Hi Santiago,
On Thu, Aug 08, 2024 at 03:07:51PM -0300, Santiago Ruano Rincón wrote:
> Hi all,
>
> As suggested by Moritz, given the status of iotjs, I think it is not
> possible to support it during the bullseye LTS period. iotjs was removed
> from unstable (and bookworm when it was testing) nea
Hi,
On Tue, Jul 23, 2024 at 09:54:14AM +0900, Hideki Yamane wrote:
> Hello,
>
> > LTS
> >
> > - git
> >
> > - Released DLA-3844-1 fixing CVE-2023-25652, CVE-2023-25815,
> > CVE-2023-29007, CVE-2024-32002, CVE-2024-32004, CVE-2024-32021 and
> > CVE-2024-32465, and including a follow-up
Hi,
On Fri, Apr 26, 2024 at 08:32:21PM +0200, Cyrille Bollu wrote:
>
>
> On Friday, 26 April 2024 at 12:50 -0300, Santiago Ruano Rincón
> wrote:
> > Hi Cyrille!
> >
> > On 25/04/24 at 15:00, Cyrille Bollu wrote:
> > > Hi Santiago,
> > >
> > > Here's some follow up :-)
> > >
> > > Bes
Hi Daniel,
On Mon, Feb 19, 2024 at 11:00:14AM +0100, Daniel Leidert wrote:
> On Monday, 19.02.2024 at 07:11 +0100, Salvatore Bonaccorso wrote:
>
> [..]
>
> > > Debian LTS Advisory DLA-3735-1
>
> [..]
>
> > The DLA reservation for this u
Hi,
On Mon, Feb 19, 2024 at 03:28:00AM +0100, Daniel Leidert wrote:
> - -------------------------------------------------------------------------
> Debian LTS Advisory DLA-3735-1                debian-lts@lists.debian.org
> https://www.debian.org/lts/security/                       Daniel Leidert
>
Hi Thomas,
On Fri, Jan 05, 2024 at 12:06:58AM +0100, Thomas Lange wrote:
> Hi all,
>
> we now redirect all DSA/DLA URLs under security and lts/security with
> or without having the year in the path and with or without a version
> to their announcement mail:
> Examples:
> /security/dsa-5576
> /sec
Hi Carsten,
On Thu, Jan 04, 2024 at 07:30:27AM +0100, Carsten Schoenert wrote:
> Hello Salvatore, hello Emilio,
>
> > On 03.01.24 at 19:11, Salvatore Bonaccorso wrote:
> > Hi Emilio, hi Carsten,
> >
> > I noticed that the builds for amd64 and armhf for
> > thu
Hi Emilio, hi Carsten,
I noticed that the builds for amd64 and armhf for
thunderbird/1:115.6.0-1~deb10u1 from DLA 3698-1 did fail to build:
https://buildd.debian.org/status/fetch.php?pkg=thunderbird&arch=amd64&ver=1%3A115.6.0-1%7Edeb10u1&stamp=1704285041&raw=0
https://buildd.debian.org/status/fet
Hi,
On Wed, Dec 27, 2023 at 09:53:47PM +0100, Salvatore Bonaccorso wrote:
> Hi Jim,
>
> On Wed, Dec 27, 2023 at 03:33:43PM -0500, Jim Rosenberg wrote:
> > Attempting to upgrade firefox-esr, it does not work.
> >
> > Upgrading from: 115.5.0esr
> >
> > ap
Hi Jim,
On Wed, Dec 27, 2023 at 03:33:43PM -0500, Jim Rosenberg wrote:
> Attempting to upgrade firefox-esr, it does not work.
>
> Upgrading from: 115.5.0esr
>
> apt-list --upgradable reports 66 packages upgradable, e.g.
>
> firefox-esr-l10n-en-gb/oldoldstable,oldoldstable 115.6.0esr-1~deb10u1 a
Hi Thomas,
On Mon, Dec 25, 2023 at 09:14:51PM +0100, Thomas Lange wrote:
> Hi all,
>
> as announced on Dec 7th, I have now removed the old index.wml files
> and renamed new.wml to index.wml in the webwml repository under
> security/ and lts/security/.
>
>
Hi Sylvain,
On Wed, Dec 13, 2023 at 07:50:38AM +0100, Sylvain Beucler wrote:
> Hi all,
>
> Actually we have a summary of the situation here:
> https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/51
>
> We have mostly 2 options:
>
> 1/ General fix, involving a dak hook and some corner cas
Hi Bastien,
I noticed that on the 19th there was an upload for node-json5 fixing
CVE-2022-46175 according to
https://lists.debian.org/debian-lts-changes/2023/11/msg00017.html but
I do not see a DLA. Did that fall through the cracks?
Regards,
Salvatore
Hi Klaus,
On Mon, Nov 13, 2023 at 10:35:04AM +0100, Klaus Zerwes wrote:
> Hello.
> I know, buster is oldold ... But are there any plans to get a patched
> release of libclamunrar9?
> https://blog.clamav.net/2023/08/clamav-120-feature-version-and-111-102.html
> Currently buster has only 0.102.3-0+d
hi Sean, hi Sylvain,
On Sat, Jul 08, 2023 at 05:35:36PM +0200, Sylvain Beucler wrote:
> Hi,
>
> On 08/07/2023 10:04, Sean Whitton wrote:
> > On Sat 08 Jul 2023 at 09:14am +02, Salvatore Bonaccorso wrote:
> >
> > > Just noticed the suffix for the version
Hi Sean,
On Fri, Jul 07, 2023 at 01:07:57PM +0100, Sean Whitton wrote:
> Hello,
>
> On Fri 07 Jul 2023 at 12:23pm +02, Sylvain Beucler wrote:
>
> > Hello Sean,
> >
> > I had a quick test with my:
> > http://git.savannah.gnu.org/cgit/freedink.git/tree/nsis
> > which is kinda old but does call Wri
Hi LTS team,
On Wed, Jun 07, 2023 at 08:44:53AM +0200, Bernhard Schmidt wrote:
> Package: libruby2.5
> Version: 2.5.5-3+deb10u5
> Severity: grave
>
> Hi,
>
> I can't quite figure out why, but the latest security upload of ruby2.5 in
> Buster breaks the ability of the puppet agent to pull files f
Hi,
On Sat, Jun 03, 2023 at 10:55:08AM +0200, Philipp Kern wrote:
> Hi,
>
> On 01.06.23 16:51, Sylvain Beucler wrote:
> > I'm part of the Debian LTS Team, and along with the Security Team, we're
> > looking into making embargo'd build logs eventually public.
> > See https://salsa.debian.org/lts-t
Hi Federico,
On Fri, Jun 02, 2023 at 04:44:58PM -0300, Referente TIC ESRN 37 wrote:
> Hi my name is Federico, I'm having some trouble with this package
> "firmware-realtek"
> binary firmware for Realtek wired/wifi/BT adapters. I updated my netbook
> with Huayra 5 (austral), Debian 10.13 (version
Control: forwarded -1 https://github.com/Netatalk/netatalk/pull/174
Hi Daniel,
On Wed, May 24, 2023 at 10:50:41PM -0700, Daniel Markstedt wrote:
> Package: netatalk
> Version: 3.1.12~ds-3+deb10u1
> X-Debbugs-Cc: t...@security.debian.org
>
> The code that addressed CVE-2022-23123 introduced apple
Control: severity -1 important
On Thu, May 18, 2023 at 10:17:39AM +0200, 255.255.255.255 wrote:
> Package: firmware-iwlwifi, firmware-realtek, firmware-misc-nonfree
> Version: 20190114+really20220913-0+deb10u1
> Severity: Critical
>
> Kernel: 4.19.0-24-amd64 #1 SMP Debian 4.19.282-1 (2023-04-29)
Hi Sylvain,
On Sat, Apr 15, 2023 at 01:29:08PM +0200, Sylvain Beucler wrote:
> Hello Security Team,
>
> On Thu, Apr 13, 2023 at 05:33:15PM +0200, Moritz Muehlenhoff wrote:
> > On Wed, Apr 12, 2023 at 10:58:15PM +0200, Salvatore Bonaccorso wrote:
> > > > - For py
Hi Sylvain,
On Thu, Apr 06, 2023 at 05:54:08PM +0200, Sylvain Beucler wrote:
> Hello Security Team,
>
> On 01/04/2023 21:31, Salvatore Bonaccorso wrote:
> > First a disclaimer, this probably needs further discussion, reflects
> > my current personal knowledge and view
Hi Sylvain,
First a disclaimer: this probably needs further discussion, reflects
my current personal knowledge and view on the question, and further
feedback from at least one other person in the Debian security team
doing frequent CVE triage would be appreciated, I have in mind Moritz.
As a general rul
On Mon, Feb 27, 2023 at 07:43:42AM +0000, Chris Lamb wrote:
> Hi Salvatore,
>
> >> python-cryptography (2.6.1-3+deb10u4) buster-security; urgency=high
> >> .
> >>   * Adjust which call to CFFI's from_buffer is marked
> >> require_writable=True
> >> to address an issue in 2.6.1-3+deb10u4's
Hi Chris,
On Wed, Feb 22, 2023 at 05:30:23PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Format: 1.8
> Date: Wed, 22 Feb 2023 09:17:00 -0800
> Source: python-cryptography
> Binary: python-cryptography python-cryptography-dbgsym
> python-cryptography-d
Utkarsh,
On Tue, Jan 31, 2023 at 08:00:30PM +0000, Steve McIntyre wrote:
> On Wed, Feb 01, 2023 at 01:18:46AM +0530, Utkarsh Gupta wrote:
> >Hi Steve,
> >
> >On Tue, Jan 31, 2023 at 11:43 PM Salvatore Bonaccorso
> >wrote:
> >> > I've just uploade
Hi Steve,
On Tue, Jan 31, 2023 at 03:56:55PM +0000, Steve McIntyre wrote:
> Hey folks,
>
> I've just uploaded a new shim update for buster, based on the latest
> update in unstable today. Please accept it quickly so we can get the
> binaries out and signed ASAP?
The upload is already accepted, b
Hi Tobias,
On Fri, Dec 09, 2022 at 10:40:53AM +0100, Tobias Frost wrote:
> Hi,
>
> I was analyzing pngcheck this morning and I'm unsure how to proceed so
> any advice would be appreciated :)
>
> pngcheck has one CVE open [1], however it seems that there are multiple
> vulnerabilities, as upstrea
Hi,
On Wed, Oct 12, 2022 at 10:12:09AM +0200, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
>
> [ Reason ]
> node-xmldom is vulnerable to prototype pollution
>
> [ Impact ]
> Medium security issue
>
> [
Hi Chris,
On Fri, Aug 19, 2022 at 10:00:28AM -0700, Chris Lamb wrote:
> Hi Emilio,
>
> > Could you please use the same template as everyone else? Not just for
> > consistency, but also to avoid breaking scripts that work on the
> > announcements.
>
> Very happy to! But it very much looks like
Hi LTS team members!
The maintainer for gst-plugins-good1.0 uploaded for buster-security an
update to address current CVEs. I have thus added the package to the
dla-needed list to make sure a DLA release happens.
Can one of you please pick it up for a DLA release once the
packages are built?
Hi Ola,
On Thu, Jul 14, 2022 at 10:12:07PM +0200, Ola Lundqvist wrote:
> Hi
>
> During the work for LTS front-desk I noticed that there are three CVEs
> for XEN and xen is unsupported according to the latest
> debian-security-support information. It was added as that in 2021 from
> what I can see
Hi
On Tue, Jul 12, 2022 at 07:42:16PM +0200, Markus Koschany wrote:
> On Tuesday, 12.07.2022 at 19:24 +0200, Salvatore Bonaccorso wrote:
> > Hey,
> >
> > On Tue, Jul 12, 2022 at 06:12:04PM +0200, Markus Koschany wrote:
> >
> > >
> > > I assum
Hey,
On Tue, Jul 12, 2022 at 06:12:04PM +0200, Markus Koschany wrote:
> Hi Ola,
>
> adding the security team to CC to get some feedback from them
>
> > On Tuesday, 12.07.2022 at 13:58 +0200, Ola Lundqvist wrote:
> > [...]
> > We (as LTS team) are obviously not responsible for buster yet.
>
Hi Enrico,
On Mon, Jun 06, 2022 at 11:53:59AM +0200, Enrico Zini wrote:
> Hello,
>
> last month as part of Freexian onboarding I tried to work on pdns:
> https://security-tracker.debian.org/tracker/source-package/pdns
>
> I backported patches for CVE-2020-17482 and CVE-2019-10203
> to https://sa
Hi,
On Wed, May 25, 2022 at 03:33:11PM +0200, Sylvain Beucler wrote:
> Hi,
>
> On 21/05/2022 12:06, Sylvain Beucler wrote:
> > On 21/05/2022 10:45, Mike Gabriel wrote:
> > > as I have a company interest in Horde and thus in ckeditor3, I'd be
> > > happy to co-fund work hours on ckeditor3. Esp. be
Hi Utkarsh
On Wed, May 18, 2022 at 06:05:10AM +0530, Utkarsh Gupta wrote:
> Hi Security team,
>
> On Wed, May 18, 2022 at 2:05 AM Ola Lundqvist wrote:
> > If you think we should support the package I'll add it to
> > dla-needed. From the description it looks like one can trigger
> > a denial of
Hi Sylvain,
On Fri, May 06, 2022 at 09:23:27PM +0200, Sylvain Beucler wrote:
> Hello Security Team,
>
> I'm currently checking 'ckeditor' (an HTML editor for web applications,
> currently v4) for vulnerabilities to fix.
> (I may send a separate e-mail about this later)
>
> I noted that 'ck
Hi Neil,
On Wed, Dec 01, 2021 at 03:33:10PM +0000, Neil Williams wrote:
> On Wed, 1 Dec 2021 13:38:48 +0000
> Neil Williams wrote:
>
> > On Sun, 28 Nov 2021 21:02:16 +0100
> > Salvatore Bonaccorso wrote:
> >
> > > Hi Adrian, Neil,
> > >
> >
Hi Adrian, Neil,
One additional point:
On Sun, Nov 28, 2021 at 08:56:57PM +0100, Salvatore Bonaccorso wrote:
> Hi,
>
> On Sun, Nov 28, 2021 at 05:32:07PM +0200, Adrian Bunk wrote:
> > On Tue, Aug 31, 2021 at 09:15:15AM +0000, Raphaël Hertzog (@hertzog) wrote:
> > >
Hi,
On Sun, Nov 28, 2021 at 05:32:07PM +0200, Adrian Bunk wrote:
> On Tue, Aug 31, 2021 at 09:15:15AM +0000, Raphaël Hertzog (@hertzog) wrote:
> >...
> > Commits:
> > 63957298 by Neil Williams at 2021-08-31T10:11:30+01:00
> > CVE-2021-38593/qt vulnerable code introduced later
> >...
> > Changes:
>
Hi,
On Mon, Oct 18, 2021 at 09:58:31AM -0700, Rajiv Motwani wrote:
> Hi Sylvain,
>
> Those CVEs were registered in error and were requested to be listed as
> REJECTED. There are no plans to re-register these issues under new
> identifiers.
Out of interest, can you elaborate on this a bit more? W
Hi,
On Tue, Aug 31, 2021 at 05:32:44PM +0200, Sylvain Beucler wrote:
> I submitted a MR for the tool at:
> https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/88
>
> Follow/comment there if you're interested.
Thanks for that.
I will try to schedule some time for it
Hi,
On Thu, May 20, 2021 at 08:39:43AM +0200, Ola Lundqvist wrote:
> Hi Salvatore
>
> It is parameterized to check any release update. So it can be used to check
> any previous version to any later version.
>
> It has the parameters --old, --old-sec, --new and --new-sec to point to any
> relevan
Hi,
On Thu, May 20, 2021 at 08:14:12AM +0200, Ola Lundqvist wrote:
> Hi
>
> I was thinking more on placing it in the security tracker bin folder for
> easy access. Or do you think we should consider it as a separate tool with
> its own repo?
Given (if) it is specific to things fixed in previous
On Thu, Apr 29, 2021 at 06:29:33PM +0200, Sylvain Beucler wrote:
> Hi,
>
> I saw a batch of new CVEs were tracked for 'unbound', but not for the
> stretch-specific 'unbound1.9' package[1].
>
> I can go ahead and add '- unbound1.9' entries in data/CVE/list but I'm not
> sure whether that's what we
Hi,
On Sat, Apr 17, 2021 at 05:11:27PM +0200, Salvatore Bonaccorso wrote:
> Hi,
>
> On Sat, Apr 17, 2021 at 08:30:51PM +0530, Utkarsh Gupta wrote:
> > Hi Security team,
> >
> > On Sat, Apr 17, 2021 at 6:29 PM Anton Gladky wrote:
> > > I prepared and upload
Hi,
On Sat, Apr 17, 2021 at 08:30:51PM +0530, Utkarsh Gupta wrote:
> Hi Security team,
>
> On Sat, Apr 17, 2021 at 6:29 PM Anton Gladky wrote:
> > I prepared and uploaded python2.7_2.7.13-2+deb9u5, fixing
> > two CVEs.
> >
> > Unfortunately it fails on i386 due to timeout during the network
> >
Hi Emilio,
On Tue, Mar 16, 2021 at 01:26:18PM +0100, Emilio Pozuelo Monfort wrote:
> Hi,
>
> On 15/03/2021 12:36, Salvatore Bonaccorso wrote:
> > Hi Brian, LTS team,
> >
> > This was reported by the Ubuntu security team: The DLA 2550-1 update
> > was aiming to f
Hi Brian, LTS team,
This was reported by the Ubuntu security team: the DLA 2550-1 update
was aiming to fix CVE-2020-27844 as well, but it looks like, whilst a
patch is included in debian/patches, the series file does not apply
it.
To be on the safe side I have removed the listing for CVE-2020-27844 in
Hi,
On Thu, Mar 04, 2021 at 02:21:04PM +0100, Sylvain Beucler wrote:
> Are CVE-2021-20225 and CVE-2021-20233 specific to SecureBoot?
They are only non-negligible in a SecureBoot context, or put
otherwise, without SecureBoot grub is not crossing any reasonable
trust boundary here. The short
Hi Moritz,
Thanks for CC'ing.
On Thu, Feb 25, 2021 at 08:01:42PM +0100, Moritz Mühlenhoff wrote:
> On Thu, Feb 25, 2021 at 05:30:05PM +0100, Sylvain Beucler wrote:
> > - This problem is similar/related to tracking embedded code copies.
> > See https://salsa.debian.org/lts-team/lts-extra-tasks/
Hi,
On Thu, Feb 25, 2021 at 09:09:08AM +0000, Chris Lamb wrote:
> Morning Ola,
>
> > Today I looked at CVE-2020-36193 since we have php-pear in dla-needed.
> > The thing is that this CVE tells that drupal7 is also vulnerable but
> > drupal7 is not in dla-needed.txt.
>
> It may be that drupal7 wa
Hi Sylvain,
On Wed, Feb 17, 2021 at 01:37:43PM +0100, Sylvain Beucler wrote:
> Hi,
>
> Yesterday (2021-02-16 16:57Z) I uploaded qemu_2.8+dfsg-6+deb9u13 to
> security-master.
>
> I received neither acceptance nor rejection mail, which surprises me.
>
> I recently got my GPG key changed (on 01-24
Hi Robert,
[just small comment below]
On Thu, Feb 11, 2021 at 09:20:01PM -0500, Robert Edmonds wrote:
> Markus Koschany wrote:
> > Hi Robert,
> >
> > On Saturday, 06.02.2021, 19:46 -0500, Robert Edmonds wrote:
> > [...]
> > > Hi, Markus:
> > >
> > > I'm OK with both of these plans.
> > >
>
Hi Brian,
On Wed, Dec 02, 2020 at 09:01:21AM +1100, Brian May wrote:
> Salvatore Bonaccorso writes:
>
> > Hi Brian,
> >
> > On Tue, Dec 01, 2020 at 09:01:37AM +1100, Brian May wrote:
> >> I note this package - golang-github-dgrijalva-jwt-go - has been marked
>
Hi Brian,
On Tue, Dec 01, 2020 at 09:01:37AM +1100, Brian May wrote:
> I note this package - golang-github-dgrijalva-jwt-go - has been marked
> as vulnerable to CVE-2020-26160 in both Debian stretch and buster.
>
> https://security-tracker.debian.org/tracker/CVE-2020-26160
>
> But I can't find a
Hi Emilio,
On Tue, Aug 25, 2020 at 10:35:08PM +0200, Aurelien Jarno wrote:
> Hi,
>
> On 2020-08-02 23:54, Emilio Pozuelo Monfort wrote:
> > Hi,
> >
> > I was wondering if we could make old stretch-security build logs public. I
> > suppose there's nothing private there anymore (no more embargoed
Hi Felix and all,
On Sat, Aug 01, 2020 at 08:37:17AM +0200, Salvatore Bonaccorso wrote:
> Hi Felix and all,
>
> On Fri, Jul 31, 2020 at 03:36:54PM +0200, Felix Sperling wrote:
> > Hi,
> >
> > we were also affected by the update 5.7.3+dfsg-1.7+deb9u2 causing lots
Hi Emilio,
On Sun, Aug 02, 2020 at 11:54:27PM +0200, Emilio Pozuelo Monfort wrote:
> I was wondering if we could make old stretch-security build logs public. I
> suppose there's nothing private there anymore (no more embargoed updates in
> stretch) and it can help in debugging issues with updates
Hi Felix and all,
On Fri, Jul 31, 2020 at 03:36:54PM +0200, Felix Sperling wrote:
> Hi,
>
> we were also affected by the update 5.7.3+dfsg-1.7+deb9u2 causing lots of
> broken icinga checks.
>
> Our workaround is pinning 5.7.3+dfsg-1.7+deb9u1.
>
> What's unclear from the solution if 5.8 also w
Hi Emilio,
On Thu, Jun 25, 2020 at 11:39:16PM +0200, Salvatore Bonaccorso wrote:
> hi Emilio,
>
> On Thu, Jun 25, 2020 at 06:57:08PM +0200, Emilio Pozuelo Monfort wrote:
> > On 22/06/2020 08:37, Salvatore Bonaccorso wrote:
> > > Hi security team, LTS team members,
>
Hi Sylvain, rails maintainers,
On Mon, Jun 29, 2020 at 01:06:49PM +0200, Sylvain Beucler wrote:
> Hi,
>
> On 25/06/2020 18:20, Sylvain Beucler wrote:
> > On 22/06/2020 13:23, Sylvain Beucler wrote:
> >> On 22/06/2020 11:56, Utkarsh Gupta wrote:
> >>> On Mon, Jun 22, 2020 at 3:11 PM Sylvain Beucle
hi Emilio,
On Thu, Jun 25, 2020 at 06:57:08PM +0200, Emilio Pozuelo Monfort wrote:
> On 22/06/2020 08:37, Salvatore Bonaccorso wrote:
> > Hi security team, LTS team members,
> >
> > On Mon, Jun 15, 2020 at 05:44:54PM +0100, Adam D. Barratt wrote:
> >> stretch t
Hi Roberto,
On Mon, May 25, 2020 at 03:18:17PM -0400, Roberto C. Sánchez wrote:
> Hello fellow LTS folks,
>
> I have been discussing with Raphael some things which we can do to
> improve the state of the LTS/TODO page in the Debian wiki. This arose
> from part of the discussion during the April L
Hi security team, LTS team members,
On Mon, Jun 15, 2020 at 05:44:54PM +0100, Adam D. Barratt wrote:
> stretch transitions from oldstable-with-security-support to LTS support
> on Saturday July 4th. As usual, we should aim for the final point
> release to be soon after that, most likely pulling in
Hi Sylvain,
On Wed, Jun 17, 2020 at 11:09:41PM +0200, Sylvain Beucler wrote:
> Hi Security Team,
>
> I see that 'rails' is present in dsa-needed.txt.
Right, current open rails issues would warrant a DSA.
> I'm currently testing an update for jessie and I can prepare an update
> for stretch (whi
Hi Sylvain,
On Fri, Jun 05, 2020 at 09:23:12AM +0200, Sylvain Beucler wrote:
[...]
> Hi Salvatore,
>
> On 04/06/2020 20:41, Salvatore Bonaccorso wrote:
> > On Mon, May 25, 2020 at 07:47:56PM +0200, Moritz Mühlenhoff wrote:
> >> On Mon, May 25, 2020 at 10:22:50AM +020
hi,
On Mon, May 25, 2020 at 07:47:56PM +0200, Moritz Mühlenhoff wrote:
> On Mon, May 25, 2020 at 10:22:50AM +0200, Sylvain Beucler wrote:
> > Hi Security Team,
> >
> > What is your view on updating mysql-connector-java 5.1.42->5.1.49 for
> > Stretch?
>
> We can update to 5.1.49, yes. We've had t
wrote:
> > > On 02/03/2020 06:53, Salvatore Bonaccorso wrote:
> > > > On Mon, Mar 02, 2020 at 01:57:05AM -0000, Chris Lamb wrote:
> > > >>> Internally they are all no-dsa states for the tracker. But think of it
> > > >>> as three "flavo
Hi,
[For context, this report first reached the security team, we
redirected to the LTS team as specific for the jessie version of
apache2]
On Wed, Apr 29, 2020 at 07:00:38AM +0000, Andrey Zelenchuk wrote:
> Package: apache2
> Version: 2.4.10-10+deb8u16
> Severity: grave
> Tags: security
>
> Dea
Hi,
A smaller comment on the update:
On Wed, Mar 11, 2020 at 08:19:11PM +0100, Anton Gladky wrote:
> After discussion with the maintainer I decided to backport the latest
> upstream version, available in Debian (3.20191218.1). Prepared package
> is available here [1]. Debdiff is attached.
[...]
>
Hi Chris,
On Mon, Mar 02, 2020 at 01:57:05AM -0000, Chris Lamb wrote:
> Hi Salvatore,
>
> > Internally they are all no-dsa states for the tracker. But think of it
> > as three "flavours" of no-dsa.
> >
> > For instance for postponed, we think that an update is worth a DSA,
> > but it makes no
Hi Chris,
On Fri, Feb 21, 2020 at 12:32:12PM -0800, Chris Lamb wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Package: proftpd-dfsg
> Version: 1.3.5e+r1.3.5-2+deb8u6
> CVE ID : CVE-2020-9273
>
> It was discovered that there was a use-after-free vulnerabi
Hi
[I'm subscribed and following, but if anything needs an immediate reply
please do CC me; if something needs a reply from a security team
member, please CC the security team always]
On Sun, Mar 01, 2020 at 08:14:41AM -0500, Roberto C. Sánchez wrote:
> On Sun, Mar 01, 2020 at 01:57:21PM +0100, Tho
Hi Holger,
On Mon, Feb 24, 2020 at 04:00:50PM +0000, Holger Levsen wrote:
> On Mon, Feb 24, 2020 at 04:57:19PM +0100, Salvatore Bonaccorso wrote:
> > > Is this a transient condition? Should I just upload again? Or is there
> > > some other issue which I have missed?
>
Hi,
On Mon, Feb 24, 2020 at 10:18:45AM -0500, Roberto C. Sánchez wrote:
> Hi FTP team folks & LTS folks,
>
> The below rejection error message is confusing.
>
> On Mon, Feb 24, 2020 at 02:30:20PM +0000, Debian FTP Masters wrote:
> >
> > zsh-static_5.0.7-5+deb8u1_amd64.deb: Built-Using refers to
Hi Holger,
On Thu, Feb 20, 2020 at 04:49:09PM +0000, Holger Levsen wrote:
> > Does LTS provide updates for nodejs/nodejs-*, and is there a place where
> > we can document this decision?
>
> I'd lean to call it unsupported and document this in
> src:debian-security-support.
I guess you will nee
Hi Julien,
On Thu, Feb 06, 2020 at 07:35:57PM +0100, Julien Cristau wrote:
> On Thu, Feb 06, 2020 at 07:00:02PM +0100, Julien Cristau wrote:
> > Hi,
> >
> > I'm about to upgrade the security upload host (suchon.d.o) from stretch
> > to buster. That is going to cause (most likely short) outages d
Hi Mike,
On Fri, Jan 31, 2020 at 10:01:05PM +0000, Mike Gabriel wrote:
> Hi Ola, Noah,
>
> On Fri 31 Jan 2020 20:32:01 CET, Ola Lundqvist wrote:
>
> > Hi
> >
> > Spamassassin (and a few other packages) are handled a little differently
> > compared to most packages in Debian.
> >
> > I'd advise
Hi Mike,
On Sat, Dec 21, 2019 at 05:47:25PM +0000, Mike Gabriel wrote:
> Hi again,
>
> On Sat 21 Dec 2019 18:36:09 CET, Mike Gabriel wrote:
>
> > Hi again,
> >
> > On Sat 21 Dec 2019 17:27:15 CET, Mike Gabriel wrote:
> >
> > > Hi all,
> > >
> > > the recent libssh fix for CVE-2019-14889 cause
Hi,
On Mon, Nov 25, 2019 at 11:50:00AM +0100, Sylvain Beucler wrote:
> Hi,
>
> On 22/11/2019 21:23, Sylvain Beucler wrote:
> > I see in 'embedded-code-copies':
> >
> > libonig
> > - php5 5.3.2-1 (embed)
> >
> > (i.e. from 2010)
> >
> > Jessie seems to properly link to libonig (dependen
Hi Sylvain,
On Tue, Oct 15, 2019 at 12:24:20AM +0200, Sylvain Beucler wrote:
> Hi,
>
> I would like to study Ubuntu's backports of CVE-2012-2337/sudo (since
> the stable branch of sudo experienced massive changes since our
> versions), but sadly those are not available to the public:
> https://us
Hi Hugo,
On Fri, Oct 04, 2019 at 11:37:29AM +0200, Hugo Lefeuvre wrote:
> Regarding the DLAs. I plan to release a DLA per upload (one DLA for clamav
> and one for each reverse dependency). Announcing all five uploads under a
> single DLA seems a bit messy to me.
I would say it depends a bit, I wo
Hi Chris,
On Wed, Sep 25, 2019 at 02:27:43PM +0100, Chris Lamb wrote:
> Hi Salvatore,
>
>
> > > For Debian 8 "Jessie", this issue has been fixed in libgcrypt20 version
> > > 1.6.3-2+deb8u6.
> […]
> > Just a heads-up in case not seen yet: For all (but the amd64 upload)
> > it looks like there were FTB
Hi Chris,
On Tue, Sep 24, 2019 at 04:40:52PM +0100, Chris Lamb wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Package: libgcrypt20
> Version: 1.6.3-2+deb8u6
> CVE ID : CVE-2019-13627
> Debian Bug : #938938
>
> It was discovered that there was an ECDSA t
hi Mike,
On Fri, Aug 30, 2019 at 03:22:23PM +0200, Salvatore Bonaccorso wrote:
> Hi Mike,
>
> On Fri, Aug 30, 2019 at 11:25:16AM +0000, Mike Gabriel wrote:
> > However, to address CVE-2019-5477 it should also be associated to the
> > rexical src:pkg in stretch and later. @s
Hi Mike,
On Fri, Aug 30, 2019 at 11:25:16AM +0000, Mike Gabriel wrote:
> However, to address CVE-2019-5477 it should also be associated to the
> rexical src:pkg in stretch and later. @security-team: can you please update
> data/CVE/list appropriately (instead of me updating it and you correcting m
Hi Markus,
On Fri, Aug 02, 2019 at 06:48:05PM +0200, Markus Koschany wrote:
> Hello Salvatore,
>
> my last email regarding unzip, CVE-2019-13232, apparently remained
> unanswered [1] but I feel it needs a clarification hence I am resending it.
>
> I don't understand why CVE-2019-13232 was marked
Hi Markus,
On Sun, Jul 07, 2019 at 10:09:22PM +0200, Markus Koschany wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Package: unzip
> Version: 6.0-16+deb8u4
> CVE ID : CVE-2019-13232
> Debian Bug : 931433
>
> David Fifield discovered a way to construct
Hi Jonas,
On Wed, Jul 03, 2019 at 02:48:51PM +0200, Jonas Meurer wrote:
> Hi Ola,
>
> thanks for your response!
>
> Ola Lundqvist:
> > I have now looked into this problem to see if I can find out something.
> >
> > What I have done is to backtrack whether the code is ever executed by
> > sqlite and
Hi Thorsten,
On Mon, Jun 24, 2019 at 10:24:51PM +0200, Thorsten Alteholz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Package: bzip2
> Version: 1.0.6-7+deb8u1
> CVE ID : CVE-2016-3189 CVE-2019-12900
>
>
> Two issues in bzip2, a high-quality block-sortin
Hi Jonas,
On Wed, Jul 03, 2019 at 02:48:51PM +0200, Jonas Meurer wrote:
> Hi Ola,
>
> thanks for your response!
>
> Ola Lundqvist:
> > I have now looked into this problem to see if I can find out something.
> >
> > What I have done is to backtrack whether the code is ever executed by
> > sqlite and
Hi Hugo,
On Sat, May 25, 2019 at 03:12:40PM +0200, Hugo Lefeuvre wrote:
> Hi Salvatore,
>
> > When the CVE first appeared it was not yet clear where exactly the
> > vulnerabilities lie, thus we kept the TODO as per
> >
> > TODO: check details and correct vulnerability location
> >
> > Now that
Hi,
On Sat, May 25, 2019 at 01:59:53PM +0200, Hugo Lefeuvre wrote:
> Hi,
>
> I investigated CVE-2019-12221[0] and found out that the issue lies in the
> libsdl2-image/sdl-image1.2 codebase, not libsdl2/libsdl1.2.
>
> I have temporarily added a NOTE to the tracker because I was not sure of
> how
Hi Roberto
With the update of ghostscript in DLA 1792-1, pdfdict is hidden as
part of the fix for CVE-2019-3839.
cups-filters used this undocumented internal, though, so with the
ghostscript update cups-filters will experience a functional
regression.
In unstable cups-filter was fixed sho
Hi Nik,
On Tue, May 07, 2019 at 10:45:33AM +0200, Nik Wrt wrote:
> I am experiencing the same identical problem. Running debian jessie on a Dell
> D430. I can reproducibly trigger this by doing
>
> python -c "import numpy"
>
> It does not happen if I roll back to linux-image-3.16.0-7-amd64
>
>
Hi Jonas
[Adding security team alias, as debian-lts is not followed
automatically]
On Wed, Apr 24, 2019 at 11:08:44AM +0200, Jonas Meurer wrote:
> Hello,
>
> The last days, I spent quite some hours on backporting and debugging
> patches for CVE-2018-15587 (Signature Spoofing in PGP encrypted ema
Hi Sylvain,
On Mon, Apr 08, 2019 at 10:18:08PM +0200, Sylvain Beucler wrote:
> Hi,
>
> On 08/04/2019 21:56, Holger Levsen wrote:
> > On Mon, Apr 08, 2019 at 09:51:19PM +0200, Salvatore Bonaccorso wrote:
> >> Recently I noticed that for a no-dsa (either for no-dsa or the
>