On Fri, May 31, 2024 at 10:41:44AM -0400, Roberto C. Sánchez wrote:
> On Fri, May 31, 2024 at 03:05:35PM +0100, Sean Whitton wrote:
>
> > I also note: the commit message for the fix for CVE-2024-32465 says that
> > it renders the fix for CVE-2024-32004 "somewhat redundant
> the sort of usability regression linked above.
>
> Could someone review this assessment, please?
>
I haven't assessed this, but I will and then I will reply to this thread
again with my assessment.
Regards,
-Roberto
--
Roberto C. Sánchez
://meetbot.debian.net/debian-lts/2024/debian-lts.2024-05-23-14.00.log.html
Regards,
-Roberto
--
Roberto C. Sánchez
Hello everyone.
Here are the notes from today's LTS meeting, with many thanks to Sylvain
for agreeing to act as the note taker.
Present:
- Roberto C. Sánchez
- Santiago Ruano
- Stefano Rivera
- Raphael Hertzog
- Sean Whitton
- Thorsten Alteholz
- Utkarsh Gupta
- Jochen Sprickerhof
- Sylvain
On Mon, Apr 15, 2024 at 11:32:14PM +0200, Ola Lundqvist wrote:
> Hi Roberto
>
> Got it. I will assess. I guess also the popularity of the package
> counts in this case.
>
Yes, the popularity of a package is a factor in the process of making an
EOL decision.
Regards,
-Roberto
being used, and then assess how those
intended and actual use cases would be affected by an EOL decision.
Regards,
-Roberto
--
Roberto C. Sánchez
e that there is a new 9.11.x release that addresses the
vulnerabilities, then that is potentially a path we could take. If there
is not a 9.11.x version that we could migrate to, then we will need to
carefully backport the patches and ensure that everything is rigorously
tested.
Regards,
-Roberto
--
Roberto C. Sánchez
a good reason to continue this discussion.
Let me have an opportunity to think about how the FD and triage
guidelines should be articulated and then if there are still questions
after that we can revisit the topic.
Regards,
-Roberto
--
Roberto C. Sánchez
en:
- what I suggested above (copy secteam decisions and move on to the next
package)
- dive in and start developing fixes to the individual CVEs
Either way, expending the tremendous effort that we have expended on the
specific triage decisions strikes me as a poor use of time.
Regards,
-Roberto
--
Roberto C. Sánchez
it in any case because we do not
> have enough information to tell what the problem was in the first
> place.
>
> While I'm at it I'm removing postponed tag for a few CVEs now, because
> they are postponed until patches are available and now patches are
> available in fedora.
>
Regards,
-Roberto
--
Roberto C. Sánchez
| egrep "CVE[-]${c}" | sort -u | wc -l ; done
2023: 643
2022: 962
2021: 900
2020: 1098
2019: 983
Regards,
-Roberto
--
Roberto C. Sánchez
of course desirable,
> even when upstream is dead.
>
Ah, thanks for the clarification.
Regards,
-Roberto
--
Roberto C. Sánchez
; For me it was an "I don't want to do that right now" and I didn't work
> on the package at that point, but I don't see a technical reason against
> someone fixing the CVEs.
>
So, whoever is working on freeimage (Ola?) should take into account that
this is part of what needs to be done.
Regards,
-Roberto
--
Roberto C. Sánchez
need to
be doing.
Do you think that this would be sufficient? Or did I miss something that
would make the use of high/medium/low priorities potentially beneficial?
This proposal came out of the discussion from when I first started this
thread nearly a month ago. That is to say, it was after a substantial
discussion had already developed. I am inclined to prefer a simpler
approach and the fewer triage states that we have to manage, the better.
Regards,
-Roberto
--
Roberto C. Sánchez
not certain where we would
keep track of these packages which need work but perhaps not directly
for a DLA.
Regards,
-Roberto
--
Roberto C. Sánchez
Regards,
-Roberto
--
Roberto C. Sánchez
On Mon, Mar 18, 2024 at 01:01:28PM +0100, Emilio Pozuelo Monfort wrote:
> On 14/03/2024 21:36, Roberto C. Sánchez wrote:
> > - if a CVE is 'fixed' in LTS but 'ignored' in (old)stable, then the
> >security team should be contacted to see if they would be willing to
> >
On Fri, Mar 15, 2024 at 11:06:10AM +0100, Raphael Hertzog wrote:
> Hello Roberto,
>
> On Thu, 14 Mar 2024, Roberto C. Sánchez wrote:
> > Santiago and I are in agreement that at the moment the best available
> > option is to use dla-needed.txt even for tracking work that need
should be confirming that package removals from dla-needed.txt are
valid (i.e., that the package does not require any work towards an
upload to (old)stable)
Your help with this is very much appreciated.
Regards,
-Roberto
--
Roberto C. Sánchez
[2] https://lists.debian.org/debian-lts/2023/12/msg00035.html
Regards,
-Roberto
--
Roberto C. Sánchez
n issue in the lts-team/lts-updates-tasks project on Salsa,
using the "Proposed EOL of package" issue template.
Regards,
-Roberto
--
Roberto C. Sánchez
r, that
is not the case here.
That said, if someone were inclined to work on the no-dsa CVEs (assuming
that there are not other higher priority tasks), then that is fine as
well.
Regards,
-Roberto
--
Roberto C. Sánchez
Hello everyone. Here are the notes from the LTS meeting held today via
Jitsi:
Present:
- Roberto C. Sánchez
- Santiago Ruano
- Raphael Hertzog
- Stefano Rivera
- Sylvain Beucler
- Bastien Roucaries
- Santiago
- Helmut
- Thorsten
- Chris Lamb
- Guilhem
- Utkarsh
Apologies:
- Tobias Frost
- Holger
On Wed, Jan 24, 2024 at 03:19:27PM -0500, Roberto C. Sánchez wrote:
> On Tue, Jan 23, 2024 at 02:30:27PM -0800, Bruce Byfield wrote:
> >
> > I will need answers by Monday, January 29. Please cc to bbyfi...@axion.net.
> > If
> > you want a hardcopy of the issue the co
s, then go ahead and
uninstall them and you should stop getting the annoying message about
packages being held back.
Regards,
-Roberto
--
Roberto C. Sánchez
o, I am not
sure why you need 66 different languages, but that should not interfere
with apt.
What is the output of 'apt-cache policy firefox-esr-l10n-zh-tw'?
Regards,
-Roberto
--
Roberto C. Sánchez
n't provide the output of 'apt-get -s upgrade' it isn't
clear what influence (if any) the presence of that source is having on
the situation.
Please provide the full output so that we can help you determine what is
going on.
Regards,
-Roberto
--
Roberto C. Sánchez
mmand?
apt-cache policy firefox-esr
Also, what is the full output of the failing installation command that
you attempted?
Regards,
-Roberto
--
Roberto C. Sánchez
in the
> rest
> of the world.
>
I am working on getting the responses put together.
Regards,
-Roberto
--
Roberto C. Sánchez
as the coordinator for the LTS team and I would be the primary POC
for this sort of inquiry. That said, I would prefer if you could post
your questions to this list, unless for some reason you are not able to
post your questions to a public list.
Regards,
-Roberto
--
Roberto C. Sánchez
Do you think this can be achieved, and how?
>
Has there been any progress or discussion regarding this? The LTS team
will be responsible for bullseye starting in August and it would be
beneficial if there could be a resolution to this.
Is there anything that we could do from our side to help move things
along?
Regards,
-Roberto
--
Roberto C. Sánchez
or do wait for a formal
announcement to let us know that these should no longer be generated
when a DLA is released?
Regards,
-Roberto
--
Roberto C. Sánchez
earlier to December 19th (similar to what we are doing with the
December 2023 meeting).
[0] https://lts-team.pages.debian.net/wiki/Meetings.html
--
Roberto C. Sánchez
On Fri, Dec 01, 2023 at 02:05:42AM +0100, Guilhem Moulin wrote:
> On Thu, 30 Nov 2023 at 19:47:42 -0500, Roberto C. Sánchez wrote:
> > Yes, I would recommend two things.
>
> Done, thanks Roberto!
>
You're welcome!
--
Roberto C. Sánchez
://meetbot.debian.net/debian-lts/2023/debian-lts.2023-11-30-13.57.txt
Log:
http://meetbot.debian.net/debian-lts/2023/debian-lts.2023-11-30-13.57.log.html
Regards,
-Roberto
--
Roberto C. Sánchez
678-1. A new announcement has been sent under the
correct reference ID.
======
Regards,
-Roberto
--
Roberto C. Sánchez
that
added code is where the SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER value is
set, all of that makes me think that my theory is a likely explanation
for your unexpected test failure.
Regards,
-Roberto
[0]
https://hg.mozilla.org/projects/nss/rev/57bbefa793232586d27cee83e74411171e128361
--
Roberto C. Sánchez
dates can pass unstable within a day.
>
Uploads to unstable require maintainer coordination. That alone has the
potential to introduce a delay (e.g., in the case of an unresponsive
maintainer).
Perhaps "potential delays" would have been a better phrasing than
"substantial delays".
Regards,
-Roberto
--
Roberto C. Sánchez
ur agenda items here: https://pad.riseup.net/p/lts-meeting-agenda
Regards,
-Roberto
--
Roberto C. Sánchez
On Tue, Oct 10, 2023 at 09:53:58AM +, Bastien Roucariès wrote:
> Le vendredi 6 octobre 2023, 19:31:43 UTC Roberto C. Sánchez a écrit :
> >
> > The older pjsip located in that project lacks ssl_sock_imp_common.c but
> > has the other two files. Most of the remainder
while to
find out from Thorsten (who prepared the most recent update) why that
decision was made.
Regards,
-Roberto
[0]
https://github.com/savoirfairelinux/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd
--
Roberto C. Sánchez ◈ Freexian SARL
https://www.freexian.com
diff -ur ri
On Fri, Sep 01, 2023 at 08:59:50PM +0200, Sylvain Beucler wrote:
> Hi,
>
> On 30/08/2023 02:13, Roberto C. Sánchez wrote:
> > On Sun, Aug 20, 2023 at 06:53:54PM -0300, Santiago Ruano Rincón wrote:
> > > Dear all
> > >
> > > I've prepared a glib2.0 upd
egards,
-Roberto
--
Roberto C. Sánchez
On Fri, Aug 25, 2023 at 11:02:35PM -0400, Chris Frey wrote:
> On Fri, Aug 25, 2023 at 07:02:07AM -0400, Roberto C. Sánchez wrote:
> > To claim that "because this bug affects me, it *must* be
> > fixed, even when it does not meet the criteria for a normal security bug
> &g
at it is normal "security" uploads only (which, as already
stated, can occasionally include some non-security bug fixes but
generally not).
Regards,
-Roberto
--
Roberto C. Sánchez
or the rather robust process that we try to utilize
to ensure that we properly balance the needs of everyone involved.
Regards,
-Roberto
--
Roberto C. Sánchez
rior to the transition
to LTS. Once that happens there will be no further point releases, only
security updates.
You should not expect that this bug will be fixed in bullseye.
Regards,
-Roberto
--
Roberto C. Sánchez
which might not be appropriate for a public mailing list can be directed
to the coordinator email address.
Regards,
-Roberto
--
Roberto C. Sánchez
-
Debian LTS Advisory DLA-3539-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                    Roberto C. Sánchez
August 22, 2023                               https://wiki.debian.org/LTS
of these tickets and/or if
you have comments/ideas/thoughts related to the experiment or the
overall concept, please feel free to bring them up.
Regards,
-Roberto
--
Roberto C. Sánchez
a normal update for us (since the unstable packaging work wouldn't
have been done on it, as the maintainer already moved to the next
version), but is still much quicker than waiting on the toolchain
stuff
Regards,
-Roberto
--
Roberto C. Sánchez
-
Debian LTS Advisory DLA-3479-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                    Roberto C. Sánchez
July 05, 2023                                 https://wiki.debian.org/LTS
traightforward
backport), and then we would have to decide at that point whether to
try to apply the strategy using 10.5 as a source branch, or to migrate
to a newer version altogether.
Regards,
-Roberto
--
Roberto C. Sánchez
k" or "no, that doesn't seem feasible and the latest upstream
release might be the only viable route") and then perhaps offer to
assist with the work.
Regards,
-Roberto
--
Roberto C. Sánchez
--
Roberto C. Sánchez
ct configuration what will be now rejected.
>
> I am asking the opinion of apache maintainer/security team before releasing.
>
> Thanks for the reminder
>
> Bastien
>
Hi Philipp,
To clarify, Bastien is working on a fix for CVE-2023-25690 for *both*
buster and stretch.
Regards,
-Roberto
--
Roberto C. Sánchez
-
Debian LTS Advisory DLA-3316-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                    Roberto C. Sánchez
February 10, 2023                             https://wiki.debian.org/LTS
f the paperwork just now.
Regards,
-Roberto
--
Roberto C. Sánchez
-
Debian LTS Advisory DLA-3288-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                    Roberto C. Sánchez
January 28, 2023                              https://wiki.debian.org/LTS
particular
individual or team and the continuity that comes with that.
Attached to this email is a preliminary write up of the proposed role.
If you have questions or feedback, please bring them to the IRC meeting
or share them via a reply to this mail.
Regards,
-Roberto
--
Roberto C. Sánchez
Th
ds,
-Roberto
[0] https://lists.debian.org/debian-lts/2022/05/msg00043.html
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
On Mon, Jul 04, 2022 at 02:23:37PM +0200, Andreas Rönnquist wrote:
> On Sun, 3 Jul 2022 17:59:53 -0400
> Roberto C. Sánchez wrote:
>
> >On Sat, Jul 02, 2022 at 01:30:26AM +0200, Andreas Rönnquist wrote:
> >> Hello -
> >>
> >> I have updated the image
t; 0)
{
...
if (svg_info->parser == (xmlParserCtxtPtr) NULL)
{
...
}
}
I suspect that may have something to do with the test failures you are
observing. It may be necessary to correct the patch and upload again.
Regards,
-Roberto
--
Roberto C. Sánchez
d to drop. The LTS triage script retrieves
the current list from debian-security-support package, so it should
point out which packages are EOL or have limited security support. All
other packages are supported as usual.
Regards,
-Roberto
--
Roberto C. Sánchez
(example [0]). If
there are no objections, I will go ahead and do this in two or three
days.
If anyone has any comments or feedback, those would be welcome.
Regards,
-Roberto
[0] https://lists.debian.org/debian-lts-announce/2020/02/msg00011.html
--
Roberto C. Sánchez
/debian-lts/2022/04/msg8.html
[1]
https://salsa.debian.org/debian/debian-security-support/-/commit/0a6147d6b88d7c19ee7c072a344bbb63a7b1f32c
--
Roberto C. Sánchez
Thanks to those who responded. I will go ahead and start working with
the security team on declaring gpac EOL.
Regards,
-Roberto
On Thu, Apr 14, 2022 at 11:11:52AM -0400, Roberto C. Sánchez wrote:
> Hello everyone,
>
> I've been working on gpac vulnerabilities. The situation ha
[0] https://tracker.debian.org/pkg/gpac
--
Roberto C. Sánchez
-
Debian LTS Advisory DLA-2814-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                    Roberto C. Sánchez
November 09, 2021                             https://wiki.debian.org/LTS
. I imagine that upstream support for security
vulnerabilities associated with the old approach will either be
significantly reduced or just not even there. It seems sensible to make
the change now, rather than later after enduring lots more pain trying
to hang on to the current approach.
Regards,
-Roberto
--
Roberto C. Sánchez
On Mon, Aug 30, 2021 at 10:57:59AM +0200, Sylvain Beucler wrote:
> Hi Roberto,
>
> Thanks for your thorough review :)
> I answer a couple comments below:
>
> On 29/08/2021 05:08, Roberto C. Sánchez wrote:
> > On Sat, Aug 28, 2021 at 08:30:56PM +0200, Sylvain Beucler wro
it is implemented that this
would be another tool that requires updating to deal with the new
architecture. I wonder if it makes sense to proceed with implementing a
"list of filenames" that the script operates upon for each parameter
(e.g., CVE, DSA, DLA, etc.) in order to be ready for the coming change.
Regards,
-Roberto
--
Roberto C. Sánchez
-
Debian LTS Advisory DLA-2737-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                    Roberto C. Sánchez
August 09, 2021                               https://wiki.debian.org/LTS
On Mon, Aug 09, 2021 at 10:52:00AM +, Holger Levsen wrote:
> Hi Roberto,
>
> On Mon, Aug 09, 2021 at 06:38:15AM -0400, Roberto C. Sánchez wrote:
> > It was completely my fault. [...]
>
> Mistakes happen, thank you for owning yours!
>
> > The update to dla-nee
On Mon, Aug 09, 2021 at 10:32:54AM +, Holger Levsen wrote:
> On Mon, Aug 09, 2021 at 06:20:43AM -0400, Roberto C. Sánchez wrote:
> > On Mon, Aug 09, 2021 at 08:43:34AM +, Holger Levsen wrote:
> > > today three packages were unclaimed for LTS:
> &g
sponsored the upload, and the packages were literally in
the process of uploading when I saw this message. I will publish the
advisories in a few hours, after all the binary packages are built.
Regards,
-Roberto
--
Roberto C. Sánchez
-
Debian LTS Advisory DLA-2726-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                    Roberto C. Sánchez
August 02, 2021                               https://wiki.debian.org/LTS
-
Debian LTS Advisory DLA-2608-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                    Roberto C. Sánchez
March 25, 2021                                https://wiki.debian.org/LTS
On Mon, Feb 01, 2021 at 11:32:13AM +, Holger Levsen wrote:
>
> One DLA has been reserved but not yet been published:
> - DLA 2537-1 (31 Jan 2021) (ffmpeg)
>
It looks like this was just merged/published.
> Have a great week!
>
You too!
Regards,
-Roberto
--
Roberto C. Sánchez
-
Debian LTS Advisory DLA-2537-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                    Roberto C. Sánchez
January 31, 2021                              https://wiki.debian.org/LTS
-
Debian LTS Advisory DLA-2504-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                    Roberto C. Sánchez
December 22, 2020                             https://wiki.debian.org/LTS
-
Debian LTS Advisory DLA-2500-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                    Roberto C. Sánchez
December 18, 2020                             https://wiki.debian.org/LTS
On Fri, Dec 18, 2020 at 10:27:11AM +0100, Emilio Pozuelo Monfort wrote:
> On 18/12/2020 00:05, Roberto C. Sánchez wrote:
> > Uggh. If only I had waited a few more hours to upload. I have the
> > advisory text ready but have not yet published the DLA. Your changes
> >
-
Debian LTS Advisory DLA-2467-2                debian-...@lists.debian.org
https://www.debian.org/lts/security/                    Roberto C. Sánchez
December 18, 2020                             https://wiki.debian.org/LTS
ons.
>
Hi Tim,
This sort of fell off my radar. Is it still possible that you might be
able to review the condor updates?
Regards,
-Roberto
--
Roberto C. Sánchez
Would you like to take a look at
> this and finish it (probably backporting the test changes from [2]) or
> should I?
>
Uggh. If only I had waited a few more hours to upload. I have the
advisory text ready but have not yet published the DLA. Your changes
for deb9u3 look good. Would you go ahead and upload deb9u3 and I will
publish the advisory once it is built.
Regards,
-Roberto
--
Roberto C. Sánchez
Thanks Ola and Emilio both for the helpful pointers.
Regards,
-Roberto
On Tue, Dec 15, 2020 at 12:30:17PM +0100, Emilio Pozuelo Monfort wrote:
> On 15/12/2020 02:16, Roberto C. Sánchez wrote:
> > I am curious if there is a policy or best practice for how to handle a
> >
vulnerability fix as a subsequent update?
Regards,
-Roberto
--
Roberto C. Sánchez
On Thu, Dec 10, 2020 at 08:53:58AM -0500, Roberto C. Sánchez wrote:
> On Tue, Dec 08, 2020 at 10:04:13AM -0500, Roberto C. Sánchez wrote:
> > Hi Moritz & Chris,
> >
> > On Tue, Dec 08, 2020 at 02:37:14PM +, Chris Lamb wrote:
> > > Hi Moritz,
> &g
-
Debian LTS Advisory DLA-2340-2                debian-...@lists.debian.org
https://www.debian.org/lts/security/                    Roberto C. Sánchez
December 10, 2020                             https://wiki.debian.org/LTS
On Tue, Dec 08, 2020 at 10:04:13AM -0500, Roberto C. Sánchez wrote:
> Hi Moritz & Chris,
>
> On Tue, Dec 08, 2020 at 02:37:14PM +, Chris Lamb wrote:
> > Hi Moritz,
> >
> > > CVE-2019-20218 isn't fixed in Stretch/LTS. Running the reproducer:
> >
>
>
> Roberto, can you follow-up on this?
>
I have claimed the package in dla-needed.txt. I will get this
straightened out (including properly confirming that the vulnerability
is fixed) in the coming days.
Regards,
-Roberto
--
Roberto C. Sánchez
-
Debian LTS Advisory DLA-2476-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                    Roberto C. Sánchez
December 01, 2020                             https://wiki.debian.org/LTS
-
Debian LTS Advisory DLA-2475-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                    Roberto C. Sánchez
December 01, 2020                             https://wiki.debian.org/LTS
y available in stretch (LTS) and jessie (ELTS).
Regards,
-Roberto
--
Roberto C. Sánchez
bian sources are really using it in a way that
warrants the amount of effort that is likely to be required to continue
support.
To be clear, my vote would be to drop support.
Regards,
-Roberto
--
Roberto C. Sánchez
-
Debian LTS Advisory DLA-2463-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                    Roberto C. Sánchez
November 22, 2020                             https://wiki.debian.org/LTS
-
Debian LTS Advisory DLA-2379-3                debian-...@lists.debian.org
https://www.debian.org/lts/security/                    Roberto C. Sánchez
November 21, 2020                             https://wiki.debian.org/LTS
-
Debian LTS Advisory DLA-2456-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                    Roberto C. Sánchez
November 18, 2020                             https://wiki.debian.org/LTS
-
Debian LTS Advisory DLA-2448-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                    Roberto C. Sánchez
November 11, 2020                             https://wiki.debian.org/LTS