On Thu, 2023-07-20 at 14:13 +0100, Ronny Adsetts wrote:
> I think upgrading our Samba servers to Bullseye and then Samba from
> backports (or Michael's repo) is the approach I'll take.
Is upgrading to Debian bookworm after that not possible for you?
--
bye,
pabs
https://wiki.debian.org/PaulWis
On Wed, 2023-02-22 at 12:13 +0100, Ola Lundqvist wrote:
> Unfortunately not the correct mailing list.
> This is the mailing list for security updates of buster.
The request for applying Linux kernel security fixes without reboot
is even more useful for Debian oldstable/stable, which do not receive
On Mon, 2022-10-24 at 09:54 +0200, Anton Gladky wrote:
> thanks for the information. AFAIK skipping releases is not supported.
> You have to go through all releases step-by-step.
That's correct, although some folks want Debian to not
drop things that help skip upgrades wherever possible.
https://
On Fri, 2022-09-09 at 22:41 +0200, Ola Lundqvist wrote:
> I see that I was not clear what I meant with "in general" :-)
Whoops, sorry for the noise :)
> Here I found how the generic source code looks like:
> https://rubydoc.info/gems/thin/1.3.1/Thin%2FBackends%2FUnixServer:connect
>
> You can se
On Mon, 2022-09-05 at 21:38 +0200, Ola Lundqvist wrote:
> I agree that it is good to fix the pcs package, but shouldn't we fix
> the default umask in general?
> I would argue that the default umask is insecure.
bookworm login sets new user home directories to secure permissions:
$ grep -E 'HO
On Fri, Feb 26, 2021 at 3:35 PM Markus Koschany wrote:
> How can we keep the [embedded copies] list up-to-date?
Considering that the copies can be added, removed or made irrelevant
in each upload of each package, I think this would be a very hard
problem.
The simplest solution would be to change
On Thu, Feb 25, 2021 at 10:41 PM Ola Lundqvist wrote:
> Finding embedded code copies is harder.
There are some useful strategies for that listed on the wiki:
https://wiki.debian.org/EmbeddedCopies
Probably `apt-file search -I dsc` and the various code searching
services (sources.d.o hashes/ctag
On Fri, 2021-02-12 at 14:40 +0100, Ola Lundqvist wrote:
> The discussion is more or less whether packages should be allowed in
> Debian in the first place. This should be discussed on some general
> mailing list, like debian-devel or debian-project. LTS cannot put
> restrictions on what should ente
On Fri, Feb 12, 2021 at 11:21 AM Sylvain Beucler wrote:
> Pushing your point, we'd need to consider all software insecure by
> default, perform regular code audits on the full Debian archive, which
> would be very costly, and blocking packages from reaching testing, which
> would introduce another
On Mon, Nov 9, 2020 at 10:33 PM Brian May wrote:
> What is this "Built-Using" header?
It documents which source package versions need to be shipped to
ensure license compliance.
https://www.debian.org/doc/debian-policy/ch-relationships.html#additional-source-packages-used-to-build-the-binary-bui
On Tue, Apr 16, 2019 at 10:20 AM PICCORO McKAY Lenz wrote:
> was removed or not? are still ELTS?
The timeline says that eLTS support ended on 31st May 2019.
https://wiki.debian.org/LTS/Extended
On Sat, Dec 1, 2018 at 6:35 AM Thorsten Alteholz wrote:
> Package: nsis
> Version: 2.46-10+deb8u1
> CVE ID : CVE-2015-9267 CVE-2015-9268
>
> Among others, Andre Heinicke from gpg4win.org found several issues of
> nsis, a tool for creating quick and user friendly installers
On Wed, Oct 24, 2018 at 4:15 AM Sean Whitton wrote:
>
> On Tue 23 Oct 2018 at 05:06PM +0200, Markus Koschany wrote:
> >
> > In short: Make it very clear if you want to provide long-term support
> > for your project. Talk to the LTS team in case you need help. Nobody is
> > forced to do anything.
>
On Thu, 2018-08-09 at 16:57 +1000, Brian May wrote:
> I could still ping the host, so probably not a routing problem.
Next time try connecting to port 80/443 on the IP address without
sending any data. That would eliminate an HTTP-layer issue.
> Looks like I can connect today however, so maybe tr
On Wed, Aug 8, 2018 at 3:35 PM, Brian May wrote:
> Sidenote: Curiously I cannot connect to
> https://security-tracker.debian.org/ today from this machine on this
> network... Connections always time out. Probably something weird with my
> network, however other webpages appear to be fine. If I ssh
On Wed, Mar 14, 2018 at 4:42 PM, Mathieu Parent wrote:
> See the attached patch for CVE-2018-1050 on samba 3.6. CVE-2018-10507
> is on the AD DC code which is not part of samba 3.6.
A beta of samba 4 is also in wheezy:
https://packages.debian.org/source/wheezy/samba4
On Fri, Mar 9, 2018 at 12:05 AM, Guido Günther wrote:
> We will have to do the work anyway once oldstable becomes LTS, same
> holds for stable.
Indeed. IIRC the security team has the same approach for unstable.
On Thu, 2018-01-25 at 11:05 -0500, Antoine Beaupré wrote:
> I'm not sure what to say to nodesecurity.io folks
I've already contacted them multiple times in 2014 and once in 2016,
about incorporating CVEs into their workflow. The responses were
positive but didn't result in much change, except whe
On Thu, Jan 25, 2018 at 1:12 AM, Antoine Beaupré wrote:
> Okay, so this is a broader, recurring problem we have with the security
> tracker right now... From my perspective, I've always and only used CVEs
> as unique identifiers for vulnerabilities in my work in the security
> tracker. When that w
On Fri, Jan 19, 2018 at 11:52 PM, Antoine Beaupré wrote:
> I have found that Snyk had issues in its database that weren't in Mitre:
>
> https://snyk.io/vuln/npm:jquery
I note that nodesecurity also has some CVE-less issues:
https://nodesecurity.io/advisories?search=jquery
> Finally, I wanted to
On Mon, Nov 27, 2017 at 7:43 PM, Adam Weremczuk wrote:
> deb http://httpredir.debian.org/debian/ wheezy main contrib non-free
> deb-src http://httpredir.debian.org/debian/ wheezy main contrib non-free
You can also replace httpredir.d.o with deb.d.o, httpredir.d.o is dead
and now redirects to deb.
On Fri, Jul 7, 2017 at 2:01 AM, Antoine Beaupré wrote:
> For what it's worth, my opinion is that we should attempt to synchronize
> certdata.txt (and blacklist.txt, for that matter) across all suites (but
> not other changes to the packaging). This would remove another decision
> point in our infr
On Tue, Jul 4, 2017 at 10:02 PM, Matus UHLAR wrote:
> I just found out that the unattended-upgrades package in wheezy does not
> upgrade packages although configured to do it.
I note that this same situation will apply to jessie when it becomes
oldoldstable.
I haven't tested the default stretch
On Mon, Jun 12, 2017 at 3:37 AM, Salvatore Bonaccorso wrote:
> I'm attaching the *preliminary* set of changes which I plan to
> activate once stretch is released.
Wow, there really is a horribly large amount of hard-coding of things
that should be fetched from the archive instead. I've added a
re
On Wed, May 24, 2017 at 6:24 PM, Paul Wise wrote:
> In Python/Perl YAML libraries there are ways to safely load YAML
> files, does Ruby not have the same possibilities?
After a bit of searching, I wonder if copying the ruby-safe-yaml
package from wheezy-backports to wheezy and then pa
On Wed, May 24, 2017 at 5:51 PM, Apollon Oikonomopoulos wrote:
> So, from my understanding the version in Wheezy cannot be fixed: the 2.7
> agents only use YAML to send out facts and upstream's fix is to simply
> not accept anything other than PSON. Whitelisting YAML defeats the
> purpose, as it's
On Wed, Mar 29, 2017 at 12:28 PM, Salvatore Bonaccorso wrote:
> See as well https://bugs.debian.org/761945 (and respective clones for
> debian-).
Committed a patch for this, carnil deployed it.
One downside to this is that committing DLAs to the Debian website
hasn't happened since 2016 DLA-
On Tue, Mar 28, 2017 at 8:12 AM, Michael Shuler wrote:
> I need to fix up the jessie PU I have filed (and update to 2.11), and
> I'll do a wheezy PU at the same time. Thanks!
Debian wheezy is no longer managed by the release team, so you will
need to do an LTS upload instead:
https://wiki.debian
Hi all,
I note that there have been some CA removals and additions that would
be nice to have in wheezy, in particular the ISRG Root for LE, thoughts?
On Tue, Feb 21, 2017 at 4:27 AM, Antoine Beaupré wrote:
> security@lists.d.o is not a list, as far as i know. there's
> debian-security@lists.d.o, but I never posted there... or did you mean
> t...@security.debian.org?
secur...@lists.debian.org goes to root (DSA) and listmaster AFAICT.
On Thu, Oct 20, 2016 at 9:59 PM, Santiago Vila wrote:
> Should this not start in unstable with a bug report?
This is what the stable security team usually do, because they know
that if they don't they will eventually have to do the work
themselves. They also do NMUs in unstable in some cases.
On Wed, May 4, 2016 at 12:23 AM, Tom Turelinckx wrote:
> Jessie is not available for sparc.
If you are actually using sparc I would recommend you look at
migrating to and assisting the sparc64 porting efforts. Or reviving
sparc if you need 32-bit SPARC. Or switch to another architecture.
https:/
On Mon, Mar 28, 2016 at 10:34 PM, Andrew Deck wrote:
> On a related note, does anyone know what happened to OSF and the OSVDB?
> There still seem to be blog updates, but I remember OSVDB having a web
> UI, and the OSF website seems to be down.
They have officially closed the OSVDB site:
https://
On Fri, Mar 25, 2016 at 7:26 AM, Holger Levsen wrote:
> I'm really not sure that teaching people to ignore apt warnings is the
> best way to tell them that they need to upgrade. IMO this is mixing two
> topics, in a bad way.
>
> At least I would have appreciated if the signing key would have been
On Tue, Mar 22, 2016 at 10:06 PM, Antoine Beaupré wrote:
> Well, the friction is one thing, but we need to adopt *one* system for
> the future, if CVEs are going the wayside (or even as a complementary
> approach).
I agree with this post from oss-security:
https://marc.info/?l=oss-security&m=145
On Sat, Mar 12, 2016 at 10:51 PM, Kurt Roeckx wrote:
> On Sun, Mar 06, 2016 at 03:33:16PM +1100, Brian May wrote:
>> For example, if there are no CVEs are we able to use OVEs instead?
>
> What about DWF?
That didn't exist at the time of Brian's post.
I think OVE/OVI still have less friction than
On Fri, Mar 11, 2016 at 3:49 AM, Moritz Mühlenhoff wrote:
> On Sun, Mar 06, 2016 at 06:58:48PM +0100, Salvatore Bonaccorso wrote:
>
>> But I think as well that is right now to early to
>> start adopting these for not yet assigned issues.
>
> Agreed, let's stick with the usual "file a bug to get a t
On Sun, Mar 6, 2016 at 12:33 PM, Brian May wrote:
> Just wondering if there is some other way we can track security issues
> for when CVEs are not available.
...
> For example, if there are no CVEs are we able to use OVEs instead?
>
> http://www.openwall.com/ove
This sounds like a good idea to me
On Tue, Jun 10, 2014 at 5:51 AM, Brandon Vincent wrote:
> Squeeze-LTS is maintained by volunteers rather than the Debian
> security team. If a package is released, a notification should be
> posted to the debian-lts-announce mailing list.
I guess you mean s/rather/other/ there?
People are going