library >

Re: Addressing FreeRDP security issues in Debian jessie (and stretch)

2018-12-12 Thread Moritz Mühlenhoff
On Wed, Dec 12, 2018 at 03:46:10PM +, Mike Gabriel wrote: > Hi Moritz, > > On Tue 11 Dec 2018 22:15:33 CET, Moritz Mühlenhoff wrote: > > > On Tue, Dec 11, 2018 at 04:42:17PM +, Mike Gabriel wrote: > > > From my understanding the potential remote code executio

Re: poppler: CVE-2018-16646 denial-of-service via crafted file

2018-12-12 Thread Moritz Mühlenhoff
On Thu, Nov 08, 2018 at 10:51:37AM +, Mike Gabriel wrote: > Hi Moritz, > > On Tue 06 Nov 2018 17:14:35 CET, Moritz Mühlenhoff wrote: > > > On Fri, Sep 28, 2018 at 08:32:25PM +0200, Markus Koschany wrote: > > > Package: poppler > > > X-Debbugs-CC: t..

Re: Addressing FreeRDP security issues in Debian jessie (and stretch)

2018-12-11 Thread Moritz Mühlenhoff
On Tue, Dec 11, 2018 at 04:42:17PM +, Mike Gabriel wrote: > From my understanding the potential remote code executions that are > mentioned in the CVE descriptions are triggered by a malign server and the > code executions then happen on the client side. Thanks for background. Security issues

Re: Addressing FreeRDP security issues in Debian jessie (and stretch)

2018-12-10 Thread Moritz Mühlenhoff
On Mon, Dec 10, 2018 at 05:44:51PM +, Mike Gabriel wrote: > Hi, > > I'd like to discuss the possible pathways for getting FreeRDP fixed in > Debian jessie LTS (and Debian stretch, too). debian-security@ldo is not the proper contact address, I've fixed the recipient list. > Last week I talked

Re: poppler: CVE-2018-16646 denial-of-service via crafted file

2018-11-06 Thread Moritz Mühlenhoff
On Fri, Sep 28, 2018 at 08:32:25PM +0200, Markus Koschany wrote: > Package: poppler > X-Debbugs-CC: t...@security.debian.org > Severity: important > Tags: security > > Hi, > > The following vulnerability was published for poppler. > > CVE-2018-16646[0]: > | In Poppler 0.68.0, the Parser::getObj(

Re: Status of PostgreSQL 9.1 in Jessie

2018-08-18 Thread Moritz Mühlenhoff
On Sat, Aug 18, 2018 at 08:17:22PM +0200, Markus Koschany wrote: > Hello Christoph, > > I just noticed that we ship two versions of PostgreSQL in Jessie, 9.1 > and 9.4. Do you plan to release future security updates for 9.1 as well? > Do you prefer that we take care of it or shall we mark 9.1 as E

Re: May Report

2018-06-10 Thread Moritz Mühlenhoff
On Sun, Jun 10, 2018 at 02:45:41PM +0200, Moritz Mühlenhoff wrote: > On Sat, Jun 09, 2018 at 08:38:15PM -0400, Hugo Lefeuvre wrote: > > Contact security team and prepare Jessie update 3.99.5+repack1-7+deb8u2 > > together with Fabian Greffrath, test it and submit it to the secu

Re: May Report

2018-06-10 Thread Moritz Mühlenhoff
On Sat, Jun 09, 2018 at 08:38:15PM -0400, Hugo Lefeuvre wrote: > Contact security team and prepare Jessie update 3.99.5+repack1-7+deb8u2 > together with Fabian Greffrath, test it and submit it to the security > team. Still waiting for their approval for upload. We _clearly_ told you that thi

Re: Draft for EOL announcement

2018-05-27 Thread Moritz Mühlenhoff
On Sat, May 26, 2018 at 09:40:58AM +0200, Raphael Hertzog wrote: > Hi, > > On Sat, 26 May 2018, Moritz Muehlenhoff wrote: > > It's not appropriate anyway for an official Debian announcement. LTS > > itself is already a grayish area, but advertising a service which > > solely prepares package upd

Re: wheezy-security (LTS) libclamav7's version is newer than jessie's

2018-05-04 Thread Moritz Mühlenhoff
On Fri, May 04, 2018 at 09:20:54AM +0200, Raphael Hertzog wrote: > Hello Marc, > > On Thu, 03 May 2018, Marc SCHAEFER wrote: > > Probably that a downgrade of the clamav suite would solve the problem; > > however > > there is something wrong in the coherency between wheezy LTS and jessie, > > don

Re: upload ocaml

2018-05-04 Thread Moritz Mühlenhoff
On Fri, May 04, 2018 at 09:44:21AM +0200, Emilio Pozuelo Monfort wrote: > Perhaps given that > Marshall is clearly marked as unsafe for untrusted data, we should follow > jessie/stretch and mark this as no-dsa. Exactly. Also Ocaml uses static linking so the update would only fix ocaml itself, but

Re: Bug#892590: Review graphite2

2018-03-30 Thread Moritz Mühlenhoff
On Fri, Mar 30, 2018 at 10:15:41AM +0530, Abhijith PA wrote: > Drop rene@, jmm@, 892...@bugs.debian.org. > > > On Tuesday 20 March 2018 01:47 AM, Moritz Mühlenhoff wrote: > > On Mon, Mar 19, 2018 at 05:04:17PM +0100, Rene Engelhard wrote: > >> I am not going over the .

Re: Bug#892590: Review graphite2

2018-03-19 Thread Moritz Mühlenhoff
On Mon, Mar 19, 2018 at 05:04:17PM +0100, Rene Engelhard wrote: > I am not going over the .-release procedure for this, I'd have uploaded > to security, though, but... > > I don't think we should special-case our oldest, > soon-to-be-not-supported release. Agreed, it doesn't make sense to fix thi

Re: Better communication about spectre/meltdown

2018-02-25 Thread Moritz Mühlenhoff
On Sun, Feb 25, 2018 at 08:54:06AM -0500, Roberto C. Sánchez wrote: > Hi all, > > Please see my rather long-winded summary of the current state of the > gcc-4.6/gcc-4.7 update. The bottom line is that I am looking for opinions > and/or guidance for how to proceed. Why 4.6 _and_ 4.7? Only the compil

Re: Better communication about spectre/meltdown

2018-02-18 Thread Moritz Mühlenhoff
On Sun, Feb 18, 2018 at 01:39:13AM +, Ben Hutchings wrote: > On Thu, 2018-02-15 at 20:56 +0100, Moritz Muehlenhoff wrote: > > On Thu, Feb 15, 2018 at 12:33:12PM +0100, Raphael Hertzog wrote: > > > On IRC I learned that Moritz Muehlenhoff (jmm) started the work of > > > backporting retpoline to

Re: krb5 security vulnerabilities

2018-02-08 Thread Moritz Mühlenhoff
On Thu, Feb 08, 2018 at 07:35:13PM +0100, Ola Lundqvist wrote: > Hi Brian > > Do you think we can be considered as "product owner"? Maybe we can try > to request access anyway. These are both known to upstream and under investigation/patch development, simply wait for them to make an announcement

Re: pulling in other vulnerability databases

2018-01-25 Thread Moritz Mühlenhoff
Antoine Beaupré wrote: > So, regarding the first two (and similar), someone needs to teach those > folks about proper security tracking here... ;) Should I contact them > directly? Who in particular? Node and Snyk? Sure, go ahead. Cheers, Moritz

Re: pulling in other vulnerability databases

2018-01-25 Thread Moritz Mühlenhoff
On Thu, Jan 25, 2018 at 09:41:46AM +0100, Salvatore Bonaccorso wrote: > I'm actually not super-excited if non-MITRE feeds are automatically > merged. MITRE CVE database is our master-reference. Yeah, let's not do that. Cheers, Moritz

Re: MySQL 5.5 EOL before Debian 8 LTS ends

2018-01-23 Thread Moritz Mühlenhoff
On Tue, Jan 23, 2018 at 11:41:57AM +0100, Lars Tangvald wrote: > I can't find much of anything that has changed from 5.5 to 5.6 in terms of > default behavior, except for NO_ENGINE_SUBSTITUTION being the default > sql_mode > (https://dev.mysql.com/doc/refman/5.6/en/sql-mode.html#sqlmode_no_engine_

Re: About libreoffice CVE

2017-11-14 Thread Moritz Mühlenhoff
On Tue, Nov 14, 2017 at 04:48:48PM +0100, Raphael Hertzog wrote: > Package: libreoffice > Claimed-By: Emilio Pozuelo > Claimed-Date: 2017-05-31 17:29 (166 days ago) There's some data error, CVE-2017-12607 and CVE-2017-12608 were only disclosed on Oct 27. Cheers, Moritz

Re: Wheezy update of icedove?

2017-10-30 Thread Moritz Mühlenhoff
On Mon, Oct 30, 2017 at 08:06:27AM +0100, Guido Günther wrote: > I've seen preparation mails for Stretch and Jessie. Is there anything > missing that I can help with? The stretch version is in NEW due to the rename and needs FTP master processing. jessie is ready. Cheers, Moritz

Re: git-annex security issue backports

2017-10-12 Thread Moritz Mühlenhoff
On Fri, Sep 29, 2017 at 06:56:32PM +0200, Salvatore Bonaccorso wrote: > Hi Antoine, > > On Thu, Sep 28, 2017 at 01:53:06PM -0400, Antoine Beaupré wrote: > > Hi again, > > > > I reached out to joeyh to see how we could backport git-annex security > > patches to wheezy. He responded by sharing the

Re: Wheezy update for lame

2017-10-03 Thread Moritz Mühlenhoff
On Sun, Sep 24, 2017 at 04:01:27PM +0200, Hugo Lefeuvre wrote: > Instead of applying the patches I'd propose to wait for lame 3.100 > which I could backport to stretch, jessie and wheezy if the security > team thinks it's a good idea. What's the timeline for lame 3.100? We can probably do that, bu

Re: Wheezy update of trafficserver?

2017-09-22 Thread Moritz Mühlenhoff
On Fri, Sep 22, 2017 at 01:34:10PM +0200, Jean Baptiste Favre wrote: > Hello Chris, > > Though I'd really like to handle this update by myself, I unfortunately > have no time to do it. Besides, since I'm only DM, I'm not sure I'll > have uploads rights. Does the version of trafficserver in wheezy

Re: graphicsmagick CVE-2017-14103

2017-09-06 Thread Moritz Mühlenhoff
On Wed, Sep 06, 2017 at 05:39:33PM +1000, Brian May wrote: > Hello, > > What does " (Incomplete fix not applied)" mean? > > The part seems to say it is not even affected, while the > comment seems to say it hasn't been fixed? Fix foo introduced a new vulnerability, but since foo hadn't been app

Re: smb4k CVE-2017-8849

2017-08-12 Thread Moritz Mühlenhoff
On Wed, Jun 21, 2017 at 06:54:57PM +0200, Markus Koschany wrote: > On 15.06.2017 at 18:49, Markus Koschany wrote: > [...] > > Then I suggest we backport the Stretch version of smb4k to Wheezy and > > Jessie. I have done this a few minutes ago for Wheezy and it was quite > > painless. It pulls in a

Re: CVE-2017-3590 in mysql-connector-python

2017-08-10 Thread Moritz Mühlenhoff
On Thu, Aug 10, 2017 at 12:02:58PM -0400, Markus Koschany wrote: > On 10/08/17 11:29, Hugo Lefeuvre wrote: > > Hi, > > > > mysql-connector-python is affected by CVE-2017-3590. > > > > Since we cannot extract the fix from the upstream patch, the only way to > > solve > > the issue is to backport

Re: CVE-2017-3590 in mysql-connector-python

2017-08-10 Thread Moritz Mühlenhoff
On Thu, Aug 10, 2017 at 11:29:04AM -0400, Hugo Lefeuvre wrote: > Hi, > > mysql-connector-python is affected by CVE-2017-3590. > > Since we cannot extract the fix from the upstream patch, the only way to solve > the issue is to backport 2.6.1-1 to wheezy. However this issue is no-dsa > in Jessie,

Re: Debconf 2017 LTS BoF Summary

2017-08-09 Thread Moritz Mühlenhoff
On Wed, Aug 09, 2017 at 07:11:16AM -0400, Roberto C. Sánchez wrote: > > * license of CVE text is unclear -> Moritz rewrites from scratch > > - generic description of the issue instead of details of functions > > > Is it still OK to use verbatim text from a DSA in a DLA? It seems like > that sho

Re: LTS team Bof at Debconf

2017-08-07 Thread Moritz Mühlenhoff
On Sun, Aug 06, 2017 at 10:07:31PM -0300, Guido Günther wrote: > Hi, > Looking at the Debconf program I don't see a BoF scheduled for either > the LTS nor the Security Team. Looking at last year's > > https://lists.debian.org/debian-lts/2016/07/msg00173.html > > we have tackled some of the po

Re: should ca-certificates certdata.txt synchronize across all suites?

2017-07-21 Thread Moritz Mühlenhoff
On Fri, Jul 21, 2017 at 09:51:45AM -0400, Antoine Beaupré wrote: > On 2017-07-20 18:15:00, Philipp Kern wrote: > > On 07/17/2017 09:41 PM, Antoine Beaupré wrote: > >> Let's not jump the gun here. We're not shipping NSS in ca-certificates, > >> just a tiny part of it: one text file, more or less. >

Re: heads-up: stretch release and changes to security-tracker

2017-06-11 Thread Moritz Mühlenhoff
On Mon, Jun 12, 2017 at 09:15:02AM +0800, Paul Wise wrote: > On Mon, Jun 12, 2017 at 3:37 AM, Salvatore Bonaccorso wrote: > > > I'm attaching the *preliminary* set of changes which I plan to > > activate once stretch is released. > > Wow, there really is a horribly large amount of hard-coding of

Re: What to do with jbig2dec in wheezy and jessie

2017-03-23 Thread Moritz Mühlenhoff
On Tue, Mar 21, 2017 at 10:53:05AM +0100, Raphael Hertzog wrote: > Hello Moritz, > > On Sun, 12 Mar 2017, Moritz Mühlenhoff wrote: > > > So as long as we ensure that we don't break Ghostscript and MuPDF I think > > > we are good enough. > > > > > &g

Re: What to do with jbig2dec in wheezy and jessie

2017-03-12 Thread Moritz Mühlenhoff
On Thu, Mar 09, 2017 at 12:10:15PM +0100, Raphael Hertzog wrote: > Hello, > > sorry for the delay... > > On Tue, 31 Jan 2017, Luciano Bello wrote: > > On Thursday, 26 January 2017 21:05:46 EST Ola Lundqvist wrote: > > > > I started to work on fixing jbig2dec/wheezy for > > > > https://security-tr

Re: Wheezy update of wireshark?

2017-02-18 Thread Moritz Mühlenhoff
On Sat, Feb 18, 2017 at 01:22:19AM +0100, Bálint Réczey wrote: > Was there any reason for handling the last CVE very quickly? I can > catch up with the changes in Jessie. No. It's totally harmless, for jessie let's also line this one up in git for the next Wireshark advisory round. Cheers,

Re: Qemu CVEs in Xen

2016-12-26 Thread Moritz Mühlenhoff
On Mon, Dec 26, 2016 at 08:04:29PM +0100, Hugo Lefeuvre wrote: > Hi Moritz, > > > That doesn't make sense. Only a very small subset of the qemu copy > > is security-relevant in Xen and if that happens they've usually > > published an XSA advisory for it. > > XSA advisories are published for stabl

Re: Qemu CVEs in Xen

2016-12-26 Thread Moritz Mühlenhoff
On Tue, Nov 29, 2016 at 10:18:51AM +0100, Hugo Lefeuvre wrote: > Hi, > > So far, I have triaged ~120 CVEs. I have used all my assigned hours, so > I won't be able to finish the work this month. > > I have marked Xen as affected by 45 'new' CVEs until now. Not all of > them deserve a DLA. That do

Re: Bug#839226: [PATCH] cups : SSL is vulnerable to POODLE

2016-09-30 Thread Moritz Mühlenhoff
Hi Didier, > Have we removed protocols' support in {old,}stable before? We have done that on a case-by-case basis via point updates in the past, seems also fine here. Cheers, Moritz

Re: OpenSSL for wheezy

2016-09-23 Thread Moritz Mühlenhoff
On Fri, Sep 23, 2016 at 09:38:10PM +0200, Kurt Roeckx wrote: > So I would like to just upload the 1.0.1u version to > wheezy-security. If nobody complains that is what I will do. Then the version number in jessie would be lower than in wheezy, breaking updates. Cheers, Moritz

Re: [Secure-testing-commits] r44612 - data/CVE

2016-09-15 Thread Moritz Mühlenhoff
On Thu, Sep 15, 2016 at 04:13:52PM +, Markus Koschany wrote: > Author: apo > Date: 2016-09-15 16:13:52 + (Thu, 15 Sep 2016) > New Revision: 44612 > > Modified: >data/CVE/list > Log: > mantis: CVE-2016-6837, no-dsa, unsupported > > > Modified: data/CVE/list > =

Coordinating uploads with identical tarballs

2016-08-01 Thread Moritz Mühlenhoff
Hi, when making uploads with an identical tarball in lts and stable-security you really need to coordinate with t...@security.debian.org! Due to dak's crappy orig tarball handling only one of the uploads can be made with the tarball included and if you race to the upload without coordination you're onl

Re: Wheezy update of kde4libs?

2016-07-27 Thread Moritz Mühlenhoff
On Mon, Jul 25, 2016 at 10:45:26PM +0200, Bálint Réczey wrote: > Hi Maximiliano, > > 2016-07-25 15:41 GMT+02:00 Bálint Réczey : > > Hi, > > > > 2016-07-19 23:12 GMT+02:00 Brian May : > >> Maximiliano Curia writes: > >> > >>> I just did the upload to unstable, with the karchive fix from upstream

Moving some LTS files into separate repo

2016-07-13 Thread Moritz Mühlenhoff
Hi, could you move lts-needed.txt and the LTS front desk file out of the security tracker repo? This makes the -changes list less spammy since those files are only relevant to LTS. Cheers, Moritz

Re: [SECURITY] [DLA 532-1] movabletype-opensource security update

2016-06-27 Thread Moritz Mühlenhoff
On Tue, Jun 28, 2016 at 08:41:08AM +0200, Raphael Hertzog wrote: > On Mon, 27 Jun 2016, Chris Lamb wrote: > > Package: movabletype-opensource > > $ grep movabletype-opensource security-support-ended.deb7 > movabletype-opensource 5.1.4+dfsg-4+deb7u3 2016-02-06 Not supported in > Debi

Re: Supporting libav in wheezy

2016-05-14 Thread Moritz Mühlenhoff
On Fri, May 13, 2016 at 01:13:34PM +0200, Sebastian Ramacher wrote: > (Please CC me, I'm not subscribed.) > > Hi > > On 2016-05-02 20:46:37, Brian May wrote: > > Raphael Hertzog writes: > > > > > There's also an alternate way to go forward... continue to support > > > the current version with p

Re: Unsupported packages for Wheezy LTS

2016-05-14 Thread Moritz Mühlenhoff
On Fri, May 13, 2016 at 02:10:48PM +0200, Guido Günther wrote: > > No, I recommend to EOL src:qemu/qemu-kvm in wheezy (the bits relevant to > > src:xen are > > somewhat isolated and can be backported from the Xen Security announcements) > > Backporting jessie's qemu will end up in a similar situat

Re: Announcing Wheezy LTS via debian-security-announce

2016-04-19 Thread Moritz Mühlenhoff
On Tue, Apr 19, 2016 at 09:00:17PM +0200, Markus Koschany wrote: > For Debian 7 "Wheezy" LTS there will be no requirement to add a separate > wheezy-lts suite to your sources.list any more and your current setup > will continue to work without further changes. Has that been coordinated with FTP ma

Re: Announcing Wheezy LTS via debian-security-announce

2016-04-19 Thread Moritz Mühlenhoff
On Tue, Apr 19, 2016 at 09:00:17PM +0200, Markus Koschany wrote: > Hi security team, > > only one week to go and I thought it would be a good idea to draft an > announcement for next Tuesday that should be send to > debian-security-announce and debian-lts-announce. I suggest that we > coordinate t

Re: Xen security updates on Wheezy

2016-03-25 Thread Moritz Mühlenhoff
On Thu, Mar 24, 2016 at 01:37:19PM -0400, Antoine Beaupré wrote: > (Opening a new thread to clarify topic.) > > Brian, I have tested the packages you have proided here: > > https://people.debian.org/~bam/wheezy/xen/amd64/ > > They seem to hold, although I have yet to test them in production. One

Re: working for wheezy-security until wheezy-lts starts

2016-03-13 Thread Moritz Mühlenhoff
On Sun, Mar 13, 2016 at 12:52:09PM +0100, Guido Günther wrote: > Looking at > > > http://metadata.ftp-master.debian.org/changelogs/main/x/xen/xen_4.1.4-3+deb7u9_changelog > > and the source package the current practice is to pull in the individual > patches. Ack. > I wonder if somebody ca

Re: tracking security issues without CVEs

2016-03-10 Thread Moritz Mühlenhoff
On Sun, Mar 06, 2016 at 06:58:48PM +0100, Salvatore Bonaccorso wrote: > But I think as well that is right now to early to > start adopting these for not yet assigned issues. Agreed, let's stick with the usual "file a bug to get a temporary identifier" procedure for now. Cheers, Moritz

Re: working for wheezy-security until wheezy-lts starts

2016-03-03 Thread Moritz Mühlenhoff
On Mon, Feb 29, 2016 at 03:25:46PM +, Mike Gabriel wrote: > Hi all, > > as of today, the Debian squeeze LTS support will cease and squeeze will > One thing, we can do, I guess, is helping out with the Debian Security Team > regarding package updates in Debian wheezy. There are two major areas

Re: wheezy-security to wheezy-lts transition

2016-02-22 Thread Moritz Mühlenhoff
On Mon, Feb 22, 2016 at 06:42:20PM +0100, Guido Günther wrote: > Hi Adam, > On Sat, Feb 20, 2016 at 02:27:27PM +, Adam D. Barratt wrote: > > [apologies to anyone who's ended up with three copies of this; the > > original got eaten due to a misconfiguration on my side - please only > > reply to

Re: Preparing to announce Squeeze LTS end-of-life

2016-02-11 Thread Moritz Mühlenhoff
On Thu, Feb 11, 2016 at 08:19:02PM +0100, Markus Koschany wrote: > Am 11.02.2016 um 19:09 schrieb Miroslav Skoric: > > On 02/10/2016 10:17 AM, Matus UHLAR - fantomas wrote: > > > >> > >> so, are you prepared for valentine's day massacre? > >> > > > > Actually not: It is Wheezy (7.9) now, and I pr

Re: no support for matroska/ebml?

2016-02-05 Thread Moritz Mühlenhoff
On Fri, Feb 05, 2016 at 05:45:47PM -0500, Antoine Beaupré wrote: > On 2016-02-05 17:37:30, Moritz Mühlenhoff wrote: > > On Fri, Feb 05, 2016 at 03:20:07PM -0500, Antoine Beaupré wrote: > >> hi > >> > >> considering how ffmpeg is unsupported in squeeze-LTS, is

Re: no support for matroska/ebml?

2016-02-05 Thread Moritz Mühlenhoff
On Fri, Feb 05, 2016 at 03:20:07PM -0500, Antoine Beaupré wrote: > hi > > considering how ffmpeg is unsupported in squeeze-LTS, is it fair to > assume we should do the same with libebml and libmatroska? Given that both ffmpeg and vlc are EOLed in squeeze, that seems sensible. Cheers, Mor
