Re: Packages not supportable in squeeze-lts

2014-05-19 Thread Moritz Muehlenhoff
On Mon, May 19, 2014 at 08:52:04AM +0200, Jan Ingvoldstad wrote: > On 16. mai 2014, at 22:07, Matt Palmer wrote: > > > > On the other hand, I do like the idea of providing alternate kernels, > > although I wonder if the regular backported kernel isn't enough for people? > > No, they're not, beca

Re: Companies contact team@security?

2014-05-20 Thread Moritz Muehlenhoff
On Tue, May 20, 2014 at 12:28:49PM +0200, Holger Levsen wrote: > Hi Korte, > > On Samstag, 17. Mai 2014, ko...@free.de wrote: > > https://wiki.debian.org/LTS/Development mentions > > > > "Companies using Debian who are interested in aiding this effort should > > contact t...@security.debian.org"

[ftpmas...@ftp-master.debian.org: debian-security-support_2014.05.16+deb6u1_amd64.changes REJECTED]

2014-05-21 Thread Moritz Muehlenhoff
-06-10) on inutil.org X-Spam-Level: X-Spam-Status: No, score=0.0 required=5.0 tests=BAYES_50 autolearn=ham version=3.2.5 Envelope-to: j...@inutil.org Delivery-date: Wed, 21 May 2014 12:21:48 +0200 From: Debian FTP Masters To: Christoph Biedl , Moritz Muehlenhoff X-DAK: dak process-up

Re: Questions about the lts repository

2014-05-21 Thread Moritz Muehlenhoff
On Wed, May 21, 2014 at 05:55:15PM +0200, Korte wrote: > Hi > > In [1] there is: deb http://ftp.de.debian.org/debian squeeze-lts main > but no contrib non-free. In [2] there is contrib and non-free. Is that > alright? I can't remember that we made a security upload for contrib or non-free since

Re: Packages not supportable in squeeze-lts

2014-05-22 Thread Moritz Muehlenhoff
On Wed, May 21, 2014 at 12:22:07PM +0200, Moritz Muehlenhoff wrote: > On Fri, May 16, 2014 at 07:12:10AM +0200, Moritz Muehlenhoff wrote: > > Hi, > > a range of packages will not be supportable in squeeze-lts. But since we > > have now have the debian-security-support package

Re: Packages not supportable in squeeze-lts

2014-05-22 Thread Moritz Muehlenhoff
On Fri, May 23, 2014 at 02:01:45AM +0200, Carlos Alberto Lopez Perez wrote: > I would rather invest my efforts in upgrading my Asterisk deployment. > > Hopefully for wheezy LTS we could support it, since the version on > wheezy matches the one that upstream has picked as LTS. Ack, that sounds lik

Draft of announcement for Debian LTS

2014-05-23 Thread Moritz Muehlenhoff
Hi, please review and comment on attached draft (especially those among you who are native speakers in English). I'm planning to send it on Sunday. Anything I'm missing in the announcement? I'd like to finalise the list of unsupported packages before then and upload a new version of debian-securit

Re: Draft of announcement for Debian LTS

2014-05-23 Thread Moritz Muehlenhoff
Hi, I've incorporated various updates, see new version attached. On Fri, May 23, 2014 at 12:18:03PM +0100, Dominic Hargreaves wrote: > On Fri, May 23, 2014 at 11:54:06AM +0200, Moritz Muehlenhoff wrote: > > please review and comment on attached draft (especially those among y

Re: squeeze-lts not (yet?) on packages.debian.org

2014-05-24 Thread Moritz Muehlenhoff
On Sat, May 24, 2014 at 01:36:40PM +0200, Christoph Biedl wrote: > Hello, > > just a short bit, I noticed squeeze-lts does not show in the list of > distribution in the top-right corner of a package page as e.g. in > . Should we be concerned > about this?

Re: Debian contributors looking for paid work on Squeeze LTS

2014-05-26 Thread Moritz Muehlenhoff
On Mon, May 26, 2014 at 02:15:13PM +0200, Raphael Hertzog wrote: > Hello, > > as a follow up to my former mail[1], I'd like to know who is interested to > be paid to contribute to Squeeze LTS. I am myself in this position and I > believe that we should coordinate ourselves to have a clear offer to

Re: Debian contributors looking for paid work on Squeeze LTS

2014-05-27 Thread Moritz Muehlenhoff
On Mon, May 26, 2014 at 10:54:42PM +0200, Raphael Hertzog wrote: > On Mon, 26 May 2014, Raphael Hertzog wrote: > > > That's difficult to judge. If someone compiles of list of all DSAs in 2014 > > > for squeeze (minus the ones which are unsupported in squeeze-lts) we can > > > make a rough estimatio

Re: Debian contributors looking for paid work on Squeeze LTS

2014-05-27 Thread Moritz Muehlenhoff
On Tue, May 27, 2014 at 08:34:47AM +0200, Raphael Hertzog wrote: > > Some of them are delayed 'til the next point release. > > Right that's the way the security team delegates the responsibility of > such updates to the maintainers and the stable release team. Not necessarily. I only meant that t

Re: Debian contributors looking for paid work on Squeeze LTS

2014-05-27 Thread Moritz Muehlenhoff
On Wed, May 28, 2014 at 08:36:10AM +0200, Raphael Hertzog wrote: > On Tue, 27 May 2014, Moritz Muehlenhoff wrote: > > On Mon, May 26, 2014 at 10:54:42PM +0200, Raphael Hertzog wrote: > > > On Mon, 26 May 2014, Raphael Hertzog wrote: > > > > > That's difficult

Re: libplrpc-perl vs DBI vs mysql

2014-05-28 Thread Moritz Muehlenhoff
On Wed, May 28, 2014 at 09:49:45AM +0200, Christoph Biedl wrote: > So I > am thinking of an updated version of libdbi-perl for squeeze-lts > that lowers the dependency on libplrpc-perl to Recommends: or > Suggests:, or drops it entirely. The libplrpc-perl package has no > other reverse dependenc

Re: Draft of announcement for Debian LTS

2014-05-30 Thread Moritz Muehlenhoff
On Thu, May 29, 2014 at 06:33:13PM +0200, matteo filippetto wrote: > 2014-05-23 15:07 GMT+02:00 Moritz Muehlenhoff : > > > > I think until things are sorted out (I expect some additional > > questions/clarifications > > after the public announcement) we should use the

Re: libplrpc-perl vs DBI vs mysql

2014-05-30 Thread Moritz Muehlenhoff
On Wed, May 28, 2014 at 10:21:10AM +0200, Christoph Biedl wrote: > So opening a can of worms: Given package A depends on package B, > perhaps even through a third package. Now support for B is to be > terminated. Shouldn't there be precise warnings for A too, at least to > some degree? At the momen

Workflow for Debian LTS / First update released

2014-06-02 Thread Moritz Muehlenhoff
Hi, now that the official security support for Squeeze has ended, Squeeze LTS can go live! I've just released the first update (for gnutls26) and it seems to have worked fine. Now everyone else should pick up some work :-) As discussed earlier we'll use the same workflow to coordinate work as use

gnutls26 update and NEW queue

2014-06-02 Thread Moritz Muehlenhoff
Note that the gnutls26 package isn't available yet. It landed in the NEW queue which is a bug in the dak installation. I've contacted FTP masters to fix that. Cheers, Moritz -- To UNSUBSCRIBE, email to debian-lts-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact

Re: gnutls26 update and NEW queue

2014-06-02 Thread Moritz Muehlenhoff
On Mon, Jun 02, 2014 at 12:19:01PM +0200, Moritz Muehlenhoff wrote: > Note that the gnutls26 package isn't available yet. It landed in the NEW queue > which is a bug in the dak installation. I've contacted FTP masters to > fix that. It has been processed in NEW by now, so

Re: Debian contributors looking for paid work on Squeeze LTS

2014-06-03 Thread Moritz Muehlenhoff
On Tue, Jun 03, 2014 at 08:31:49AM +0200, Raphael Hertzog wrote: > Hi, > > On Mon, 02 Jun 2014, Moritz Mühlenhoff wrote: > > Following a very rough methodology: > > > > For updates in leaf packages with a patch available for stable-security > > four updates should be sufficient for the updated pa

Re: debsecan with squeeze-lts

2014-06-03 Thread Moritz Muehlenhoff
On Tue, Jun 03, 2014 at 12:14:13PM +0100, Steven Chamberlain wrote: > Hi, > > I noticed an interesting problem that squeeze-lts creates for debsecan. > > debsecan (at least the version in squeeze) doesn't seem to know about > libgnutls26 version 2.8.6-1+squeeze4, or even that it has the fixes fro

Re: fail2ban (0.8.4-3+squeeze2)

2014-06-03 Thread Moritz Muehlenhoff
On Tue, Jun 03, 2014 at 12:30:57PM +0200, matteo filippetto wrote: > 2014-06-02 23:49 GMT+02:00 Moritz Mühlenhoff : > > > > You're right, the security tracker data is incomplete here. Do you want > > to update the data yourself? > > > > If so, please create an Alioth handle and tell us the username

squeeze-lts and the security tracker

2014-06-03 Thread Moritz Muehlenhoff
On Tue, Jun 03, 2014 at 01:09:41PM +0200, Moritz Muehlenhoff wrote: > On Tue, Jun 03, 2014 at 12:14:13PM +0100, Steven Chamberlain wrote: > > Hi, > > > > I noticed an interesting problem that squeeze-lts creates for debsecan. > > > > debsecan (at least the ve

Re: Workflow for Debian LTS / First update released

2014-06-05 Thread Moritz Muehlenhoff
On Fri, Jun 06, 2014 at 02:23:26AM +0200, Carlos Alberto Lopez Perez wrote: > On 02/06/14 09:59, Moritz Muehlenhoff wrote: > > As discussed earlier we'll use the same workflow to coordinate work as used > > in the Debian Security Team: A simple text file. I've committed a

Re: Missing openssl build for i386

2014-06-05 Thread Moritz Muehlenhoff
On Fri, Jun 06, 2014 at 09:15:11AM +1000, Matt Palmer wrote: > On Thu, Jun 05, 2014 at 11:30:12PM +0100, Steven Chamberlain wrote: > > Hi again, > > > > Looking at the Packages file on the same mirror, I see the > > openssl packages available for amd64, but not i386? > > The amd64 build got uploa

Re: linux-2.6 (2.6.32-48squeeze7) CVE-2014-3153

2014-06-06 Thread Moritz Muehlenhoff
On Fri, Jun 06, 2014 at 04:34:37AM +0200, Carlos Alberto Lopez Perez wrote: > On 06/06/14 03:09, Carlos Alberto Lopez Perez wrote: > > On 06/06/14 02:06, Carlos Alberto Lopez Perez wrote: > >> Hi, > >> > >> > >> I can see on the svn that the updated package for linux-2.6 is ready [1] > >> (or at le

Re: Re: linux-2.6 (2.6.32-48squeeze7) CVE-2014-3153

2014-06-10 Thread Moritz Muehlenhoff
On Mon, Jun 09, 2014 at 11:10:30PM +0200, Raphael Geissert wrote: > On Monday 09 June 2014 17:32:15 Dominic Hargreaves wrote: > [...] > > I noticed that lts-needed.txt says: > > > > "Some packages are not tracked here: > > - Linux kernel (tracking in kernel-sec repo) > > " > > > > What is the ker

Re: LTS progress so far [was: Draft announce of Debian 6 LTS, please review quickly]

2014-06-16 Thread Moritz Muehlenhoff
Matt Palmer wrote: > I was under the impression that security team members were releasing > updates for LTS alongside the rest of the distributions, where those team > members were also interested in LTS. Individual members will continue to handle some updates, but from a high level view, rather n

Re: LTS progress so far [was: Draft announce of Debian 6 LTS, please review quickly]

2014-06-17 Thread Moritz Muehlenhoff
On Tue, Jun 17, 2014 at 10:28:02AM +0200, Thorsten Alteholz wrote: > > > On Mon, 16 Jun 2014, Moritz Muehlenhoff wrote: >> Initially there needs to be an initial analysis of the data shown at >> https://security-tracker.debian.org/tracker/status/release/oldstable >> as

Bug#753122: PTS: Please add support for squeeze-lts

2014-06-29 Thread Moritz Muehlenhoff
Package: qa.debian.org Severity: normal Hi, please list squeeze-lts in the "versions" table of the PTS. Since there won't be further updates to squeeze-security after the final Squeeze point release, this can simply replace the old "old-sec" entry. Cheers, Moritz

Re: CVE-2014-4610: Integer Overflow in FFmpeg LZO implementation

2014-07-01 Thread Moritz Muehlenhoff
On Tue, Jul 01, 2014 at 10:01:35AM +1000, Matt Palmer wrote: > Hi, > > On Fri, Jun 27, 2014 at 07:30:11PM +0200, Andreas Cadhalpun wrote: > > I'd like to inform you that ffmpeg 0.5.10-1 in squeeze is vulnerable > > to CVE-2014-4610 [1]. > > The fix [2] should be easily backportable. > > Thanks fo

Re: dbus for LTS

2014-07-10 Thread Moritz Muehlenhoff
On Thu, Jul 10, 2014 at 08:06:02PM +0200, Thorsten Alteholz wrote: > Hi, > > according to the security tracker there are three CVEs[1] for dbus which > shall all affect Squeeze (DSA-2971-1). > > As far as I understand CVE-2014-3532 is for kernels above 2.6.37-rc4 but > only 2.6.32 is in Squeeze

Re: updating tor (to 0.2.4.x)

2014-07-14 Thread Moritz Muehlenhoff
On Mon, Jul 14, 2014 at 09:52:42AM +0200, Peter Palfrader wrote: > Hi, > > now that Tor 0.2.4.x has hit stable, I'd like to update it in squeeze as > well. > > Currently squeeze ships with tor 0.2.2.39. (I think initially it even > shipped a 0.2.1.x version.) The arguments for updating to 0.2.4

Re: DLA documented

2014-07-14 Thread Moritz Muehlenhoff
On Mon, Jul 14, 2014 at 06:45:06PM +0200, Alexander Wirt wrote: > On Mon, 14 Jul 2014, Moritz Mühlenhoff wrote: > > > On Mon, Jul 14, 2014 at 05:06:26PM +0200, Holger Levsen wrote: > > > Hi, > > > > > > Alexander Wirt just offered/suggested to reject mails not conforming to a > > > certain subje

Re: Fwd: cacti security update

2014-07-14 Thread Moritz Muehlenhoff
On Mon, Jul 14, 2014 at 09:20:54PM +0200, Paul Gevers wrote: > Hi all, > > On 5 July, I sent the attached security update to the announce list. It > seems to have never reached that list. Could somebody enlighten me and > tell me what I did wrong? Only list masters can investigate this. Please se

Collecting notes for preparing security updates for selected packages

2014-07-17 Thread Moritz Muehlenhoff
Hi, now that more people are involved in creating security updates outside the security team we should create a central place to gather useful information. We can use this to collect information how to build tricky packages (like the Linux kernel or OpenJDK) and especially to collect information h

Re: Re: gen-DLA (was: Re: LTS-ID : LTS6A-2014-015)

2014-07-23 Thread Moritz Muehlenhoff
On Tue, Jul 22, 2014 at 11:09:20PM +0200, Raphael Geissert wrote: > On Tuesday 22 July 2014 22:49:34 Holger Levsen wrote: > > On Dienstag, 22. Juli 2014, Raphael Geissert wrote: > > sure. I think the distinction / meaning of "reserved" is just > > "unreleased"... > > Take a look at DLA/list's brot

Re: Fwd: Re: php5 in squeeze LTS

2014-08-25 Thread Moritz Muehlenhoff
On Sun, Aug 24, 2014 at 07:23:28PM +0200, Thorsten Alteholz wrote: > Hi Ondrej, > > On Wed, 20 Aug 2014, Ondřej Surý wrote: >> Personally I would suggest you to do the same for 5.3.x in squeeze LTS. > > would it be sufficient to only use those patches for Squeeze LTS that > have been applied in Wh

Re: DLA for updated debian-security-support?

2014-09-07 Thread Moritz Muehlenhoff
On Sun, Sep 07, 2014 at 07:53:46PM +0200, Christoph Biedl wrote: > Hello, > > today, I uploaded a new version of debian-security-support to > squeeze-lts (and also to sid). After that, Holger asked me in IRC to > do an DLA for this. I don't think we need this, after all debian-security-support w

Re: [SECURITY] [DLA 62-1] nss security update

2014-09-26 Thread Moritz Muehlenhoff
On Fri, Sep 26, 2014 at 12:45:46PM +0800, Bret Busby wrote: > On 26/09/2014, Holger Levsen wrote: > > Hi, > > > > to answer the original posters question (bcc:ed), iceape ain't supported > > anymore, see > > https://lists.debian.org/debian-security-announce/2013/msg00233.html > > > Hello. > > In

End of life for MySQL 5.1

2015-01-20 Thread Moritz Muehlenhoff
Hi, I just noticed that MySQL 5.1 is now EOLed by Oracle: http://www.mysql.com/support/eol-notice.html: | Per Oracle's Lifetime Support policy, as of December 31, 2013, MySQL | 5.1 is covered under Oracle Sustaining Support. As per http://www.mysql.com/support/ this means: | No new releases, no

Re: spamassassin update

2015-02-02 Thread Moritz Muehlenhoff
On Mon, Feb 02, 2015 at 06:52:02PM +1100, Matt Palmer wrote: > On Mon, Feb 02, 2015 at 02:12:06PM +0800, Bret Busby wrote: > > On 02/02/2015, Matt Palmer wrote: > > > On Sun, Feb 01, 2015 at 09:49:15AM -0800, Noah Meyerhans wrote: > > >> Let me know if I should go ahead with this upload, or if any

Re: Fwd: Re: TLSv1.2 needed in Debian 6 LTS

2015-02-02 Thread Moritz Muehlenhoff
On Tue, Feb 03, 2015 at 01:02:11AM +0100, Disch Services GmbH wrote: > Am 03.02.2015 um 00:04 schrieb Ben Hutchings: > >> No, the point is the claim that Debian 6 LTS has 5 year support until > >> mid. 2016. > > With a limited subset of package and architectures, and subject to > > developers being

Re: About the security issues affecting redmine in Squeeze

2015-03-23 Thread Moritz Muehlenhoff
On Mon, Mar 23, 2015 at 02:59:36PM +0100, Raphael Hertzog wrote: > Hello dear maintainer(s), > > the Debian LTS team recently reviewed the security issue(s) affecting your > package in Squeeze: > https://security-tracker.debian.org/tracker/source-package/redmine rails is not covered by LTS securi

Re: squeeze update of flightgear?

2015-03-25 Thread Moritz Muehlenhoff
On Wed, Mar 25, 2015 at 09:28:01AM +0100, Markus Wanner wrote: > I'm sorry, I don't think I'll have time to work on this, myself. (Nor > do I think games are an important part of an LTS distribution. YMMV, > of course.) I concur. Section:games should probably be excluded from Wheezy LTS. Cheers,

Re: Any ideas on possibility of wheezy-lts?

2015-03-30 Thread Moritz Muehlenhoff
On Mon, Mar 30, 2015 at 10:03:11AM +1100, Jeremy Davis wrote: > Hi, > > I have googled high and low and got no recent comment/thoughts/etc on > whether or not there is even consideration of a Wheezy LTS. > > I understand that it would be dependant on the success (or not) of > Squeeze-LTS but I co

Re: Any ideas on possibility of wheezy-lts?

2015-03-30 Thread Moritz Muehlenhoff
On Tue, Mar 31, 2015 at 01:06:22PM +0800, Bret Busby wrote: > (as > opposed to the Ubuntu LTS system, which, I believe (but, I stand to be > corrected), supposedly fully maintains all packages, for the LTS > lifecycle) Absolutely not! In Ubuntu the majority of packages isn't covered by security s

Re: How to deal with wireshark CVE affecting Squeeze

2015-04-12 Thread Moritz Muehlenhoff
On Sun, Apr 12, 2015 at 01:20:37PM +0200, Bálint Réczey wrote: > Hi Ben, > > 2015-04-12 1:38 GMT+02:00 Ben Hutchings : > > On Sun, 2015-04-12 at 01:05 +0200, Bálint Réczey wrote: > > [...] > >> I assume this situation is not unique to Wireshark. What do you think, > >> what would be the best for t

Re: bin/genDLA proposal: auto-commit requested DLA numbers (was: Re: [SECURITY] [DLA 265-1] unattended-upgrades security update)

2015-07-03 Thread Moritz Muehlenhoff
On Fri, Jul 03, 2015 at 09:19:14PM +0200, Raphael Hertzog wrote: > On Fri, 03 Jul 2015, Mike Gabriel wrote: > > I just discussed this with Moritz Mühlenhoff on #debian-security. His > > request is to leave all genDSA specific stuff in the genD{S,L}A script > > untouched. > > What about the attache

Re: squeeze update of rails?

2015-07-05 Thread Moritz Muehlenhoff
On Sun, Jul 05, 2015 at 10:24:57AM +0200, Thorsten Alteholz wrote: > Hello dear maintainer(s), > > the Debian LTS team would like to fix the security issues which are > currently open in the Squeeze version of rails: > https://security-tracker.debian.org/tracker/CVE-2015-3226 > https://security-tr

Unsupported packages for Wheezy LTS

2015-08-19 Thread Moritz Muehlenhoff
Hi, as a followup to yesterday's BoF I compared the list of unsupported packages in Squeeze LTS against the current status quo: (We try to split the LTS work from the normal security work, but I'm adding t...@security.debian.org to CC to let people comment who are not on debian-lts.) These pack

Re: lts-cve-triage.py: patch to check no-dsa tags in already triaged issues

2015-08-26 Thread Moritz Muehlenhoff
On Wed, Aug 26, 2015 at 02:47:42PM +0200, Raphael Hertzog wrote: > On Tue, 25 Aug 2015, Santiago Ruano Rincón wrote: > > > Thus it would be better if we fixed packages listed in dla-needed.txt > > > even if the security team tagged the same issues as no-dsa afterwards. > > > > > > What do you thin

Re: Volunteers to handle embargoed security issues

2015-09-04 Thread Moritz Muehlenhoff
On Fri, Sep 04, 2015 at 11:06:03AM +0200, Raphael Hertzog wrote: > On Wed, 02 Sep 2015, Raphael Hertzog wrote: > > So, who is willing to be added on this alias? > > FTR I just filed ticket #5950 on rt.debian.org to request > lts-secur...@debian.org pointing to Ben Hutchings and Thorsten Alteholz.

Re: Long term improvement to Debian's security and LTS

2015-10-30 Thread Moritz Muehlenhoff
Hi, > On Fri, Oct 30, 2015 at 03:01:47PM +0100, Raphael Hertzog wrote: > > Hello everybody, > > > > with the current LTS funding level and the somewhat limited scope of > > squeeze, > > and until the LTS team takes care of wheezy, we are likely to have some > > spare hours to invest into improvi

Re: Long term improvement to Debian's security and LTS

2015-10-31 Thread Moritz Muehlenhoff
On Sat, Oct 31, 2015 at 04:00:56PM +0100, Raphael Hertzog wrote: > On Fri, 30 Oct 2015, Moritz Muehlenhoff wrote: > > > > - improving the security infrastructure > > > > That has certainly the best net positive from my point of view. > > From my point of view

Re: Unsupported packages for Wheezy LTS

2015-11-04 Thread Moritz Muehlenhoff
On Thu, Nov 05, 2015 at 06:47:03AM +0900, Mike Hommey wrote: > First and foremost, while GCC 4.7 is the current > minimum version supported, it's likely to become GCC 4.8 in the near > future, because of some wanted C++11/C++14 features. That problem also bit us with chromium in wheezy. Introduci

Re: squeeze update of piwigo (for compatibility against mysql-5.5)?

2015-12-02 Thread Moritz Muehlenhoff
On Wed, Dec 02, 2015 at 09:56:08PM +0100, Santiago Ruano Rincón wrote: > Dear piwigo maintainers, > > Would you like to fix this issue in piwigo for squeeze lts? piwigo is end-of-life in squeeze. Cheers, Moritz

Re: Using the same nss in all suites

2015-12-14 Thread Moritz Muehlenhoff
On Wed, Nov 25, 2015 at 11:58:19AM +0100, Florian Weimer wrote: > * Guido Günther: > > > On Thu, Nov 05, 2015 at 09:00:51PM +0100, Florian Weimer wrote: > >> * Mike Hommey: > >> > The biggest issue with NSS version bumps is that defaults change, > >> > such as cyphers, protocols, etc. That can hav

Re: squeeze update of openssh?

2016-01-15 Thread Moritz Muehlenhoff
On Fri, Jan 15, 2016 at 02:50:33PM +0100, Yves-Alexis Perez wrote: > On ven., 2016-01-15 at 14:47 +0100, Guido Günther wrote: > > > I believe Yves-Alexis Perez is handling this. > > > > I figured Mike's mail is related to > > > >     TEMP-000 Eliminate the fallback from untrusted X11-forwardin

Re: Summary of the LTS BoF held during DebConf

2016-01-28 Thread Moritz Muehlenhoff
On Thu, Jan 28, 2016 at 05:24:13AM +0100, Thijs Kinkhorst wrote: > On Tue, January 19, 2016 17:56, Santiago Ruano Rincón wrote: > > Moreover, squeeze lts has been advertised to end next February, the 6th > > to be precise. At the same time, the security team would support wheezy > > until April 26t

Re: working for wheezy-security until wheezy-lts starts

2016-03-01 Thread Moritz Muehlenhoff
On Tue, Mar 01, 2016 at 02:08:56PM +, Sébastien Delafond wrote: > On 2016-03-01, Mike Gabriel wrote: > > @Security Team: Shall we (LTS contributors) handle wheezy-security > > updates like described below until Debian wheezy LTS comes into play? > > > >o Pick a package that has open CVE

Re: working for wheezy-security until wheezy-lts starts

2016-03-16 Thread Moritz Muehlenhoff
On Wed, Mar 16, 2016 at 02:27:15PM +1100, Brian May wrote: > Guido Günther writes:> > > > Sid has Xen 4.6 and looking at the CVEs that affect sid the patches > > don't seem to be applied so the tracker looks correct, there's plenty of > > work left. > > > > Are you going to look at the Wheezy pac

Re: imagemagick

2016-04-06 Thread Moritz Muehlenhoff
On Wed, Apr 06, 2016 at 08:28:18PM +1000, Brian May wrote: > Luciano Bello writes: > > > On Saturday 26 March 2016 17.40.39 Brian May wrote: > >> > If you didn't get any other comment, fill free to upload to security > >> > master. I'm not part of the LTS team, but I guess you can also update >

Re: imagemagick

2016-04-06 Thread Moritz Muehlenhoff
On Wed, Apr 06, 2016 at 08:46:03PM +1000, Brian May wrote: > Moritz Muehlenhoff writes: > > >> # dput security-master-unembargoed > >> /tmp/brian/tmp6cIyLr/build/i386/imagemagick_6.7.7.10-5+deb7u4_i386.changes > > > > Try "security-master" in

Re: working for wheezy-security until wheezy-lts starts

2016-04-20 Thread Moritz Muehlenhoff
On Wed, Apr 20, 2016 at 09:35:31AM +0200, Raphael Hertzog wrote: > On Wed, 20 Apr 2016, Brian May wrote: > > Looks like a total of 85 packages failed to build and 46 packages > > succeeded. So me thinks this strategy of using the Jessie version in > > wheezy may not be a feasible option. >

Re: Announcing Wheezy LTS via debian-security-announce

2016-04-20 Thread Moritz Muehlenhoff
On Wed, Apr 20, 2016 at 10:31:48AM +0100, Justin B Rye wrote: > > - Forwarded message from Markus Koschany - > [...] > > [draft] > > > > Security support for Wheezy handed over to the LTS team > > === > > > > As of today the standard se

Re: Supporting armel/armhf in wheezy-lts

2016-04-24 Thread Moritz Muehlenhoff
On Sun, Apr 24, 2016 at 09:55:10AM +0200, Raphael Hertzog wrote: > > https://wiki.debian.org/LTS/ makes it appear that LTS is an official Debian > > effort. > > And it is. There are multiple Debian developers who have initiated this > project, have been organizing it on debian-lts@lists.debian.org

Re: staging security updates

2016-04-28 Thread Moritz Muehlenhoff
On Thu, Apr 28, 2016 at 10:03:44AM -0400, Antoine Beaupré wrote: > On 2016-04-28 02:54:36, Brian May wrote: > > - Created private signed repository for staging my proposed updates for > > testing. https://people.debian.org/~bam/debian/ > > Could we have a proposed-updates suite for security the

Re: Sending LTS changes to debian-lts-changes

2016-05-02 Thread Moritz Muehlenhoff
On Mon, May 02, 2016 at 08:57:40PM +0200, Ansgar Burchardt wrote: > Raphael Hertzog writes: > > On Mon, 02 May 2016, Markus Koschany wrote: > >> thank you for fixing the mirror bug. Moritz Mühlenhoff informed us on > >> IRC that accepted mails for LTS uploads are still sent to dak AT > >> security.

Re: Wheezy update of roundcube?

2016-05-03 Thread Moritz Muehlenhoff
On Tue, May 03, 2016 at 06:28:03PM +0200, Markus Koschany wrote: > The second best solution would be to backport either the 1.0.x branch or > your jessie-backport packages to Wheezy. Since you actively maintain > them, what do you think, how complex is the task to backport the > packages from jessi

Re: how reliable is "debian-security-support" ? AW: [SECURITY] Security support for Wheezy handed over to the LTS team

2016-05-09 Thread Moritz Muehlenhoff
On Mon, May 09, 2016 at 09:35:22AM +, Holger Levsen wrote: > On Mon, May 09, 2016 at 08:43:37AM +, Schulz, Reiner wrote: > > How often I have to update the "debian-security-support" package? > > "never" is valid answer I'd say (though maybe a bit confusing at first). Quite the contrary, i

Re: Unsupported packages for Wheezy LTS

2016-05-12 Thread Moritz Muehlenhoff
On Thu, May 12, 2016 at 10:07:17AM -0400, Antoine Beaupré wrote: > On 2016-05-12 10:00:24, Guido Günther wrote: > >> qemu and qemu-kvm were triaged as unsupported for CVE-2016-3712, but I > >> think Guido is studying how to support virtualisation related packages, > >> and maybe we should wait for

Re: Unsupported packages for Wheezy LTS

2016-05-13 Thread Moritz Muehlenhoff
On Fri, May 13, 2016 at 12:09:08PM +0200, Guido Günther wrote: > On Fri, May 13, 2016 at 09:40:42AM +0200, Raphael Hertzog wrote: > > On Thu, 12 May 2016, Guido Günther wrote: > > > > I would rather see qemu supported, in other words. But the version in > > > > wheezy is really old, and in xen/whee

Re: Unsupported packages for Wheezy LTS

2016-05-13 Thread Moritz Muehlenhoff
On Fri, May 13, 2016 at 12:21:13PM +0200, Raphael Hertzog wrote: > On Fri, 13 May 2016, Moritz Muehlenhoff wrote: > > > I'm not convinced that > > > supporting the current Wheezy versions of QEMU for two more years is of > > > much use (in contrast to the versi

Re: mediawiki support in wheezy-LTS

2016-05-20 Thread Moritz Muehlenhoff
On Fri, May 20, 2016 at 11:11:53AM +0200, Thorsten Glaser wrote: > On Tue, 17 May 2016, Antoine Beaupré wrote: > > > >> Actually, before we do that: did we actually agree that we would not > > >> support mediawiki in wheezy? That's news to me, and it's part of the > > >> sponsored packages list...

Re: mediawiki support in wheezy-LTS

2016-05-20 Thread Moritz Muehlenhoff
On Fri, May 20, 2016 at 09:25:59AM -0400, Antoine Beaupré wrote: > So what should we do with mediawiki then, mark it as unsupported? Remove > it from the archive completely? Yes. I'll ask for removal from jessie with the next stable release. Cheers, Moritz

Re: Iceweasel 45 for Wheezy-LTS

2016-05-26 Thread Moritz Muehlenhoff
On Thu, May 26, 2016 at 10:29:22PM +0900, Mike Hommey wrote: > On Sun, May 22, 2016 at 07:34:29PM +0200, Guido Günther wrote: > > Hi Mike, > > I'm currently looking into building icedove 45 for Wheezy-LTS. I wonder > > if I should do the same for Iceweasel or if you intend to keep > > maintaining I

Re: Security update of libxstream-java

2016-06-02 Thread Moritz Muehlenhoff
On Thu, Jun 02, 2016 at 09:32:27PM +0200, Markus Koschany wrote: > On 02.06.2016 11:35, Emmanuel Bourg wrote: > > Le 2/06/2016 à 11:19, Markus Koschany a écrit : > > > >> I saw that you have claimed libxstream-java in dla-needed.txt. It's been > >> a while since the security update for Jessie has

Re: CVE-2016-6131 binutils, gdb, valgrind etc.

2016-07-07 Thread Moritz Muehlenhoff
On Thu, Jul 07, 2016 at 10:36:49AM +0200, Santiago Ruano Rincón wrote: > After talking with Salvatore and Guido, we plan to discuss about the > no-dsa meaning for oldstable during BoF tomorrow. One of the reasons > for tagging no-dsa minor issues is to handle them via point-releases. > Since we don

Re: Wheezy update of icu?

2016-09-07 Thread Moritz Muehlenhoff
On Wed, Sep 07, 2016 at 08:25:36AM -0400, Roberto C. Sánchez wrote: > On Wed, Sep 07, 2016 at 11:07:16AM +0200, Bálint Réczey wrote: > > > > I have not found however the proposed fix on the list thus I did not > > know if you used the upstream fix. > > > > I think it would be a good idea to send

Re: Wheezy update of icu?

2016-09-08 Thread Moritz Muehlenhoff
On Thu, Sep 08, 2016 at 06:45:28AM -0400, Roberto C. Sánchez wrote: > On Thu, Sep 08, 2016 at 07:29:55AM +0200, Guido Günther wrote: > > > > If you find useful information on e.g. howto reproduce the bug or about > > the proper upstream fix use > > > >NOTE: > > > > See e.g. this entry from t

Re: wheezy update for libav

2016-09-12 Thread Moritz Muehlenhoff
On Mon, Sep 12, 2016 at 12:52:32PM +0200, Hugo Lefeuvre wrote: > Hi, > > > I'm counting 22 open CVEs for libav at the moment. Which of them do you > > intend to address with your fixes? Do you mind working together with > > Hugo Lefeuvre on some issues? I could imagine you both could pool your > >

Re: wheezy update for libav

2016-09-13 Thread Moritz Muehlenhoff
Markus Koschany wrote: > Just to be clear a new upstream libav doesn't need to coincide with a > Debian security update. It wouldn't do any harm though. Important is > that we only fix security related issues and leave possible features out > that are not strictly needed to fix the CVEs. This is n

Re: fixing in oldstable before unstable (was Re: Wheezy update of tre?)

2016-10-20 Thread Moritz Muehlenhoff
On Thu, Oct 20, 2016 at 05:00:36PM +0200, Guido Günther wrote: > Please file these bugs! The security team has asked for help on this > task on several occasions. It's on the LTS TODO list since the BoF at > Debconf16: > > > https://wiki.debian.org/LTS/TODO#Update_documentation_on_frontdesk

Re: ghostscript and evince/libspectre problem

2016-10-26 Thread Moritz Muehlenhoff
On Wed, Oct 26, 2016 at 11:09:54PM -0400, Roberto C. Sánchez wrote: > On Tue, Oct 25, 2016 at 09:54:01PM +0200, Salvatore Bonaccorso wrote: > > Hi Roberto > > > > Could you double-check/confirm if you see the same > > https://bugs.debian.org/840691 in wheezy? Note although the bug is > > still ass

Re: Bug#840691: ghostscript and evince/libspectre problem

2016-10-27 Thread Moritz Muehlenhoff
On Thu, Oct 27, 2016 at 06:31:43AM -0400, Roberto C. Sánchez wrote: > On Thu, Oct 27, 2016 at 08:54:39AM +0200, Moritz Muehlenhoff wrote: > > > > Salvatore mentioned that the same bug occurs when unstable has the security > > patches merged (which hasn't happened so far

Re: nss 3.26.2 in jessie?

2016-12-22 Thread Moritz Muehlenhoff
On Wed, Dec 21, 2016 at 05:27:30PM -0500, Antoine Beaupré wrote: > Hi, > > We (the LTS team, but mainly me and buxy) are working on an update to > the NSS package for wheezy, and we just packaged the upstream 3.26.2 > release since it was a minimal diff that was easy to review. > > We can't reall

Re: Print undetermined issues in lts-cve-triage

2017-02-03 Thread Moritz Muehlenhoff
On Fri, Feb 03, 2017 at 10:58:35AM +0100, Guido Günther wrote: > Hi, > while looking at the recent changes in data/CVE/list I noticed a bunch > of gstreamer issues being added but not showing up in the output > produced by lts-cve-triage. Reason was that they're marked as > undetermined. The attach

Re: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-24 Thread Moritz Muehlenhoff
On Fri, Mar 24, 2017 at 03:55:23PM +0100, Guido Günther wrote: > Hi Roberto, > On Fri, Mar 24, 2017 at 10:45:44AM -0400, Roberto C. Sánchez wrote: > > On Fri, Mar 24, 2017 at 03:16:28PM +0100, Mathieu Parent wrote: > > > Please wait a bit before uploading. > > > > > > There is a regression in jess

Re: Dealing with renamed source packages during CVE triaging

2017-03-28 Thread Moritz Muehlenhoff
On Tue, Mar 28, 2017 at 03:11:41PM +0200, Raphael Hertzog wrote: > Hello, > > So it looks like we have to tweak our workflow and/or build something > to make sure that we do not miss to handle issues in such packages. > What do you think ? What would be the proper approach ? I'd suggest a cron job

Re: Dealing with renamed source packages during CVE triaging

2017-03-28 Thread Moritz Muehlenhoff
On Tue, Mar 28, 2017 at 03:55:12PM +0200, Raphael Hertzog wrote: > On Tue, 28 Mar 2017, Moritz Muehlenhoff wrote: > > I'd suggest a cron job running once or twice per day, which keeps > > a table of (current source package name / old source package name(s)) > > and a

Re: fixing links for DLAs in the security tracker

2017-03-28 Thread Moritz Muehlenhoff
On Tue, Mar 28, 2017 at 04:08:19PM -0400, Antoine Beaupré wrote: > I constantly find myself struggling to find the actual DLA announcements > when I browse the security tracker. Take for example: > > https://security-tracker.debian.org/tracker/CVE-2016-8743 > > If you click on the DSA there: > >

Re: [SECURITY] [DLA 918-1] freetype security update

2017-04-27 Thread Moritz Muehlenhoff
On Thu, Apr 27, 2017 at 10:55:51AM +0200, Bolesław Tokarski wrote: > I'm curious to see the version scope/some proof of a particular version not > being affected by CVE-2016-10328. See https://security-tracker.debian.org/tracker/CVE-2016-10328 > The reason I'm asking is because I'm maintaining

Re: [SECURITY] [DLA 918-1] freetype security update

2017-04-27 Thread Moritz Muehlenhoff
On Thu, Apr 27, 2017 at 01:04:54PM +0200, Bolesław Tokarski wrote: > Hi, > > > See https://security-tracker.debian.org/tracker/CVE-2016-10328 > > Nice, I see it's in 'fixed' state in 2.5.2-3+deb8u1 already. I guess it was > not > clear that this does not affect that version last time I checked

Re: [Secure-testing-commits] r51756 - data/CVE

2017-05-19 Thread Moritz Muehlenhoff
On Fri, May 19, 2017 at 04:23:25PM +, Hugo Lefeuvre wrote: > Author: hle > Date: 2017-05-19 16:23:25 + (Fri, 19 May 2017) > New Revision: 51756 > > Modified: >data/CVE/list > Log: > CVE triage for libav in wheezy by Diego Biurrun That's not okay. Why do you remove several entries? Ch

Re: [Secure-testing-commits] r51756 - data/CVE

2017-05-19 Thread Moritz Muehlenhoff
On Fri, May 19, 2017 at 06:34:10PM +0200, Hugo Lefeuvre wrote: > Hi Moritz, > > On Fri, May 19, 2017 at 06:25:43PM +0200, Moritz Muehlenhoff wrote: > > On Fri, May 19, 2017 at 04:23:25PM +, Hugo Lefeuvre wrote: > > > Author: hle > > > Date: 2017-05-19

Re: tiff and CVE-2016-10095

2017-06-02 Thread Moritz Muehlenhoff
On Fri, Jun 02, 2017 at 10:25:29AM +0200, Guido Günther wrote: > Hi Moritz, > I'm trying to figure out the reasoning for @51764. This marks tiff as > affected by CVE-2016-10095. However from the upstream bug and the > changes we made in wheezy it looks like the changes we made already are > suffici

Re: update of debian-security-support [was Re: Marking autotrace as unsupported ?]

2017-06-02 Thread Moritz Muehlenhoff
On Fri, Jun 02, 2017 at 12:21:01PM +0200, Guido Günther wrote: > Hi, > On Fri, Jun 02, 2017 at 11:32:07AM +0200, Raphael Hertzog wrote: > > Hi, > > > > On Fri, 02 Jun 2017, Guido Günther wrote: > > > > I updated the git repository of debian-security-support. Shall we > > > > release > > > > an up

Re: update of debian-security-support [was Re: Marking autotrace as unsupported ?]

2017-06-02 Thread Moritz Muehlenhoff
On Fri, Jun 02, 2017 at 12:53:58PM +0200, Guido Günther wrote: > On Fri, Jun 02, 2017 at 12:27:47PM +0200, Moritz Muehlenhoff wrote: > > On Fri, Jun 02, 2017 at 12:21:01PM +0200, Guido Günther wrote: > > > Hi, > > > On Fri, Jun 02, 2017 at 11:32:07AM +0200, Raphae

for LTS

2017-09-30 Thread Moritz Muehlenhoff
Hi, when we're marking issues as for the suites supported by the security team and if that issue is also marked in wheezy (or whatever is LTS at the time), ok to also mark the LTS suite as or do you want to deal with that by yourself? Specific example of such a change: r56270 Cheers,
