On Fri, May 31, 2024 at 03:53:13PM -0300, Leandro Cunha wrote:
> Package: release.debian.org
> Control: affects -1 + src:phppgadmin
> X-Debbugs-Cc: phppgad...@packages.debian.org
> User: release.debian@packages.debian.org
> Usertags: rm
> X-Debbugs-Cc: leandrocunha...@gmail.com
> Severity:
On Tue, Apr 09, 2024 at 10:01:11AM +0200, Andreas Beckmann wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: Bastien Roucariès
> Control: affects -1 + src:json-smart
> Control: block 1039985 with
On Sat, Jul 22, 2023 at 02:44:17PM +0100, Jonathan Wiltshire wrote:
> Control: tag -1 confirmed
>
> On Sat, Jul 15, 2023 at 11:39:02PM +0200, Andreas Beckmann wrote:
> > Followup-For: Bug #1040925
> > Control: retitle -1 bookworm-pu: package
> > ca-certificates-java/20230620~deb12u1
> >
> > my
On Mon, Jul 31, 2023 at 08:05:29AM +0100, Jonathan Wiltshire wrote:
> Hi,
>
> On Mon, Jul 04, 2022 at 07:36:12PM +0100, Adam D. Barratt wrote:
> > Control: retitle -1 RM: obfs4proxy -- RoM; security issues
> > Control: tags -1 + moreinfo
> >
> > On Sat, 2022-03-26 at 21:21 +0100, Paul Gevers
On Tue, Apr 04, 2023 at 09:14:36PM +0200, Paul Gevers wrote:
> On 04-04-2023 20:07, Moritz Mühlenhoff wrote:
> > If we would add the list of source packages which are following micro
> releases
> > in stable-security to a machine-parseable list (e.g. somewhere in the
On Tue, Apr 04, 2023 at 08:58:37AM +0200, Ondřej Surý wrote:
> Hi Paul, Salvatore,
>
> In all honesty, I thought that the pre-negotiated exception for PHP
> does apply to all future Debian releases, so it did come as a surprise
> that I have to explain this again.
Question to the release team:
If
On Sat, Apr 01, 2023 at 08:32:55AM +0400, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: apac...@packages.debian.org
> Control: affects -1 + src:apache2
>
> [ Reason ]
> apache2 silently
On Mon, Mar 13, 2023 at 03:07:34PM +, Holger Levsen wrote:
> On Mon, Mar 13, 2023 at 03:58:45PM +0100, Moritz Mühlenhoff wrote:
> > On Mon, Mar 13, 2023 at 01:43:11PM +0100, Holger Levsen wrote:
> > > * security-support-limited:
> > > - for golang and openjd
On Mon, Mar 13, 2023 at 01:43:11PM +0100, Holger Levsen wrote:
> * security-support-limited:
> - for golang and openjdk-17, point to the bookworm manual instead of the one
> for bullseye.
That's wrong, though. (And the release notes need updating too, I'll file
a bug soonish): In
On Sun, Feb 19, 2023 at 05:23:55PM +0100, Markus Koschany wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: a...@debian.org
>
> Hi,
>
> I would like to update snakeyaml in Bullseye. The package
On Mon, Jan 16, 2023 at 12:46:37PM +, Didier 'OdyX' Raboud wrote:
> > I understand that would be annoying for you, but I don't think that it would
> > affect the majority of our users.
>
> Hrm. More and more laptops come with usb-c only, and dongles/docks become more
> and more common.
>
>
On Thu, Jan 12, 2023 at 09:17:18PM +0100, Paul Gevers wrote:
> On 12-01-2023 16:50, Shengjing Zhu wrote:
> > > But this bug report triggered me: did the golang security situation
> > > already improved during this release cycle. I may be misremembering, but
> > > I recall the problems on the
On Sun, Jan 08, 2023 at 12:27:52AM -0500, Andres Salomon wrote:
>
> On Fri, Jan 6 2023 at 11:36:02 AM +0200, Adrian Bunk
> wrote:
> > On Fri, Jan 06, 2023 at 10:18:16AM +0100, Moritz Muehlenhoff wrote:
> > > ...
> > > We might consider to set some expectation for oldstable-security,
> > >
Hi Martina,
> Control: affects -1 + src:golang-github-prometheus-exporter-toolkit
>
> [ Reason ]
> This package is currently FTBFS on stable due to flaky tests.
If we're doing a stable update anyway, could we also piggyback the
fix https://security-tracker.debian.org/tracker/CVE-2022-46146 ?
On Wed, Dec 07, 2022 at 08:27:05PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Mon, 2022-11-28 at 20:35 +0100, Moritz Muehlenhoff wrote:
> > openjdk bumped the requirements for the test suite within
> > their 11.x branch (which is what we ship in Bullseye), it
> > now
On Wed, Dec 07, 2022 at 08:31:06PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Wed, 2022-11-30 at 22:42 +0100, Moritz Muehlenhoff wrote:
> > This update fixes various minor crashes in mplayer, which
> > don't warrant a DSA by itself. I've run the PoCs against
> > the
On Wed, Jun 22, 2022 at 10:05:37AM +0200, Graham Inggs wrote:
> Hi,
>
> As part of the interim architecture qualification for bookworm, we
> request that DSA, the security team, Wanna build, and the toolchain
> maintainers review and update their list of known concerns for bookworm
> release
On Tue, Jul 05, 2022 at 10:13:20AM +0200, Sebastian Ramacher wrote:
> ffmpeg has a bad history of security issues including RCEs. It requires
> too many DSAs for both stable and oldstable. So I am only
> going to maintain one ffmpeg version for a specific Debian release.
> Anything else needs
Apollon wrote:
> I would like to update Ganeti to the current upstream bugfix version
> (3.0.2) - including all Debian packaging fixes currently in unstable -
> and I seek your approval.
>
> 3.0.2 was released a while back[1] as a bugfix-only release. Due to my
> involvement upstream, I had
On Wed, Mar 23, 2022 at 02:25:26PM +0100, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
>
> [ Reason ]
> node-url-parse is vulnerable to an authorization Bypass Through
> User-Controlled
On Mon, Feb 21, 2022 at 01:57:54PM +0100, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
>
> [ Reason ]
> node-prismjs has 2 vulnerabilities:
> * Regex DoS (CVE-2021-40438)
Where did you get that CVE
On Thu, Feb 03, 2022 at 03:59:00PM +0100, Thorsten Glaser wrote:
> Hi Holger,
>
> > and filed against src:debian-security-support, as openjdk-17 seems to be
> > supported and src:debian-security-support's purpose is to document what's
>
> no, 11 is supported, 17 is just for users to run
Mattia Rizzolo wrote:
>
>> On Sun, Dec 05, 2021 at 10:53:56AM +0100, Paul Gevers wrote:
>> > The problem really is lack of maintenance. In my opinion,
On Sun, Dec 05, 2021 at 10:53:56AM +0100, Paul Gevers wrote:
> Hi Andres,
>
> On 05-12-2021 03:36, Andres Salomon wrote:
> > So what's happening with chromium in both sid and stable? I saw on
> > d-release that it was removed from testing (#998676 and #998732), with a
> > discussion about ending
On Tue, Nov 30, 2021 at 06:00:57PM +, Adam D. Barratt wrote:
> I was assuming the plan was for the Firefox and Thunderbird updates to
> be released via the security archive.
Definitely! For the last ESR round DSA deployed a change to make the
security chroots include buster-proposed-updates.
On Fri, Jul 30, 2021 at 02:41:35PM +0200, Matthias Klose wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-CC: secur...@debian.org
>
> Please unblock openjdk-11, the next openjdk-11 security release.
And for
Yadd wrote:
> Our current apache2 policy keeps a lot of (maybe unimportant) CVE opened
> [1].
Note that this isn't really accurate: While there are CVEs listed with
2019- or 2020-, those were in fact all only recently published with the
latest Apache release.
> Then I'd like to see if it is
On Wed, May 19, 2021 at 08:49:01PM +0200, Paul Gevers wrote:
> Hi,
>
> First off, thanks Adrian for raising the concern. In general, at this
> stage we don't like packages breaking other packages.
This should have been fixed in unstable for a long time, I pinged the maintainer
multiple times
On Wed, May 19, 2021 at 08:47:24PM +0200, Sebastian Ramacher wrote:
> On 2021-05-18 23:38:58 +0200, Moritz Muehlenhoff wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: rm
> > X-Debbugs-Cc: ebo...@apache.org
> >
> > Please
You wrote in gmane.linux.debian.devel.release:
> Lucas Nussbaum writes:
>> It looks like the three open paths for resolution are:
>>
>> A) understand and restore the behaviour from Debian 10, that is, get X
>> to work in a degraded mode after installation. How it worked with Debian
>> 10 (and
On Wed, Apr 21, 2021 at 09:31:12AM +0300, Sebastian Dröge wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
>
> Please unblock package gstreamer1.0
>
> In addition to various more minor bugs, this release also fixes
On Sat, Mar 13, 2021 at 06:46:38PM +, Adam D. Barratt wrote:
> On Fri, 2021-02-26 at 16:30 +0100, Moritz Muehlenhoff wrote:
> > On Fri, Feb 26, 2021 at 07:49:38AM +0100, Matthias Klose wrote:
> > > On 2/25/21 7:41 PM, Moritz Muehlenhoff wrote:
> > > > + * CVE-2021-3177
> > >
> > > are all
On Sat, Mar 13, 2021 at 05:29:30PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Fri, 2021-02-19 at 22:32 +0100, Moritz Muehlenhoff wrote:
> > +python3.7 (3.7.3-2+deb10u3) buster; urgency=medium
> > +
> > + * CVE-2020-26116
> > + * CVE-2021-3177
> >
>
> Please go ahead.
On Tue, Feb 02, 2021 at 07:15:37PM +0100, Roland Rosenfeld wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
>
> This fixes CVE-2021-20216 and CVE-2021-20217.
> Since both are tagged " (Minor issue)" in security
On Tue, Jan 26, 2021 at 04:36:13PM +0100, Matthias Klose wrote:
> On 12/2/20 5:42 PM, Holger Levsen wrote:
> > On Fri, Nov 20, 2020 at 08:40:22AM +, Holger Levsen wrote:
> >>> Thanks for the upload.
> >> :) note however that "#975016: OpenJDK 15 support state for Bullseye" is
> >> still
> >>
On Fri, Jan 15, 2021 at 07:58:10PM +0100, Ondřej Surý wrote:
> Thinking about it, security-wise it might be better. Microsoft will support
> the security backports to EOL versions of PHP 7.x, but they announced they
> won’t do it for PHP 8.x, so we are (maybe) bit more covered with PHP 7.4.
On Thu, Jan 14, 2021 at 10:28:41AM +0100, Sebastian Ramacher wrote:
> I'm also CCing the security team for their input in case they have a
> strong opinion on this transition.
It's fine. PHP 8 would have been great, but it is what it is.
Cheers,
Moritz
On Thu, Nov 19, 2020 at 08:39:55PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Fri, 2020-11-13 at 22:33 +0100, Moritz Muehlenhoff wrote:
> > This fixes a few low severity security fixes affecting libxml2,
> > I've tested the package on a buster system with a few rdeps.
> >
On Wed, Nov 18, 2020 at 10:31:30PM +0100, Thorsten Glaser wrote:
> I think nobody wants to switch default-jdk to 17 or even not ship
> 11 at all any more or stop supporting it during bullseye’s lifetime.
> Maybe that also was too implicit?
Exactly, the supported Java release for the entire
On Sun, Nov 08, 2020 at 12:36:50PM +0200, Adrian Bunk wrote:
> On Fri, Jul 10, 2020 at 06:13:58PM +0100, Ben Hutchings wrote:
> > I don't know if this should be a blocker, but the MIPS builders are
> > still extremely slow for kernel builds. In the worst case (mipsel:
> > mipsel-aql-{01,02}) it
On Sat, Oct 24, 2020 at 07:44:12PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Tue, 2020-10-13 at 22:39 +0200, Moritz Muehlenhoff wrote:
> > This fixes a number of security issues in libjpeg,
> > which don't warrant a DSA. Package has been tested on
> > a buster system.
>
Adam D. Barratt wrote:
> There's a school of thought which says that it doesn't make sense to
> include the plugins in the Debian archive at all, and we should instead
> suggest that users install and update plugins from the upstream
> repositories directly.
The TB 68->78 is a little special
On Tue, Oct 13, 2020 at 08:57:14PM +, Mike Gabriel wrote:
> Hi Moritz,
>
> On Di 13 Okt 2020 22:39:53 CEST, Moritz Muehlenhoff wrote:
>
> > Package: release.debian.org
> > Severity: normal
> > Tags: buster
> > User: release.debian@packages.debian.org
> > Usertags: pu
> > X-Debbugs-Cc:
On Sun, Oct 11, 2020 at 03:29:22PM +0100, Adam D. Barratt wrote:
> On Sat, 2020-10-10 at 13:42 +0200, Moritz Mühlenhoff wrote:
> > On Sat, Oct 10, 2020 at 09:40:05AM +0100, Adam D. Barratt wrote:
> > > Control: tags -1 + confirmed
> > >
> > > On Thu, 2020-10-0
On Sat, Oct 10, 2020 at 09:40:05AM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Thu, 2020-10-08 at 21:15 +0200, Moritz Muehlenhoff wrote:
> > Low severity fix for Okular, which doesn't warrant a DSA.
> > I've tested with the reproducer and a number of other PDF
> > files
On Sat, Oct 10, 2020 at 09:44:31AM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Fri, 2020-10-09 at 19:40 +0200, Moritz Muehlenhoff wrote:
> > Fixes a memory leak when running Transmission in daemon mode.
> >
> > [ Tests ]
> > Have been using the package since a few weeks
On Sat, Oct 10, 2020 at 09:41:38AM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Thu, 2020-10-08 at 21:20 +0200, Moritz Muehlenhoff wrote:
> > Low severity bugfix for freecol, which doesn't warrant a DSA.
> >
> > The (identical) patch has been in unstable for half a year,
On Sat, Sep 19, 2020 at 06:17:20PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Sat, 2020-09-19 at 13:33 +0200, Moritz Muehlenhoff wrote:
> > Fix for CVE-2020-10188, which doesn't really warrant a DSA.
> >
>
> Please go ahead.
Thanks, uploaded.
Cheers,
Moritz
On Sat, Sep 19, 2020 at 06:15:22PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Sat, 2020-09-19 at 13:31 +0200, Moritz Muehlenhoff wrote:
> > Fix for CVE-2020-14983, which doesn't really warrant a DSA.
>
> Please go ahead.
Thanks, uploaded.
Cheers,
Moritz
On Sat, Aug 29, 2020 at 10:18:57PM +0200, Clément Hermann wrote:
> Hi,
>
> On 29/08/2020 20:09, Ansgar wrote:
> > Hi,
> >
> > Clément Hermann writes:
> >> The original message on debian-go and debian-release is here:
> >>
> >>
On Thu, Aug 27, 2020 at 07:16:19PM +0200, Clément Hermann wrote:
> I'm fine with IRC too. I think the dak implementation would be the best
> (along with a script or something that can tell which packages to
> binNMU, but with the proper field set d/control for binaries that
> doesn't sound
Paul Gevers wrote:
> As part of the interim architecture qualification for bullseye, we
> request that DSA, the security team, Wanna build, and the toolchain
> maintainers review and update their list of known concerns for bullseye
> release architectures.
There's nothing really of concern from
On Wed, May 06, 2020 at 11:22:42PM +0200, Moritz Mühlenhoff wrote:
> On Mon, May 04, 2020 at 11:04:21PM +0200, Andrej Shadura wrote:
> > On Mon, May 04, 2020 at 06:33:26PM +0200, Julien Cristau wrote:
> > > > I think in this case it’s okay because of this NEWS entry:
On Fri, May 22, 2020 at 10:36:51AM +, Holger Levsen wrote:
> FYI,
>
> debian-security-support (2020.05.22) unstable; urgency=medium
> .
> * Add pdns-recursor to security-support-ended.deb9 as explained in
> DSA-4691-1.
Thanks for this.
Cheers,
Moritz
On Mon, May 04, 2020 at 11:04:21PM +0200, Andrej Shadura wrote:
> On Mon, May 04, 2020 at 06:33:26PM +0200, Julien Cristau wrote:
> > > I think in this case it’s okay because of this NEWS entry:
> > >
> > > https://sources.debian.org/src/matrix-synapse/0.99.2-6/debian/NEWS/
>
> > I'm not sure
On Thu, Jan 30, 2020 at 10:41:56PM +, Holger Levsen wrote:
> On Thu, Jan 30, 2020 at 07:41:32PM +, Holger Levsen wrote:
> > I'll upload 2019.12.12~deb9u2 then which is lower than what's in
> > buster-pu currently and will be in buster soon. (2019.12.12~deb10u1)
>
> uploaded now.
>
>
On Sat, Jan 25, 2020 at 02:39:04PM +0100, Vincent Bernat wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
>
> Hey!
>
> The logrotate configuration file for
On Sat, Jan 25, 2020 at 07:29:20PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Tue, 2020-01-21 at 21:09 +0100, Moritz Muehlenhoff wrote:
> > Attached debdiff fixes a minor security issue in mesa. I've been
> > running the updated package on a Buster workstation over the
On Tue, Dec 03, 2019 at 11:30:44AM +0300, Dmitry Shachnev wrote:
> Dear Release team,
>
> On Fri, Nov 29, 2019 at 11:10:16PM +0300, Dmitry Shachnev wrote:
> > This update fixes bug #919504 that is also known as #929286, #931860,
> > #933278 and #945147.
> >
> > The debdiff is attached. Please see
On Sun, Dec 29, 2019 at 12:17:11PM +0100, Paul Gevers wrote:
> Hi Lisandro, Moritz,
>
> On 29-12-2019 11:26, Moritz Mühlenhoff wrote:
> >> Hi! As you know we are doing an effort to remove qt4-x11 from the archive.
> >> The
> >> next big step is removing i
On Sat, Dec 28, 2019 at 08:59:45PM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: rm
>
> Hi! As you know we are doing an effort to remove qt4-x11 from the archive. The
> next big step
Joachim Wiedorn wrote:
>> Your approach above will be good for users of unstable and testing, but
>> how does this help users of stable, when they upgrade from buster to
>> bullseye after the release of the latter? Just by writing this in the
>> release notes? Is that the best we can do?
>
>
On Sat, Nov 09, 2019 at 07:10:44PM -0500, Jay Berkenbilt wrote:
> I am the upstream author and the debian maintainer of qpdf.
>
> At the request of RedHat, I have made an enhancement to qpdf that
> allows an external library to be used for crypto functions rather than
> using qpdf's native crypto
On Fri, Nov 08, 2019 at 10:09:07PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Wed, 2019-10-30 at 16:44 +0100, Moritz Muehlenhoff wrote:
> > (This is a followup update on top of the +deb10u1 already in s-p-u,
> > I've reached out to Tristan beforehand)
> >
> > Attached
On Mon, Oct 21, 2019 at 04:36:23PM +0200, Jean Baptiste Favre wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: rm
>
> Dear release managers,
> Please remove trafficserver from
On Fri, Aug 30, 2019 at 09:17:32AM +0200, Raphael Hertzog wrote:
> Hi,
>
> On Fri, 30 Aug 2019, Pirate Praveen wrote:
> > Fast Track repo works exactly like current backports except the packages
> > are added from unstable (or experimental during transitions and freeze)
> > as they cannot go to
On Mon, Aug 26, 2019 at 06:04:55PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Sun, 2019-08-25 at 21:25 +0200, Moritz Muehlenhoff wrote:
> > The NSS update below fixes a few non-severe security issues. I've
> > been running this version with Firefox on Buster (which uses
reassign 935600 ftp.debian.org
retitle 935600 RM: valkyrie - depends on qt4, dead upstream
thanks
On Sat, Aug 24, 2019 at 02:40:31PM +0200, László Böszörményi (GCS) wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: rm
>
> Please
On Thu, Aug 22, 2019 at 10:07:51PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Thu, 2019-08-22 at 22:56 +0200, Moritz Muehlenhoff wrote:
> > Attached debdiff fixes a number of bugs in sox. These have been in
> > jessie for a while already (Stretch and Jessie have the same
On Thu, Aug 08, 2019 at 09:53:16AM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On 2019-08-08 08:47, Arnaud Rebillout wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: buster
> > User: release.debian@packages.debian.org
> > Usertags: pu
> >
> > The
On Fri, Aug 02, 2019 at 10:42:37PM +0100, Otto Kekäläinen wrote:
> (sorry for replying to wrong bug report earlier)
>
> Hello!
>
> I have now prepared 10.1.41 for upload to Stretch. I am CC'ing
> security team in case you want this faster in than waiting for the
> next stable update (planned for
On Fri, Aug 02, 2019 at 10:48:53PM +0100, Otto Kekäläinen wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster, moreinfo
> User: release.debian@packages.debian.org
> Usertags: pu
>
> MariaDB 10.3.17 includes security fixes and a few bug fixes
> appropriate for a stable
On Sat, Jul 27, 2019 at 12:34:38PM +0200, Cyril Brulebois wrote:
> Adam D. Barratt (2019-07-26):
> > On 2019-07-16 06:36, Moritz Muehlenhoff wrote:
> > > This update for OpenSSH fixes a dead lock in AuthorizedKeysCommand
> > > (#905226).
> > >
> > > The fixed package is running fine on a
On Sat, Jun 29, 2019 at 09:22:54AM +0200, Sylvestre Ledru wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
>
> Please unblock package encoding-rs
>
> Last minute, we had to update rustc to facilitate the packaging
> of
On Tue, Jun 18, 2019 at 06:19:33PM +0200, László Böszörményi (GCS) wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
>
> Hi Release Team,
>
> There's several security issues fixed with rdesktop 1.8.6 and while it
> has
On Mon, Jun 10, 2019 at 09:46:41PM -0700, tony mancill wrote:
> I am not a member of the OpenJDK team and contributed far less to the
> JDK 8 -> 11 transition than Emmanuel has. If he and Matthias are in
> agreement and the plan is palatable to the Release and Security Teams,
> that's ideal.
I
On Tue, Jun 04, 2019 at 09:27:55PM +0200, Paul Gevers wrote:
> Hi Michael, Jonathan,
>
> On Tue, 4 Jun 2019 14:11:23 +0100 Jonathan Wiltshire wrote:
> > On Mon, May 27, 2019 at 08:23:09AM +0300, Michael Tokarev wrote:
> > > I've prepared next release of the qemu debian package, with
> > > a few
On Sun, Apr 21, 2019 at 12:32:13AM +0200, Moritz Muehlenhoff wrote:
> Source: mercurial
> Version: 4.8.2-1
> Severity: grave
> Tags: security
>
> See https://www.mercurial-scm.org/wiki/WhatsNew from 4.9:
>
> This was assigned CVE-2019-3902:
> It was possible to use symlinks and subrepositories
Hi,
> I am reaching out to you to align on the security support that users can
> expect during the lifetime of buster and how this is covered in the
> release notes.
>
> The release notes currently contain a section on "Limitations in
> security support", which currently covers:
> * web
On Tue, Apr 16, 2019 at 10:04:20AM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Mon, 2019-04-15 at 22:49 +0200, Moritz Mühlenhoff wrote:
> > On Sun, Apr 14, 2019 at 09:20:13PM +0100, Adam D. Barratt wrote:
> > > Control: tags -1 + moreinfo
On Sun, Apr 14, 2019 at 09:20:13PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On Mon, 2019-03-25 at 22:35 +0100, Moritz Muehlenhoff wrote:
> > How about the following debdiff to address the fallout of
> > the Xul deprecation in icedtea-web (#921748) for the next
> > point
On Tue, Apr 02, 2019 at 10:40:44PM -0400, Reinhard Tartler wrote:
> Ah, that's great news. I didn't realize that Moritz backported the
> security fixes to an earlier upstream version. I managed to locate the
> git commits but wasn't comfortable with backporting them to version 0.5.2,
> not all of
On Sat, Feb 16, 2019 at 11:31:24AM +, Adam D. Barratt wrote:
> On Fri, 2019-02-08 at 21:03 +0100, Moritz Muehlenhoff wrote:
> > This disables the browser plugin (which was broken due to the Firefox
> > Quantum changes), the equivalent change in sid was done in 1.7.1-1.
>
> Unfortunately, we
On Wed, Nov 07, 2018 at 06:22:58AM +0100, Julien Aubin wrote:
> On Sat, 03 Nov 2018 10:45:33 +0100 Moritz Muehlenhoff wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: rm
> >
> > Broken with Firefox 60, please remove from
On Wed, Oct 31, 2018 at 09:17:02PM +, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On Wed, 2018-10-31 at 21:29 +0100, Moritz Muehlenhoff wrote:
> > Please remove mozvoikko from stretch, it's broken with Firefox 60.
> > Removal from sid was filed in #912457.
>
> Unfortunately it
On Sat, Oct 20, 2018 at 10:43:31AM +0100, Adam D. Barratt wrote:
> On Fri, 2018-10-05 at 17:48 -0500, Daniel Kahn Gillmor wrote:
> > I'd like to update the version of GnuPG in debian stable with a
> > series of targeted bugfixes (most of which are backported from
> > upstream).
> [...]
> > I note
On Mon, Oct 15, 2018 at 10:41:25PM +0200, Steinar H. Gunderson wrote:
> On Mon, Oct 15, 2018 at 10:33:11PM +0200, Moritz Muehlenhoff wrote:
> > Ultimately this is up for Michael to decide, as he's dealing with Chromium
> > updates single-handedly.
>
> Agreed.
>
> > Personally I have no
On Sat, Oct 06, 2018 at 11:16:00AM +0200, Emilio Pozuelo Monfort wrote:
> On 05/10/2018 21:04, Moritz Muehlenhoff wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: rm
> >
> > Broken with Firefox ESR 60, filed for removal
On Tue, Sep 04, 2018 at 12:12:56AM +0200, Sebastian Andrzej Siewior wrote:
> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: pu
> Tags: stretch
> Severity: normal
I can't speak for the SRMs, but personally I'm in favour of this. In
fact, I had been meaning
On Tue, Jul 31, 2018 at 11:29:16AM +0900, Nobuhiro Iwamatsu wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian@packages.debian.org
> Usertags: pu
>
> Dear stable release manager,
>
> I hereby propose an update for stretch of mruby.
There's a few
: #903118)
+
+ -- Moritz Mühlenhoff Sun, 08 Jul 2018 21:39:35 +0200
+
rustc (1.24.1+dfsg1-1~deb9u1) stretch; urgency=medium
* Build for stretch to be used by Firefox ESR60
diff -Nru rustc-1.24.1+dfsg1/debian/control rustc-1.24.1+dfsg1/debian/control
--- rustc-1.24.1+dfsg1/debian/control
Aurelien Jarno wrote:
> Hi,
>
> The amd64 build of dosbox/stretch has been rejected by dak, as the
> changes file used for the source upload clashes with the one for the
> amd64 binary upload. This is something not supported by dak for some
> suites.
>
> I guess the best is to do a manual upload
On Sun, Jul 01, 2018 at 06:44:08PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Fri, 2018-06-08 at 22:41 +0200, Moritz Muehlenhoff wrote:
> > dosbox is broken in the default setting on a number of systems/DOS
> > binaries
> > (see #857341). This got fixed in unstable back
On Sun, Jul 01, 2018 at 08:54:00AM +, Niels Thykier wrote:
> Moritz Mühlenhoff:
> > Niels Thykier wrote:
> >> If the issues and concerns from you or your team are not up to date,
> >> then please follow up to this email (keeping debian-release@l.d.o and
> >>
On Fri, Jun 29, 2018 at 10:33:16PM +0100, Ben Hutchings wrote:
> On Fri, 2018-06-29 at 22:31 +0200, Moritz Mühlenhoff wrote:
> > Niels Thykier wrote:
> > > If the issues and concerns from you or your team are not up to date,
> > > then please follow up to this email (k
Niels Thykier wrote:
> If the issues and concerns from you or your team are not up to date,
> then please follow up to this email (keeping debian-release@l.d.o and
> debian-ports@l.d.o in CC to ensure both parties are notified).
Two issues that we discussed at the recent Security Team sprint wrt
On Wed, Jun 27, 2018 at 08:18:01PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> > It's a straightforward rebuild. The debdiff against 1:4.0.1-10
> > from buster is very simple (with an additional build conflicts
> > I ran into when preparing the build).
>
> Please go ahead.
On Tue, Jun 12, 2018 at 09:45:06AM +0100, Adam D. Barratt wrote:
> > > * git-annex 5.20141125+deb8u1 (arm64 ppc64el)
> > > * graphicsmagick 1.3.20-3+deb8u2 (powerpc)
> > > * mariadb-10.0 10.0.32-0+deb8u1 (mips mipsel powerpc s390x)
>
> Thanks, but at this stage I think we'll just have to accept
On Mon, Jun 11, 2018 at 10:04:29PM +0100, Adam D. Barratt wrote:
> Unfortunately not quite yet, as none of the builds made it to
> oldstable-new. It looks like this is due to:
>
> Version check failed:
> Your upload included the binary package openjdk-7-jre-zero, version
> 7u181-2.6.14-1~deb8u1,
On Sun, Jun 10, 2018 at 02:59:49PM -0400, Hugo Lefeuvre wrote:
>
> lame 3.99.5+repack1-7+deb8u1 is affected by several vulnerabilities in
> the code used to read the input file. These issues are not present in
> any Debian release after Jessie because the package switched to
> libsndfile to read