Accepted mesa 10.3.2-1+deb8u2 (source amd64) into oldoldstable

2019-11-15 Thread Sylvain Beucler
: jessie-security Urgency: high Maintainer: Debian X Strike Force Changed-By: Sylvain Beucler Description: libegl1-mesa - free implementation of the EGL API -- runtime libegl1-mesa-dbg - free implementation of the EGL API -- debugging symbols libegl1-mesa-dev - free implementation of the EGL API

[SECURITY] [DLA 1993-1] mesa security update

2019-11-15 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: mesa Version: 10.3.2-1+deb8u2 CVE ID : CVE-2019-5068 Debian Bug : 944298 Tim Brown discovered a shared memory permissions vulnerability in the Mesa 3D graphics library. Some Mesa X11 drivers use shared-memory

Status of php-mbstring vs. libonig

2019-11-22 Thread Sylvain Beucler
Hi, I see in 'embedded-code-copies':   libonig       - php5 5.3.2-1 (embed) (i.e. from 2010) Jessie seems to properly link to libonig (dependency of e.g. libapache2-mod-php5). Stretch and Buster however (probably since the new phpX.X-mbstring package) do not link libonig anymore, despite

Accepted libonig 5.9.5-3.2+deb8u4 (source amd64) into oldoldstable

2019-12-04 Thread Sylvain Beucler
-By: Sylvain Beucler Description: libonig-dev - Development files for libonig2 libonig2 - Oniguruma regular expressions library libonig2-dbg - Debugging symbols for libonig2 Changes: libonig (5.9.5-3.2+deb8u4) jessie-security; urgency=high . * Non-maintainer upload by the LTS team. * CVE

[SECURITY] [DLA 2020-1] libonig security update

2019-12-04 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: libonig Version: 5.9.5-3.2+deb8u4 CVE ID : CVE-2019-19012 CVE-2019-19204 CVE-2019-19246 Debian Bug : 944959 945313 Several vulnerabilities were discovered in the Oniguruma regular expressions library, notably

CVE-2019-1551/openssl triage

2019-12-09 Thread Sylvain Beucler
Hi Utkarsh, You wrote for CVE-2019-1551: +    [jessie] - openssl (Only affects OpenSSL > 1.1.0-pre1) However the advisory says: https://www.openssl.org/news/secadv/20191206.txt "OpenSSL versions 1.1.1 and 1.0.2 are affected by this issue." So the status for 1.0.1 (jessie, wheezy) isn't clear.

Re: CVE-2019-1551/openssl triage

2019-12-09 Thread Sylvain Beucler
Hi, On 09/12/2019 10:13, Utkarsh Gupta wrote: > Here's what led to this commit: > > - The upstream fix[1] provides a patch which is in the > crypto/bn/asm/rsaz-x86_64.pl file. > - Going back to the git history of this file, it leads to this > commit[2], where the RSAZ assembly modules were first

[SECURITY] [DLA 2021-1] libav security update

2019-12-05 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: libav Version: 6:11.12-1~deb8u9 CVE ID : CVE-2017-17127 CVE-2017-18245 CVE-2018-19128 CVE-2018-19130 CVE-2019-14443 CVE-2019-17542 Several security issues were fixed in libav, a multimedia library

Accepted libav 6:11.12-1~deb8u9 (source all amd64) into oldoldstable

2019-12-05 Thread Sylvain Beucler
libavfilter-dev libswscale-dev libavresample-dev libavresample2 libavcodec-extra-56 libavcodec-extra Architecture: source all amd64 Version: 6:11.12-1~deb8u9 Distribution: jessie-security Urgency: high Maintainer: Debian Multimedia Maintainers Changed-By: Sylvain Beucler Description: libav-dbg

Re: Ubuntu ESM access

2019-10-16 Thread Sylvain Beucler
Hi, On 15/10/2019 23:17, Salvatore Bonaccorso wrote: > On Tue, Oct 15, 2019 at 12:24:20AM +0200, Sylvain Beucler wrote: >> Hi, >> >> I would like to study Ubuntu's backports of CVE-2012-2337/sudo (since >> the stable branch of sudo experienced massive changes since

Ubuntu ESM access

2019-10-14 Thread Sylvain Beucler
Hi, I would like to study Ubuntu's backports of CVE-2012-2337/sudo (since the stable branch of sudo experienced massive changes since our versions), but sadly those are not available to the public: https://usn.ubuntu.com/4154-1/ By any chance, do we have some access/contact to "Ubuntu ESM"?

Re: Please discontinue security notices: [SECURITY] etc. ; thank you; howardn...@earthlink.net

2019-10-19 Thread Sylvain Beucler
Hi, Please stop spamming the list. I sent you unsubscribe links yesterday, if this isn't enough, use the form at: https://lists.debian.org/debian-lts/ https://lists.debian.org/debian-lts-announce/ Nobody can unsubscribe you except yourself. Cheers! Sylvain > discontinue security notices:

[SECURITY] [DLA 1965-1] nfs-utils security update

2019-10-19 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: nfs-utils Version: 1.2.8-9+deb8u1 CVE ID : CVE-2019-3689 Debian Bug : 940848 In the nfs-utils package, providing support files for Network File System (NFS) including the rpc.statd daemon, the directory

[SECURITY] [DLA 1964-1] sudo security update

2019-10-17 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: sudo Version: 1.8.10p3-1+deb8u6 CVE ID : CVE-2019-14287 Debian Bug : 942322 In sudo, a program that provides limited super user privileges to specific users, an attacker with access to a Runas ALL sudoer

[SECURITY] [DLA 1970-1] php5 security update

2019-10-26 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: php5 Version: 5.6.40+dfsg-0+deb8u7 CVE ID : CVE-2019-11043 Emil Lerner, beched and d90pwn found a buffer underflow in php5-fpm, a Fast Process Manager for the PHP language, which can lead to remote code execution.

Accepted php5 5.6.40+dfsg-0+deb8u7 (source all amd64) into oldoldstable

2019-10-26 Thread Sylvain Beucler
-security Urgency: high Maintainer: Debian PHP Maintainers Changed-By: Sylvain Beucler Description: libapache2-mod-php5 - server-side, HTML-embedded scripting language (Apache 2 module) libapache2-mod-php5filter - server-side, HTML-embedded scripting language (apache 2 filter mo libphp5-embed

Re: Status of php-mbstring vs. libonig

2019-11-26 Thread Sylvain Beucler
Hi, On 25/11/2019 15:20, Salvatore Bonaccorso wrote: > On Mon, Nov 25, 2019 at 11:50:00AM +0100, Sylvain Beucler wrote: >> On 22/11/2019 21:23, Sylvain Beucler wrote: >>> I see in 'embedded-code-copies': >>> >>>   libonig >>>       - php5 5.3.2-

Re: November LTS Report

2019-12-02 Thread Sylvain Beucler
Hi, On 01/12/2019 18:06, Hugo Lefeuvre wrote: > I had some difficulties to work this month and needed to take some time off > from Debian. Taking a look back, I was not far from burning out. I am > planning to continue my work in the next months, but will reduce my > assigned hours to 12. Take

Re: Status of php-mbstring vs. libonig

2019-11-25 Thread Sylvain Beucler
Hi, On 22/11/2019 21:23, Sylvain Beucler wrote: > I see in 'embedded-code-copies': > >   libonig >       - php5 5.3.2-1 (embed) > > (i.e. from 2010) > > Jessie seems to properly link to libonig (dependency of e.g. > libapache2-mod-php5). > > Stretch and Buste

Re: State of ampache: we should declare it unsupported

2019-10-04 Thread Sylvain Beucler
Hi, The vulnerabilities are important and upstream does not provide any fixed release. This means all ampache installations (Debian and non-Debian) are at risk. It would be worth explaining the situation to upstream and requesting his explicit stance on the matter. I believe this will make the

Re: clamd update, some tests failing

2019-10-12 Thread Sylvain Beucler
Hi, On Sat, Oct 12, 2019 at 08:18:12AM +0200, Hugo Lefeuvre wrote: > > 42,43c42,43 > > < /usr/share/clamav-testfiles/clam-v2.rar: Clamav.Test.File-6 FOUND > > < /usr/share/clamav-testfiles/clam-v3.rar: Clamav.Test.File-6 FOUND > > --- > > > /usr/share/clamav-testfiles/clam-v2.rar: OK > > >

[SECURITY] [DLA 2118-1] otrs2 security update

2020-02-24 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: otrs2 Version: 3.3.18-1+deb8u14 CVE ID : CVE-2019-11358 Debian Bug : 927385 It was discovered that the jQuery version embedded in OTRS, a ticket request system, was prone to a cross site scripting vulnerability

Re: security upload imposing load on other parts of Debian

2020-03-02 Thread Sylvain Beucler
Hi, On 02/03/2020 06:53, Salvatore Bonaccorso wrote: > On Mon, Mar 02, 2020 at 01:57:05AM -, Chris Lamb wrote: >>> Internally they are all no-dsa states for the tracker. But think of it >>> of three "flavours" of no-dsa. >>> >>> For instance for postponed, we think that an update is worth of

Re: addressing CVE-2018-1311/XERCESC-2188

2020-03-03 Thread Sylvain Beucler
FYI it seems none of your messages made it to the Xerces c-dev mailing list: https://mail-archives.apache.org/mod_mbox/xerces-c-dev/202001.mbox/browser Are you still working on a patch? - Sylvain On 30/01/2020 09:16, Ola Lundqvist wrote: > Hi > > Yes you answered my questions. Please go ahead

Re: security upload imposing load on other parts of Debian

2020-02-27 Thread Sylvain Beucler
Hi, On 27/02/2020 02:57, Chris Lamb wrote: >> I'm also vaguely pondering to do a survey among the Debian developers / >> teams. >> Given LTS is now 6 years old I think this could be useful. > I think the usefulness of this would very much depend on the > specificity of the questions we ask. > >

Re: Wheezy LTS not present in archive.debian.org

2020-03-06 Thread Sylvain Beucler
Hello Piviul, On 06/03/2020 10:34, Piviul wrote: > Hi all, I'm new in this list and I hope my trivial problem doesn't > concern an annoyance trivial matter... > Well, I have noted that my wheezy installed packages are newer than the > one in the archived repository... so I ask you what happens to

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-02-19 Thread Sylvain Beucler
horsten > Alteholz) > ERROR: .data or .wml file missing for DLA 2031-1 (reserved by Hugo Lefeuvre) > ERROR: .data or .wml file missing for DLA 2017-2 (reserved by Adrian Bunk) > ERROR: .data or .wml file missing for DLA 2000-1 (reserved by Hugo Lefeuvre) > ERROR: .data or .wml file mis

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-02-20 Thread Sylvain Beucler
On 20/02/2020 14:32, Emilio Pozuelo Monfort wrote: > I still see this in 2019/dla-1993.wml: > > # do not modify the following line > #include "$(ENGLISHDIR)/lts/security/2020/dla-1993.data" > # $Id: $ > > Looks like you actually need to modify it :p > > Btw if you parse a file with a Date:

Re: Bug#931376: debian-security-support: mention nodejs is not for untrusted content

2020-02-20 Thread Sylvain Beucler
Hi, On 03/07/2019 15:44, Holger Levsen wrote: > package: debian-security-support > x-debbugs-cc: debian-lts@lists.debian.org > > On Wed, Jul 03, 2019 at 02:59:39PM +0200, Sylvain Beucler wrote: >> I just discovered this while triaging node-fstream: >> https://www.debia

[SECURITY] [DLA 2110-1] netty-3.9 security update

2020-02-19 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: netty-3.9 Version: 3.9.0.Final-1+deb8u1 CVE ID : CVE-2014-0193 CVE-2014-3488 CVE-2019-16869 CVE-2019-20444 CVE-2019-20445 CVE-2020-7238 Debian Bug : 746639 941266 950966 950967 Several

[SECURITY] [DLA 2109-1] netty security update

2020-02-19 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: netty Version: 1:3.2.6.Final-2+deb8u2 CVE ID : CVE-2019-20444 CVE-2019-20445 CVE-2020-7238 Debian Bug : 950966 950967 Several vulnerabilities were discovered in the HTTP server provided by Netty, a Java NIO

Re: Thoughts on Xen updates in LTS

2020-02-22 Thread Sylvain Beucler
On 22/02/2020 00:31, Roberto C. Sánchez wrote: > On Fri, Feb 21, 2020 at 11:24:02PM +, Holger Levsen wrote: >> Hi Roberto, >> >> besides what Moritz said... >> >> On Fri, Feb 21, 2020 at 01:37:14PM -0500, Roberto C. Sánchez wrote: have you done this in coordination with credative who

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-02-20 Thread Sylvain Beucler
Hi, On 20/02/2020 13:35, Emilio Pozuelo Monfort wrote: > On 20/02/2020 12:40, Abhijith PA wrote: >> Holger, >> >> On 19/02/20 3:15 pm, Emilio Pozuelo Monfort wrote: >> >> >>> The attached patch allows that script to also print author information when >>> using a local copy of the security-tracker

[SECURITY] [DLA 2072-1] gpac security update

2020-01-20 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: gpac Version: 0.5.0+svn5324~dfsg1-1+deb8u5 CVE ID : CVE-2018-21015 CVE-2018-21016 CVE-2019-13618 CVE-2019-20161 CVE-2019-20162 CVE-2019-20163 CVE-2019-20165 CVE-2019-20170

Accepted gpac 0.5.0+svn5324~dfsg1-1+deb8u5 (source amd64) into oldoldstable

2020-01-20 Thread Sylvain Beucler
Maintainer: Debian Multimedia Maintainers Changed-By: Sylvain Beucler Description: gpac - GPAC Project on Advanced Content - utilities gpac-dbg - GPAC Project on Advanced Content - debugging symbols gpac-modules-base - GPAC Project on Advanced Content - modules libgpac-dbg - GPAC Project

Accepted wordpress 4.1.29+dfsg-0+deb8u1 (source all) into oldoldstable

2020-01-14 Thread Sylvain Beucler
Distribution: jessie-security Urgency: medium Maintainer: Craig Small Changed-By: Sylvain Beucler Description: wordpress - weblog manager wordpress-l10n - weblog manager - language files wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files wordpress-theme-twentyfourteen

[SECURITY] [DLA 2067-1] wordpress security update

2020-01-14 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: wordpress Version: 4.1.29+dfsg-0+deb8u1 CVE ID : CVE-2019-20041 Debian Bug : 946905 An input sanitization bypass was discovered in Wordpress, a popular content management framework. An attacker can use this

Re: tomcat ssl certificates

2020-01-06 Thread Sylvain Beucler
Hi, On 05/01/2020 14:36, Abhijith PA wrote: > I see that you have refreshed tomcat8 certificates in 8.0.14-1+deb8u15. > But when I looked at localhost-cert.pem. I see, > > notBefore=Feb 28 05:28:42 2013 GMT > notAfter=Feb 28 05:28:42 2015 GMT > [snip] > > Am I missing something. It's replaced

Re: addressing CVE-2018-1311/XERCESC-2188

2020-03-09 Thread Sylvain Beucler
Hi, On 06/03/2020 07:52, Hugo Lefeuvre wrote: >> FYI it seems none of your messages made it to the Xerces c-dev mailing list: >> https://mail-archives.apache.org/mod_mbox/xerces-c-dev/202001.mbox/browser >> >> Are you still working on a patch? > > unfortunately, I did not manage to find time for

Limiting concurrent claims?

2020-03-11 Thread Sylvain Beucler
Hi, I regularly see a package claimed while the packager already claimed others, and then semi-automatically unclaimed after two weeks. Moreover, the package is then claimed by another packager, which means the initial work (if any) was useless, and the security update was basically delayed for

Re: phppgadmin / CVE-2019-10784

2020-03-13 Thread Sylvain Beucler
Hi, On 13/03/2020 22:09, Ola Lundqvist wrote: > On Fri, 13 Mar 2020 at 10:50, Emilio Pozuelo Monfort > wrote: > > On 12/03/2020 22:02, Brian May wrote: > > Ola Lundqvist mailto:o...@inguza.com>> writes: > > > >> I have ideas on how we can reduce the

[SECURITY] [DLA 2143-1] slurm-llnl security update

2020-03-16 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: slurm-llnl Version: 14.03.9-5+deb8u5 CVE ID : CVE-2019-6438 CVE-2019-12838 Debian Bug : 920997 931880 Several issues were found in Simple Linux Utility for Resource Management (SLURM), a cluster resource

[SECURITY] [DLA 2159-1] okular security update

2020-03-25 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: okular Version: 4:4.14.2-2+deb8u2 CVE ID : CVE-2020-9359 Debian Bug : 954891 Mickael Karatekin from Sysdream Labs discovered that the Okular document viewer allows code execution via an action link in a PDF

Re: CVE-2019-15690/libvncserver: reference embedded copies in italc/ssvnc/tightvnc/veyon/vncsnapshot ?

2020-03-24 Thread Sylvain Beucler
Hi all, On 18/03/2020 19:27, Moritz Muehlenhoff wrote: > On Wed, Mar 18, 2020 at 06:14:36PM +0100, Sylvain Beucler wrote: >> I excluded 3 out of 8 packages. I only added packages that actually >> contain the impacted code (VNC client connection, using original RealVNC >> code

[SECURITY] [DLA 2202-1] ansible security update

2020-05-05 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: ansible Version: 1.7.2+dfsg-2+deb8u3 CVE ID : CVE-2019-14846 CVE-2020-1733 CVE-2020-1739 CVE-2020-1740 Debian Bug : 942188 Several vulnerabilities were discovered in Ansible, a configuration management,

Re: Refreshing mysql-connector-java

2020-05-11 Thread Sylvain Beucler
Hi, On 08/05/2020 11:39, Chris Lamb wrote: >> The 3 recent vulnerabilities are an opportunity to refresh the package, >> so as not to have too big of a diff should a more critical vulnerability >> happen in the future. > > No objections in theory but I am finding it difficult to gauge the > risk

Re: Taking care of Keystone in Stretch and Jessie

2020-05-15 Thread Sylvain Beucler
hough LTS will take over within a couple months), adding them in Cc: to discuss what to do in Stretch. Cheers! Sylvain Beucler Debian LTS Team

Re: Jessie update of apt?

2020-05-14 Thread Sylvain Beucler
ader type 88 +E: Sub-process gzip returned an error code (1) FAIL or +E: Sub-process gzip received signal 2. FAIL Is this expected? Cheers! Sylvain Beucler Debian LTS Team

Re: Jessie update of apt?

2020-05-14 Thread Sylvain Beucler
On 14/05/2020 22:20, Julian Andres Klode wrote: > On Thu, May 14, 2020 at 09:46:38PM +0200, Julian Andres Klode wrote: >> On Thu, May 14, 2020 at 09:41:51PM +0200, Sylvain Beucler wrote: >>> /usr/src/apt/apt-1.0.9.8.6/test/integration/../../build/bin/testdeb >>> tes

Re: Revert "CVE-2019-15690/libvncserver: reference embedded copies in italc/ssvnc/tightvnc/veyon/vncsnapshot"

2020-03-18 Thread Sylvain Beucler
Hi, First, it is a bit stressful when one's work is reverted without direct communication; this requires constant checking whether there are related commits to one's past days of work, and given the volume this can also just be missed. I would recommend e.g. a quick mail in such a situation, WDYT?

Re: Fixing minor/unimportant issues via DLA on demand

2020-03-20 Thread Sylvain Beucler
Hi, On 20/03/2020 01:37, Utkarsh Gupta wrote: > I was curious to know if we can (or rather, we should) fix some > CVE(s), which has been marked minor/unimportant by the Security team > or/and the person at front-desk, if there's a demand for it (meaning, > some Jessie user requested it)? > Or, if

Re: Fixing minor/unimportant issues via DLA on demand

2020-03-20 Thread Sylvain Beucler
Hi, On 20/03/2020 18:04, Utkarsh Gupta wrote: > On Fri, Mar 20, 2020 at 5:33 PM Sylvain Beucler wrote: >> These are 2 cases (request from Jessie user or from maintainer) that I >> yet to see :) >> Do you have a specific case in mind? > I do. But I am not very sure if I

Re: Wheezy LTS not present in archive.debian.org

2020-03-17 Thread Sylvain Beucler
Hi, On 17/03/2020 10:00, Emilio Pozuelo Monfort wrote: > On 17/03/2020 03:58, Ben Hutchings wrote: >> On Fri, 2020-03-13 at 16:29 +0100, Piviul wrote: >>> Sylvain Beucler wrote on 06/03/20 at 13:14: >>>> [...] >>>> Good question :) >>&

Refreshing mysql-connector-java

2020-05-07 Thread Sylvain Beucler
Hi, Package mysql-connector-java is packaged in Debian up to stretch (and was replaced with mariadb-connector-java starting with buster). Consequently we need to provide security updates for a while longer. Due to lack of disclosure from Oracle, we cannot identify (let alone backport) the

Debian LTS and ELTS - August 2020

2020-09-01 Thread Sylvain Beucler
Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor. In

Re: ruby-rails update destroy redmine issue number linking

2020-08-31 Thread Sylvain Beucler
Hi all, On 03/08/2020 16:43, Utkarsh Gupta wrote: > On Mon, Aug 3, 2020 at 6:02 PM Sylvain Beucler wrote: >> This version is now impacted by new security issues, such as >> CVE-2020-8163, so I would recommend upgrading anyway. There is no place >> to upload a new v

Re: golang-1.7 / CVE-2019-9514 / CVE-2019-9512

2020-09-09 Thread Sylvain Beucler
Hi Brian, On 09/09/2020 00:55, Brian May wrote: > Looking at: > > https://security-tracker.debian.org/tracker/CVE-2019-9512 > https://security-tracker.debian.org/tracker/CVE-2019-9514 > > Under "golang-1.7" release stretch it says "vulnerable". > > But in the notes, there is: > > [stretch] -

[SECURITY] [DLA 2371-1] wordpress security update

2020-09-11 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian LTS Advisory DLA-2371-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ September 11, 2020

Re: Regarding package pdns-recursor in Stretch

2020-09-08 Thread Sylvain Beucler
rough http://snapshot.debian.org/ . Jessie isn't supported anymore by Debian (and pdns-recursor isn't supported in ELTS), I suppose it was handled differently because there was no early EOL. Cheers! Sylvain Beucler Debian LTS Team On 08/09/2020 12:53, Dominik Dausch wrote: > > Dear LTS Te

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-08-31 Thread Sylvain Beucler
Hi, On 31/08/2020 14:44, Holger Levsen wrote: > On Fri, Aug 21, 2020 at 12:59:54PM +0200, Sylvain Beucler wrote: >> Still in this particular case, in our process the team coordinator cites >> contributors by running a heuristic-based script, and forwarding it >>

Re: Bug#971560: libsane-common 1.0.25-4.1+deb9u1 Stretch security update missing lots of files

2020-10-02 Thread Sylvain Beucler
Hi, > On Thu., Oct. 1, 2020 at 19:32, Sylvain Beucler > (b...@beuc.net) wrote: >> This could be due to a bug when building the 'all' and 'amd64' packages >> separately. I can reproduce the 2 debdiff-s with 'debuild -A' and 'debuild -B' respectively. I'm currently

[SECURITY] [DLA 2332-2] sane-backends regression update

2020-10-07 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian LTS Advisory DLA-2332-2 debian-...@lists.debian.org https://www.debian.org/lts/security/ October 07, 2020

Re: Bug#971560: libsane-common 1.0.25-4.1+deb9u1 Stretch security update missing lots of files

2020-10-07 Thread Sylvain Beucler
e scanners, > local and networked ones! > So everything looks good to push those to Debian Stretch. > Thanks a lot for doing all this! > Greetings from another Allegro user ;-) > > On Sat., Oct. 3, 2020 at 13:53, Sylvain Beucler > (b...@beuc.net) wrote: >> >&

Bugs introduced by source uploads

2020-10-09 Thread Sylvain Beucler
Hi, DLA 2332-2 (sane-backends) [1] is a regression that happened due to changing the upload process between the last archive upload and our first security upload, from a developer arch+indep build followed by buildd arch builds, to a buildd-only separate arch and indep builds [2]. [1]

Re: Bug#972189: sympa: CVE-2020-10936 regression - removal of needed environment variables

2020-10-15 Thread Sylvain Beucler
Hi, Thank you both for notifying me. For reasons stated in dla-needed.txt, and more importantly for reasons mentioned internally (see elts-git or Holger), I can't dedicate more time this month. From a quick look: - the patch for older versions is the same besides the copyright notices. - I'm

Re: Bug#971560: libsane-common 1.0.25-4.1+deb9u1 Stretch security update missing lots of files

2020-10-02 Thread Sylvain Beucler
Hi, On 02/10/2020 13:51, Ivan Baldo wrote: > On Fri., Oct. 2, 2020 at 06:48, Sylvain Beucler > (b...@beuc.net) wrote: >> >> Hi, >> >>> On Thu., Oct. 1, 2020 at 19:32, Sylvain Beucler >>> (b...@beuc.net) wrote: >>>

[SECURITY] [DLA 2401-1] sympa security update

2020-10-07 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian LTS Advisory DLA-2401-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ October 07, 2020

Re: About sympa

2020-10-06 Thread Sylvain Beucler
Hi, On 06/10/2020 20:42, Utkarsh Gupta wrote: > I see you recently claimed sympa in dla-needed.txt. > Please let me tell you that the upload is already ready and tested on my end. > > Just waiting on having some internal confirmation to release the upload. > So I guess it's better for to leave

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-08-17 Thread Sylvain Beucler
Hi, On 17/08/2020 23:31, Holger Levsen wrote: > There are three DLAs which have been reserved but not yet been published on > www.debian.org: > > - DLA 2332-1 (reserved by Sylvain Beucler) I just uploaded it, I am waiting for the ftp confirmation mail, I didn't even send it b

[SECURITY] [DLA 2332-1] sane-backends security update

2020-08-17 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian LTS Advisory DLA-2332-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ August 17, 2020

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-08-18 Thread Sylvain Beucler
20 at 00:08, Holger Levsen <mailto:hol...@layer-acht.org>> wrote: > > hi Sylvain, > > On Mon, Aug 17, 2020 at 11:45:03PM +0200, Sylvain Beucler wrote: > > > - DLA 2332-1 (reserved by Sylvain Beucler) > > I just uploaded it, I am waiting for the ftp c

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-08-18 Thread Sylvain Beucler
Hi On 18/08/2020 00:08, Holger Levsen wrote: > I believe that wouldn't change anything. If the script would only > complain about DLA reservations X hours old, of course $you would send > the DLA right after my mail / after X hours + 2 minutes. I was thinking of 24h, in which case it's perfectly

gb: ghostscript_9.26a~dfsg-0+deb9u7

2020-08-21 Thread Sylvain Beucler
Hello, ghostscript failed to build on armhf for stretch-security: https://buildd.debian.org/status/fetch.php?pkg=ghostscript=armhf=9.26a%7Edfsg-0%2Bdeb9u7=1597941103=0 "./soobj/dxmainc.o: file not recognized: File truncated" I cannot find an explanation for this error, and the package builds

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-08-21 Thread Sylvain Beucler
Hi, On 20/08/2020 19:37, Holger Levsen wrote: >>> p.s.: as an after thought re: "don't harass me" (though I get it was a >>> joke, but I think the joke conveyed a useful notion): maybe my semiautomatic >>> mails should have a permanent disclaimer that being 'called out' by them is >>> nothing bad

[SECURITY] [DLA 2339-1] software-properties security update

2020-08-22 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian LTS Advisory DLA-2339-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ August 22, 2020

[SECURITY] [DLA 2335-1] ghostscript security update

2020-08-20 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian LTS Advisory DLA-2335-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ August 20, 2020

Re: gb: ghostscript_9.26a~dfsg-0+deb9u7

2020-08-24 Thread Sylvain Beucler
Hi, On 24/08/2020 07:42, Adrian Bunk wrote: > On Fri, Aug 21, 2020 at 02:08:44PM +0200, Sylvain Beucler wrote: >> Hello, >> >> ghostscript failed to build on armhf for stretch-security: >> https://buildd.debian.org/status/fetch.php?pkg=ghostscript=armhf=9.26a%7Ed

Re: rails update

2020-09-28 Thread Sylvain Beucler
On 24/09/2020 23:14, Sylvain Beucler wrote: > Hi Security Team, > > On 15/07/2020 10:53, Moritz Muehlenhoff wrote: >> On Wed, Jul 15, 2020 at 09:03:01AM +0200, Sylvain Beucler wrote: >>> On 14/07/2020 22:29, Moritz Mühlenhoff wrote: >>>> On Fri, Jul 10, 2020

Re: rails update

2020-09-24 Thread Sylvain Beucler
Hi Security Team, On 15/07/2020 10:53, Moritz Muehlenhoff wrote: > On Wed, Jul 15, 2020 at 09:03:01AM +0200, Sylvain Beucler wrote: >> On 14/07/2020 22:29, Moritz Mühlenhoff wrote: >>> On Fri, Jul 10, 2020 at 11:55:37AM +0200, Sylvain Beucler wrote: >>>> On 10/07

Re: IRC meeting this Thursday 24th - Agenda

2020-09-22 Thread Sylvain Beucler
Hi, On 22/09/2020 09:58, Holger Levsen wrote: > On Mon, Sep 21, 2020 at 09:57:24AM +0200, Sylvain Beucler wrote: >> One issue: https://pad.riseup.net/p/lts-meeting-agenda is currently >> unresponsive for me. > > works for me now. > > It currently has this agenda: >

Debian LTS and ELTS - September 2020

2020-10-01 Thread Sylvain Beucler
Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor. In

Re: Bug#971560: libsane-common 1.0.25-4.1+deb9u1 Stretch security update missing lots of files

2020-10-01 Thread Sylvain Beucler
Hi, Thanks for reporting this issue. Something must have gone wrong when rebuilding the packages at Debian, because the packages I had built didn't have these differences. I just ran a local rebuild and I still have valid packages, with all the files. It's night-time here so I won't look in depth

[SECURITY] [DLA 2386-1] libdbi-perl security update

2020-09-28 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian LTS Advisory DLA-2386-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ September 28, 2020

Re: [SECURITY] [DLA 2386-1] libdbi-perl security update

2020-09-28 Thread Sylvain Beucler
ain, > > On 28/09/2020 15:38, Sylvain Beucler wrote: >> - >> Debian LTS Advisory DLA-2386-1 debian-lts@lists.debian.org >> https://www.debian.org/lts/security/ >> September 28, 2020

Re: Bug#971560: libsane-common 1.0.25-4.1+deb9u1 Stretch security update missing lots of files

2020-10-03 Thread Sylvain Beucler
t me know if that's useful or too late. > Thanks! > > On Fri., Oct. 2, 2020 at 10:22, Sylvain Beucler > (b...@beuc.net) wrote: >> >> Hi, >> >> On 02/10/2020 13:51, Ivan Baldo wrote: >>> On Fri., Oct. 2, 2020 at 06:48, Sylv

Re: Refreshing mysql-connector-java

2020-05-25 Thread Sylvain Beucler
Hi Security Team, What is your view on updating mysql-connector-java 5.1.42->5.1.49 for Stretch? Would you need a complete debdiff specifically for Stretch to make a decision, or do you already have feedback on this proposal? Cheers! Sylvain On 11/05/2020 13:51, Sylvain Beucler wrote: >

Re: EOL'ing freerdp (v.1.1) for jessie and stretch

2020-06-02 Thread Sylvain Beucler
Hi, On 01/06/2020 14:17, Holger Levsen wrote: > On Mon, Jun 01, 2020 at 10:55:02AM +, Mike Gabriel wrote: >> Triaging and patch-backporting for FreeRDP (v1.1) will mean a considerable >> effort. IMHO, we should think about avoiding this. > > what does 'considerable effort' translate to? >

IRC meeting this Thursday 24th - Agenda

2020-09-21 Thread Sylvain Beucler
Hi, As promised, here's a reminder that we have an IRC meeting this Thursday, and we can prepare which topics to discuss a bit in advance :) One issue: https://pad.riseup.net/p/lts-meeting-agenda is currently unresponsive for me. Their home page https://pad.riseup.net/ says they are experiencing

Re: ruby-rails update destroy redmine issue number linking

2020-08-03 Thread Sylvain Beucler
Hi, On 03/08/2020 10:38, Utkarsh Gupta wrote: > On 8/3/20 1:56 PM, Utkarsh Gupta wrote: >> On Tue, 07 Jul 2020 09:36:20 +0200 "s.jaekel" wrote: >>> Package: ruby-rails >>> Version: 2:4.1.8-1+deb8u7 >>> Severity: important >>> Tags: upstream >>> >>> I updated the ruby-rails packages last week.

Re: ruby-rails update destroy redmine issue number linking

2020-08-03 Thread Sylvain Beucler
Hi, On 03/08/2020 13:52, Utkarsh Gupta wrote: > Whilst I am totally fine by this suggestion, but still asking.. > Would it make sense to fix this, since this upload was made just > around the time Jessie was EOL'ed. > Of course, I'd want people to upgrade, for sure, but in case they > can't, I

Debian LTS and ELTS - July 2020

2020-08-04 Thread Sylvain Beucler
Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor. In July,

Re: Update a fork for DLA publishing

2020-06-30 Thread Sylvain Beucler
Hi, Is there a reason why you do not request membership to the salsa webmaster-team group (as recommended in the wiki)? I think that'll solve the issue and save everybody's time :) Cheers! Sylvain On 30/06/2020 12:03, Ola Lundqvist wrote: > Hi LTS team > > When making a DLA published we create

Re: [Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim gosa.

2020-07-09 Thread Sylvain Beucler
point release to avoid any >> conflicts. > > I've just added notes about pending stretch-pu updates for the following > packages to dla-needed.txt: > - rails (Sylvain Beucler) This was coordinated already (cf. "rails update" thread), I clarified the note. - Sylvain

Re: rails update

2020-07-08 Thread Sylvain Beucler
Hi, On 06/07/2020 09:55, Pirate Praveen wrote: > On 2020, July 6 1:09:09 PM IST, Sylvain Beucler wrote: >> On 30/06/2020 22:38, Salvatore Bonaccorso wrote: >>> On Mon, Jun 29, 2020 at 01:06:49PM +0200, Sylvain Beucler wrote: >>>> On 25/06/2020 18:20, Sylvain Beucler

Re: rails update

2020-07-06 Thread Sylvain Beucler
Hi, On 30/06/2020 22:38, Salvatore Bonaccorso wrote: > On Mon, Jun 29, 2020 at 01:06:49PM +0200, Sylvain Beucler wrote: >> On 25/06/2020 18:20, Sylvain Beucler wrote: >>> On 22/06/2020 13:23, Sylvain Beucler wrote: >>>> On 22/06/2020 11:56, Utkarsh Gupta wrote: >

Re: Draft: Debian 8 Long Term Support reaching end-of-life

2020-07-03 Thread Sylvain Beucler
Hi, On 02/07/2020 21:02, Markus Koschany wrote: > Am 02.07.20 um 20:39 schrieb Moritz Mühlenhoff: >> On Thu, Jul 02, 2020 at 08:24:42PM +0200, Markus Koschany wrote: >>> Sorry, but I was assuming that the official end of oldstable is on July >>> 18 when Debian 9.13 is released. >>> >>>

Re: rails update

2020-07-10 Thread Sylvain Beucler
Hi, On 10/07/2020 10:28, Moritz Mühlenhoff wrote: > On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote: >> Hi, >> >> - buster update >> >> I now "up-ported" my stretch work at: >> https://www.beuc.net/tmp/debian-lts/rails-buster/ >

Re: Suggestions for handling of condor update

2020-07-13 Thread Sylvain Beucler
Hi Roberto, On 12/07/2020 13:44, Roberto C. Sánchez wrote: > Your feedback on the condor update situation (described below) would be > appreciated. > > Several weeks ago I prepared updates for condor for jessie (then-LTS), > stretch, and buster (the latter two still under the security team >

Re: DLA template and user signatures

2020-07-13 Thread Sylvain Beucler
Hi, On 07/07/2020 12:01, Emilio Pozuelo Monfort wrote: > - it was brought up that some DLAs include personal signatures at the end In what context did you receive this feedback? Cheers! Sylvain

Re: ksh / CVE-2019-14868

2020-07-13 Thread Sylvain Beucler
Hi, On 13/07/2020 00:01, Brian May wrote: > Is dla-needed.txt for Jessie or Stretch now? Stretch. > ksh was removed from dla-needed.txt for Stretch and classified "minor": > > https://salsa.debian.org/security-tracker-team/security-tracker/commit/87322fcf > > Then it was added again: > >
