Bug#1025647: buster-pu: package libapache2-mod-auth-mellon/0.14.2-1+deb10u1

2022-12-06 Thread Thijs Kinkhorst
-0.14.2/debian/changelog 2022-12-06 15:39:13.0 + @@ -1,3 +1,10 @@ +libapache2-mod-auth-mellon (0.14.2-1+deb10u1) buster; urgency=high + + * Upload to fix security issues: +- Open redirect in logout endpoint (CVE-2019-13038 CVE-2021-3639) + + -- Thijs Kinkhorst Tue, 06 Dec 2022 15:39
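
Review bot: the two CVE identifiers in the "Upload to fix security issues" bullet are run together with only a space ("CVE-2019-13038 CVE-2021-3639"); separate them with a comma so a reader, and anyone grepping changelogs, sees two distinct ids. The entry also carries urgency=high while the parallel bullseye entry for the same CVE-2021-3639 fix (#1025646, below) carries urgency=medium; urgency only influences testing migration, not how a point-release upload is processed, so this is a consistency point rather than a functional one.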

Bug#1025646: bullseye-pu: package libapache2-mod-auth-mellon/0.17.0-1+deb11u1

2022-12-06 Thread Thijs Kinkhorst
20:12:37.0 +0100 @@ -1,3 +1,10 @@ +libapache2-mod-auth-mellon (0.17.0-1+deb11u1) bullseye; urgency=medium + + * Upload to fix security issue: +- Open redirect in logout endpoint (CVE-2021-3639) + + -- Thijs Kinkhorst Tue, 06 Dec 2022 20:12:37 +0100 + libapache2-mod-auth-mellon

Bug#946841: buster-pu: package simplesamlphp/1.16.3-1+deb10u2

2019-12-16 Thread Thijs Kinkhorst
=medium + + * Fix incompatibility with PHP 7.3 (closes: #944820). + + -- Thijs Kinkhorst Mon, 16 Dec 2019 14:15:00 +0100 + simplesamlphp (1.16.3-1+deb10u1) buster-security; urgency=high * Fix security issue CVE-2019-3465. diff -Nru simplesamlphp-1.16.3/debian/patches/fix-xmlseclibs-php73

Bug#940477: stretch-pu: package tmpreaper/1.6.13+nmu1+deb9u2

2019-09-16 Thread Thijs Kinkhorst
to prevent +breaking systemd services that have PrivateTmp=true (closes: #881725). + + -- Thijs Kinkhorst Mon, 16 Sep 2019 09:39:51 +0200 + tmpreaper (1.6.13+nmu1+deb9u1) stretch-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru tmpreaper-1.6.13+nmu1+deb9u1/debian

Bug#940476: buster-pu: package tmpreaper/1.6.14+deb10u1

2019-09-16 Thread Thijs Kinkhorst
with maintainer approval. + * Add `--protect '/tmp/systemd-private*/*'` to cron job to prevent +breaking systemd services that have PrivateTmp=true (closes: #881725). + + -- Thijs Kinkhorst Mon, 16 Sep 2019 07:15:24 + + tmpreaper (1.6.14) unstable; urgency=medium * Upload to unstable

Bug#925345: unblock: libapache2-mod-auth-mellon/0.14.2-1

2019-03-24 Thread Thijs Kinkhorst
On Sat, March 23, 2019 16:56, Jonathan Wiltshire wrote: > On Sat, Mar 23, 2019 at 03:00:06PM +0100, Thijs Kinkhorst wrote: >> Please unblock package libapache2-mod-auth-mellon >> >> The upload contains fixes for two security issues, it is a new >> upstream tha

Bug#925345: unblock: libapache2-mod-auth-mellon/0.14.2-1

2019-03-23 Thread Thijs Kinkhorst
y release. (closes: #925197) +- Auth bypass when used with reverse proxy [CVE-2019-3878] +- Open redirect vulnerability in logout [CVE-2019-3877] + + -- Thijs Kinkhorst Fri, 22 Mar 2019 12:10:11 + + libapache2-mod-auth-mellon (0.14.1-1) unstable; urgency=medium [ Thijs Kinkhorst ]

Bug#867461: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?

2018-01-12 Thread Thijs Kinkhorst
On Fri, January 12, 2018 10:24, Raphael Hertzog wrote: > Hi, > > On Tue, 09 Jan 2018, Brian May wrote: >> Raphael Hertzog writes: >> >> > I think this mail went through the cracks as we haven't received a >> reply >> > from you so far. Can you let us know the status and

Bug#875765: stretch-pu: package mailman/1:2.1.23-1+deb9u1

2017-09-14 Thread Thijs Kinkhorst
dependencies in SpamAssassin.py (Closes: #838288). +Thanks Stephen Rothwell for the patch. + + -- Thijs Kinkhorst <th...@debian.org> Thu, 14 Sep 2017 12:23:04 +0200 + mailman (1:2.1.23-1) unstable; urgency=medium * New upstream release. diff -Nru mailman-2.1.23/debian/contrib/SpamAssas

Bug#857712: unblock: libapache2-mod-auth-mellon/0.12.0-2

2017-03-14 Thread Thijs Kinkhorst
session transfer vulnerability [CVE-2017-6807]. + + -- Thijs Kinkhorst <th...@debian.org> Mon, 13 Mar 2017 13:06:19 + + libapache2-mod-auth-mellon (0.12.0-1) unstable; urgency=high * New upstream release. diff -Nru libapache2-mod-auth-mellon-0.12.0/debian/patches/01_logout_segfault

Re: embedding openssl source in sslcan

2017-01-02 Thread Thijs Kinkhorst
On Fri, December 23, 2016 18:53, Moritz Mühlenhoff wrote: > Sebastian Andrzej Siewior schrieb: > > Please use t...@security.debian.org if you want to reach the security > team, not debian-security@ldo. > >> tl;dr: Has anyone a problem if sslscan embeds openssl 1.0.2 in

Bug#784670: jessie-pu: package pound/2.6-6+deb8u1

2015-05-07 Thread Thijs Kinkhorst
/changelog 2015-05-07 16:30:55.0 + @@ -1,3 +1,11 @@ +pound (2.6-6+deb8u1) jessie; urgency=medium + + * Non-maintainer upload by the security team with maintainer approval. + * Add missing part of anti_beast patch to fix disabling of client +renegotiation. (Closes: #765649) + + -- Thijs

Bug#782565: unblock: commons-httpclient/3.1-11

2015-04-14 Thread Thijs Kinkhorst
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package commons-httpclient. It fixes security issue CVE-2014-3577. unblock commons-httpclient/3.1-11 Cheers, Thijs diff -Nru commons-httpclient-3.1/debian/ant.properties

Bug#782147: unblock: mediawiki/1:1.19.20+dfsg-2.3

2015-04-08 Thread Thijs Kinkhorst
filtering to prevent XSS and protect viewer's + privacy. + + -- Thijs Kinkhorst th...@debian.org Mon, 06 Apr 2015 16:53:54 + + mediawiki (1:1.19.20+dfsg-2.2) unstable; urgency=medium * Non-maintainer upload. diff -Nru mediawiki-1.19.20+dfsg/debian/patches/security_1.19.24.patch

Bug#782146: unblock: mailman/1:2.1.18-2

2015-04-08 Thread Thijs Kinkhorst
installations which use an Exim or Postfix transport +instead of fixed aliases; attacker needs to be able to place +files on the local filesystem. +(CVE-2015-2775, Closes: 781626) + + -- Thijs Kinkhorst th...@debian.org Mon, 06 Apr 2015 15:36:15 + + mailman (1:2.1.18-1) unstable; urgency
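
Review bot: "Closes: 781626" in the CVE-2015-2775 bullet omits the "#" that the other Closes references on this page use ("Closes: #775682", "closes: #772121"); dpkg-parsechangelog treats the "#" as optional, so the bug will still be closed, but "(CVE-2015-2775, Closes: #781626)" keeps the entry consistent with the rest of the changelog.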

Bug#776325: wheezy-pu: package pound/2.6-2+deb7u1

2015-02-02 Thread Thijs Kinkhorst
Hi Antonio, On Mon, February 2, 2015 15:34, Antonio Terceiro wrote: ping :) As a heads up, we're currently preparing an upload for stable-security where this patch will most likely be included. Thijs -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of

Bug#776204: unblock: python-django/1.7.1-1.1

2015-01-25 Thread Thijs Kinkhorst
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package python-django. It fixes several security issues. The NMU seems to add a stray .orig in the source package; but I reckon that is harmless and should not block fixing

Bug#776200: unblock: websvn/2.3.3-1.2

2015-01-25 Thread Thijs Kinkhorst
arbitrary +file access (CVE-2013-6892, Closes: #775682). + + -- Thijs Kinkhorst th...@debian.org Sat, 24 Jan 2015 12:31:44 + + websvn (2.3.3-1.1) unstable; urgency=low * Non-maintainer upload. diff -Nru websvn-2.3.3/debian/patches/13_security_CVE-2013-6892.patch websvn-2.3.3/debian/patches

Bug#775165: nmu: binutils-mingw-w64_2 (wheezy-security, wheezy-p-u)

2015-01-12 Thread Thijs Kinkhorst
Hi ftpmaster, On Monday 12 January 2015 19:18:28 Adam D. Barratt wrote: On Mon, 2015-01-12 at 19:15 +0100, Thijs Kinkhorst wrote: This is not something we do very routinely, so I'd like to confirm: if these binNMU's are triggered for stable-security, do they still end up

Bug#775165: nmu: binutils-mingw-w64_2 (wheezy-security, wheezy-p-u)

2015-01-12 Thread Thijs Kinkhorst
On Mon, January 12, 2015 20:18, Ansgar Burchardt wrote: Hi, Thijs Kinkhorst th...@debian.org writes: On Monday 12 January 2015 19:18:28 Adam D. Barratt wrote: On Mon, 2015-01-12 at 19:15 +0100, Thijs Kinkhorst wrote: This is not something we do very routinely, so I'd like to confirm

Bug#775165: nmu: binutils-mingw-w64_2 (wheezy-security, wheezy-p-u)

2015-01-12 Thread Thijs Kinkhorst
On Monday 12 January 2015 08:15:39 Adam D. Barratt wrote: On Mon, 2015-01-12 at 06:47 +0100, Stephen Kitt wrote: binutils was recently updated in wheezy-security and wheezy-p-u to fix a number of security issues identified in DSA-3123-1; of these, a number concern binutils-mingw-w64 as

Bug#773782: unblock: znc/1.4-2

2014-12-23 Thread Thijs Kinkhorst
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package znc. The upload adds an upstream patch that allows disabling SSL protocols, and disables SSLv2 and SSLv3. unblock znc/1.4-2 Thanks, Thijs -- To UNSUBSCRIBE,

Bug#772124: unblock: simplesamlphp/1.13.1-2

2014-12-05 Thread Thijs Kinkhorst
+ @@ -1,3 +1,11 @@ +simplesamlphp (1.13.1-2) unstable; urgency=medium + + * Add xmlc14n.patch fixing extreme resource consumption when processing +large metadata files (closes: #772121). +See: https://simplesamlphp.org/metaprocessing + + -- Thijs Kinkhorst th...@debian.org Fri, 05

Bug#770799: RM: cyassl/2.9.4+dfsg-3 (ROST; NPOASR, security, no r-deps)

2014-11-24 Thread Thijs Kinkhorst
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm Hi, Please remove cyassl from jessie. The library has a number of open security issues affecting the version in jessie, but has no packages actually depending on it. While security team

Bug#770611: unblock: gnutls28/3.3.8-5

2014-11-22 Thread Thijs Kinkhorst
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package gnutls28. The only change is a patch from upstream to disable the obsolete protocol SSLv3. OpenSSL in jessie also has SSLv3 disabled. unblock gnutls28/3.3.8-5

Re: Bug#769781: polarssl: disable SSLv3 also in jessie

2014-11-18 Thread Thijs Kinkhorst
Hi Roland, On Mon, November 17, 2014 10:02, Roland Stigge wrote: On 11/16/2014 01:17 PM, Thijs Kinkhorst wrote: Sorry, I have to change my request because I've now seen that the new upstream release of polarssl also fixes some other security issues. Will you be contacting the release team

Bug#769583: unblock: bind9/ 9.9.5 with patch or 9.9.6?

2014-11-17 Thread Thijs Kinkhorst
On Sun, November 16, 2014 17:01, Daniel Pocock wrote: On 16 November 2014 16:58:47 CET, Jonathan Wiltshire j...@debian.org Did you get any responses from elsewhere to this? Not yet, I'll follow up after the weekend. If no response, I'm happy to NMU the one line fix to copy the missing header

Bug#769279: Bug#769046: inn2: Allow for better TLS configurability

2014-11-12 Thread Thijs Kinkhorst
On Wed, November 12, 2014 12:55, Marco d'Itri wrote: Can I merge this for jessie? I'd strongly prefer if we could indeed merge this for jessie. INN, at the moment, supports TLS connections to nnrpd, but does not allow any configuration besides the certificate and key. +=item Itlsprotocols

Bug#769279: Bug#769046: inn2: Allow for better TLS configurability

2014-11-12 Thread Thijs Kinkhorst
On Wed, November 12, 2014 14:29, Marco d'Itri wrote: On Nov 12, Thijs Kinkhorst th...@debian.org wrote: Can you remove SSLv3 from the default list? I do not know the implications wrt clients support. Christian, did you do any tests? +=item Itlscompression +Whether to enable or disable

Bug#769164: unblock: file/1:5.20-2

2014-11-11 Thread Thijs Kinkhorst
Package: release.debian.org Severity: important User: release.debian@packages.debian.org Usertags: unblock Please unblock package file. * Fixes a security issue, urgency set to high * Cherry-pick upstream commit FILE5_20-5-g39c7ac1: Fix note bounds reading, Francisco Alonso / Red Hat

Bug#768402: unblock: simplesamlphp/1.13.1-1

2014-11-10 Thread Thijs Kinkhorst
On Sat, November 8, 2014 22:25, intrigeri wrote: I doubt it would add much value, but Jonathan's point was about getting enough information to assess severity, so perhaps you could tell the release team what severity you _would_ set for each of these bugs in the Debian BTS, if they were

Bug#768402: unblock: simplesamlphp/1.13.1-1

2014-11-07 Thread Thijs Kinkhorst
On Fri, November 7, 2014 12:52, Jonathan Wiltshire wrote: On 2014-11-07 07:30, Thijs Kinkhorst wrote: This is an upstream release limited to strictly bugfixes. Are there corresponding Debian bugs so we can assess severity please? These are the issues fixed in this release. https://github.com

Bug#768403: unblock: ttytter/2.1.0+1-1

2014-11-06 Thread Thijs Kinkhorst
; urgency=medium + + * New upstream pseudorelease. +- Accesses OAuth API over SSL by default (Closes: #736446, #760815). +- Addresses rate limit warning (Closes: #756960). + + -- Thijs Kinkhorst th...@debian.org Thu, 30 Oct 2014 22:36:58 +0100 + ttytter (2.1.0-1) unstable; urgency=low

Bug#768402: unblock: simplesamlphp/1.13.1-1

2014-11-06 Thread Thijs Kinkhorst
. + + -- Thijs Kinkhorst th...@debian.org Mon, 27 Oct 2014 19:23:35 + + simplesamlphp (1.13.0-1) unstable; urgency=medium * New upstream release. diff -Nru simplesamlphp-1.13.0/debian/control simplesamlphp-1.13.1/debian/control --- simplesamlphp-1.13.0/debian/control 2014-08-18 11:11:23.0

Re: binNMUs for dpkg-buildflags / -fstack-protector-strong

2014-10-06 Thread Thijs Kinkhorst
On Tue, September 23, 2014 22:36, Moritz Mühlenhoff wrote: On Sat, Sep 20, 2014 at 02:18:34PM +0200, Julien Cristau wrote: On Sat, Sep 20, 2014 at 12:53:54 +0200, Moritz Muehlenhoff wrote: On Sat, Sep 20, 2014 at 10:45:00AM +0200, Julien Cristau wrote: On Wed, Sep 17, 2014 at 22:29:10

Bug#753310: opu: ia32-libs/20140630 ia32-libs-gtk/20140630

2014-07-08 Thread Thijs Kinkhorst
On Tuesday 8 July 2014 20:52:08 Adam D. Barratt wrote: Unfortunately, something appears to have gone wrong with the ia32-libs-gtk upload and I've flagged that one for rejection. Specifically, the entire debdiff is: Right, what went wrong is that there are 0 updates for ia32-libs-gtk since

Bug#753310: opu: ia32-libs/20140630 ia32-libs-gtk/20140630

2014-06-30 Thread Thijs Kinkhorst
urgency=high accordingly [ gnutls26 (2.8.6-1+squeeze3) oldstable-security; urgency=high ] * 22_gnutls-2.8.5-cve-2014-0092.patch by Nikos Mavrogiannopoulos: Fix certificate validation issue. CVE-2014-0092 -- Thijs Kinkhorst th...@debian.org Mon, 30 Jun 2014 13:45:39 +0200 ia32-libs-gtk

Bug#733564: pu: apache2 with ECDHE support

2014-06-16 Thread Thijs Kinkhorst
On Mon, June 16, 2014 00:06, Adam D. Barratt wrote: Control: tags -1 + pending On Sun, 2014-05-25 at 17:55 +0200, Stefan Fritsch wrote: I have just uploaded apache2_2.2.22-13+deb7u2: Flagged for acceptance; sorry for the delay. apache2 (2.2.22-13+deb7u2) wheezy; urgency=medium *

Bug#736494: About #736494

2014-04-18 Thread Thijs Kinkhorst
On Fri, April 18, 2014 17:46, Adam D. Barratt wrote: On 2014-04-16 16:18, William Dauchy wrote: On Apr16 11:06, Adam D. Barratt wrote: On a related note, it would be appreciated if comments such as cleanup series were more verbose in future, as it appears to have involved removing enabled

Bug#736494: About #736494

2014-04-16 Thread Thijs Kinkhorst
Hi Adam, On Sun, April 13, 2014 14:39, Adam D. Barratt wrote: On Sun, 2014-04-13 at 13:58 +0200, William Dauchy wrote: Is there someone available to validate this package? Lots of present fixes are more than needed to have a usable version of php in production. Such comments really aren't

Bug#742329: use softer colours for architecture qualification page

2014-03-22 Thread Thijs Kinkhorst
Package: release.debian.org Severity: minor Tags: patch Attached patch uses softer colours which are easier on the eye for the architecture qualification page. From 3932bb06d69557a5d05efbf50459d9b7b9b5cccf Mon Sep 17 00:00:00 2001 From: Thijs Kinkhorst th...@debian.org Date: Sat, 22 Mar 2014 14

Bug#742329: use softer colours for architecture qualification page

2014-03-22 Thread Thijs Kinkhorst
On Sat, March 22, 2014 16:28, Julien Cristau wrote: looks like that if col==red is now broken? Indeed, see fixed patch attached. Thijs From 8f84a1be4a9c49782ea8f736ef315508591e1608 Mon Sep 17 00:00:00 2001 From: Thijs Kinkhorst th...@debian.org Date: Sat, 22 Mar 2014 16:47:16 +0100 Subject

Bug#736494: Please consider to prioritize this update

2014-02-25 Thread Thijs Kinkhorst
Hi Clement, On Tue, February 25, 2014 07:32, Clement Wong wrote: Our web servers have been using a self-patched version for a long time because of the sybase regression from deb7u3, and this is a big problem for us in terms of security, we don't have the manpower to keep our php up to date.

Re: PHP security upload not included in 6.0.9

2014-02-17 Thread Thijs Kinkhorst
Hi Lior, On Mon, February 17, 2014 09:45, Lior Kaplan wrote: 1. First time I encounter this problem, any idea where can I see the buildd logs for these security uploads to see why haven't they built fine. The security team receives those. I'll forward them to you for this case. 2. I see

Bug#737201: pu: package ia32-libs/20140131, ia32-libs-gtk/20140131

2014-01-31 Thread Thijs Kinkhorst
.patch. +CVE-2013-5605: Null_Cipher() does not respect maxOutputLen; allowing +remote attackers to cause a denial of service or possibly have +unspecified other impact via invalid handshake packets. + + -- Thijs Kinkhorst th...@debian.org Fri, 31 Jan 2014 09:19:46 +0100 + ia32-libs

Re: Bits from the Release Team: Architecture health check

2014-01-30 Thread Thijs Kinkhorst
On Thu, January 30, 2014 00:03, Niels Thykier wrote: On 2014-01-29 23:24, Steven Chamberlain wrote: What exactly does the 'scope of the port' mean? Suites of packages, tasksel tasks, desktop environments? Particular use cases (server, laptop, desktop)? Or something else? So, at this point,

Bug#726013: opu: package ia32-libs/20131011

2013-10-11 Thread Thijs Kinkhorst
to syslog() (CVE-2013-4258). + + -- Thijs Kinkhorst th...@debian.org Fri, 11 Oct 2013 09:40:55 +0200 + ia32-libs (20130924) squeeze-proposed-updates; urgency=low * Packages updated diff -Nru ia32-libs-20130924/debian/copyright ia32-libs-20131011/debian/copyright --- ia32-libs-20130924/debian

Bug#723641: pu: package xen/4.1.4-5

2013-10-04 Thread Thijs Kinkhorst
On Wed, October 2, 2013 19:21, Bastian Blank wrote: On Tue, Oct 01, 2013 at 04:58:43PM +0200, Thijs Kinkhorst wrote: On Mon, September 30, 2013 18:52, Bastian Blank wrote: I don't think this will work. The current security process ignores any communication that is otherwise part of the NMU

Bug#723641: pu: package xen/4.1.4-5

2013-10-01 Thread Thijs Kinkhorst
On Mon, September 30, 2013 18:52, Bastian Blank wrote: On Mon, Sep 30, 2013 at 04:38:24PM +0200, Thijs Kinkhorst wrote: Thanks. I've read them. My conclusion is that there are two problems: 1/ On a previous upload, someone from the security team added extra changes without coordination

Bug#723641: pu: package xen/4.1.4-5

2013-09-30 Thread Thijs Kinkhorst
On Mon, September 23, 2013 10:47, Bastian Blank wrote: On Mon, Sep 23, 2013 at 09:47:32AM +0200, Thijs Kinkhorst wrote: Do you have a message ID for me? I'd rather try to see what the problems with the wheezy-security route are and how we can resolve them, rather than try to work around them

Bug#723641: pu: package xen/4.1.4-5

2013-09-23 Thread Thijs Kinkhorst
On Sun, September 22, 2013 23:34, Bastian Blank wrote: On Sun, Sep 22, 2013 at 09:58:54PM +0100, Adam D. Barratt wrote: On Wed, 2013-09-18 at 14:06 +0200, Bastian Blank wrote: There are several CVE pending for Xen, plus some embargoed ones. This fixes all public ones that have fixes.

Bug#718050: RM: jclicmoodle/0.1.0.11-1 -- not useful without Moodle

2013-07-28 Thread Thijs Kinkhorst
Package: release.debian.org Severity: normal Tags: wheezy User: release.debian@packages.debian.org Usertags: rm Hi, Please remove jclicmoodle from wheezy. It's only useful with Moodle, which isn't in wheezy. The package missed a dependency on moodle so wasn't removed together with moodle;

Bug#711223: pu: package dpkg-ruby/0.3.6+nmu2

2013-06-05 Thread Thijs Kinkhorst
-upgrades to wheezy (Closes: #585448). + + -- Thijs Kinkhorst th...@debian.org Wed, 05 Jun 2013 18:11:23 +0200 + dpkg-ruby (0.3.6+nmu1) unstable; urgency=high * Non-maintainer upload. diff -Nru dpkg-ruby-0.3.6+nmu1/lib/debian.rb dpkg-ruby-0.3.6+nmu2/lib/debian.rb --- dpkg-ruby-0.3.6+nmu1/lib

Bug#706488: Aw: Re: Bug#706488: RM: boinc-server-maker/7.0.27

2013-05-02 Thread Thijs Kinkhorst
On Thu, May 2, 2013 09:25, Steffen Möller wrote: I have talked back to my pkg-boinc mates and, well, feelings are mixed. The remaining source to this TV report and some prominent discussions about it I found at http://www.rechenkraft.net/phpBB/viewtopic.php?f=12&t=12717&start=12

Bug#706488: RM: boinc-server-maker/7.0.27

2013-05-01 Thread Thijs Kinkhorst
Hi Steffen, On Tue, April 30, 2013 22:07, Steffen Moeller wrote: The PHP code shipping with the BOINC Server Maker package was not updated for a long time because of the freeze coinciding with the general overhaul of the BOINC package structure. An important security update was missed. The

Bug#706488: RM: boinc-server-maker/7.0.27

2013-05-01 Thread Thijs Kinkhorst
On Wed, May 1, 2013 12:17, Alyssa Milburn wrote: These missed server issues were presumably what's now CVE-2013-2018: http://article.gmane.org/gmane.comp.security.oss.general/10083 Thanks, noted. Thijs

Re: Security fix for jquery-jplayer 2.1.0-1

2013-04-27 Thread Thijs Kinkhorst
Hi Pau, On Sat, April 27, 2013 01:31, Pau Garcia i Quiles wrote: Wheezy contains my package jquery-jplayer 2.1.0-1, which is affected by a few security issues which have been recently fixed upstream. One of the issues is CVE-2013-1942. Two other issues, although important, did not get a CVE

Bug#706192: unblock: phpmyadmin/4:3.4.11.1-2

2013-04-25 Thread Thijs Kinkhorst
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hi, Please unblock package phpmyadmin. This is a security update. The issues fixed are not present in squeeze. unblock phpmyadmin/4:3.4.11.1-2 Thanks, Thijs

Bug#704530: RM: semanticscuttle/0.98.4+dfsg-1

2013-04-02 Thread Thijs Kinkhorst
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm Hi, Please remove semanticscuttle from wheezy. The problems are detailed in RC bug #659390. My last message details that I had to conquer three different problems to get to an error-free home

Bug#704297: unblock: dput/0.9.6.3+nmu2

2013-03-31 Thread Thijs Kinkhorst
: #704228). + + -- Thijs Kinkhorst th...@debian.org Sun, 31 Mar 2013 13:09:54 +0200 + dput (0.9.6.3+nmu1) unstable; urgency=low * Non-maintainer upload. diff -Nru dput-0.9.6.3+nmu1/dput.cf dput-0.9.6.3+nmu2/dput.cf --- dput-0.9.6.3+nmu1/dput.cf 2012-10-14 14:54:17.0 +0200 +++ dput

Re: Bug#703290: davical: possible code insertion or XSS

2013-03-19 Thread Thijs Kinkhorst
On Tue, March 19, 2013 01:37, Christoph Anton Mitterer wrote: severity 703290 important stop On Tue, 2013-03-19 at 10:20 +1300, Andrew McMillan wrote: Is there any way to do an XSS exploit in 12 characters? If not, then I don't think this is 'grave'. Unless someone from the security or

Re: Bug#703290: davical: possible code insertion or XSS

2013-03-19 Thread Thijs Kinkhorst
severity 703294 important thanks On Tue, March 19, 2013 11:20, Jonathan Wiltshire wrote: Agreed that it's not grave until we have a concrete vulnerability at hand. The code could/should definitely be more robust, but there's not yet an acute issue. Is it fair to apply this line of reasoning

Bug#703125: tpu: wireshark/1.8.2-5wheezy1

2013-03-16 Thread Thijs Kinkhorst
On Sat, March 16, 2013 00:02, Balint Reczey wrote: I would like to upload wireshark/1.8.2-5wheezy1 to testing-proposed-updates to fix open security issues in wheezy. This request can be postponed, as we're going to try to handle this through wheezy-security as a first guinea pig. If this works

Bug#687583: RM: altos/wheezy

2013-03-06 Thread Thijs Kinkhorst
package release.debian.org user release.debian@packages.debian.org usertag 687583 + rm - unblock retitle 687583 RM: altos/1.0.3 thanks Hi Release Managers, Please remove altos from testing as per maintainer comment in #676739. Cheers, Thijs

Bug#702412: pre-approval unblock: postfix

2013-03-06 Thread Thijs Kinkhorst
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hi Release Team, I've been looking into Postfix RC bug #700719. In short, my proposal is to fix the maintainer field and then unblock the package. Please see my message in the bug log for

Bug#702412: pre-approval unblock: postfix

2013-03-06 Thread Thijs Kinkhorst
On Wednesday 6 March 2013 10:16:18 Adam D. Barratt wrote: It looks like the maintainer field is already fixed in sid, in 2.10.0-1; that is a number of upstream releases more recent than the current wheezy package, however. Your last message in #700719 indicates that your inclination

Re: openjdk maintenance for wheezy and squeeze

2013-03-03 Thread Thijs Kinkhorst
On Thursday 28 February 2013 21:35:09 Moritz Mühlenhoff wrote: So we should proceed with providing backports for openjdk in the future. If Matthias keeps the Debian/Ubuntu packaging in a state that it's easily buildable on squeeze/wheezy for ojdk6 and for wheezy on ojdk7 I think we should

Bug#701833: unblock: pigz/2.2.4-2

2013-02-27 Thread Thijs Kinkhorst
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hi RT, Package pigz/2.2.4-2 was uploaded to sid fixing CVE-2013-0296 (#700608). The maintainer also added hardening flags. This may be on the border of acceptable/unacceptable for an

Bug#701610: unblock: pktstat/1.8.5-3 + urgency bump

2013-02-25 Thread Thijs Kinkhorst
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hi, Please unblock and bump the urgency of package pktstat. It fixes security issue CVE-2013-0350; #701211: left-over debug code caused both a temp file race and an information leak.
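
The failure mode named in that request, a debugging log written to a fixed name under /tmp, is easy to reproduce. The C below is an added illustration for this page; it is not pktstat's code nor the CVE-2013-0350 patch, and the paths, function names and the symlink "pre-planted by a local attacker" are all constructed for the demonstration. It contrasts a fopen(path, "w")-style open, which follows whatever a local user left at the predictable name and creates the file with umask-derived (typically world-readable) permissions, with O_CREAT|O_EXCL|O_NOFOLLOW and mkstemp(), which refuse the planted link and create the file mode 0600.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* What a leftover fopen(path, "w") amounts to: a fixed name, symlinks
 * followed, and permissions taken from the umask (often 0644). */
int open_debug_log_insecure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened open at a chosen path: O_EXCL refuses anything already there,
 * O_NOFOLLOW refuses a symlink, and the file is created mode 0600. */
int open_debug_log_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Preferred: unpredictable name, created by mkstemp() with O_CREAT|O_EXCL
 * and mode 0600. tmpl must end in XXXXXX and is rewritten in place. */
int open_debug_log_mkstemp(char *tmpl)
{
    return mkstemp(tmpl);
}

/* 1 if fd is a regular file with no group/other permission bits. */
int fd_is_private_regular(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 077) == 0;
}

/* Race demonstration (constructed): a local attacker who knows the fixed
 * name plants a symlink there before the program runs. Returns 1 when the
 * insecure open wrote through the link (the victim file got truncated) AND
 * the exclusive open refused the planted entry; 0 otherwise; -1 on setup
 * error. Everything lives under a fresh mkdtemp() directory and is removed. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/pktstat-demo-XXXXXX";
    char victim[64], link[64];
    struct stat st;
    int fd, fooled = 0, refused = 0;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/debug.log", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "secret\n", 7) != 7) return -1;
    close(fd);
    if (symlink(victim, link) != 0) return -1;   /* the attacker's move */

    fd = open_debug_log_insecure(link);          /* truncates the victim */
    if (fd >= 0 && fstat(fd, &st) == 0 && st.st_size == 0)
        fooled = 1;
    if (fd >= 0) close(fd);

    fd = open_debug_log_exclusive(link);         /* refuses the symlink */
    if (fd < 0 && (errno == EEXIST || errno == ELOOP))
        refused = 1;
    else if (fd >= 0) close(fd);

    unlink(link); unlink(victim); rmdir(dir);
    return fooled && refused;
}

/* Returns 1 when mkstemp() hands back a private regular file. */
int demo_mkstemp_is_private(void)
{
    char tmpl[] = "/tmp/pktstat-demo-XXXXXX";
    int fd = open_debug_log_mkstemp(tmpl);
    int ok = fd >= 0 && fd_is_private_regular(fd);
    if (fd >= 0) { close(fd); unlink(tmpl); }
    return ok;
}

int main(void)
{
    printf("fixed-name open fooled by symlink, exclusive open refused: %d\n",
           demo_symlink_attack());
    printf("mkstemp file is private to its owner: %d\n",
           demo_mkstemp_is_private());
    return 0;
}
```

The exclusive open still has a weakness the mkstemp() form does not: the name is guessable, so an attacker can make the program fail by occupying it (a denial of service rather than a compromise). Debug output that must survive into a release is best sent to stderr or a logging facility rather than to a file at all.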

Bug#701476: unblock: nagios-nrpe/2.13-2

2013-02-24 Thread Thijs Kinkhorst
On Sat, February 23, 2013 17:55, Niels Thykier wrote: Control: reopen -1 On 2013-02-23 17:45, Alexander Wirt wrote: Thijs Kinkhorst schrieb am Saturday, den 23. February 2013: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock

Bug#700806: unblock: openconnect/3.20-3 (Fixes CVE-2012-6128)

2013-02-24 Thread Thijs Kinkhorst
As mentioned in #700805, this line introduces a memory leak if realloc fails for any reason. Upstream has committed a fix for the issue but also concluded that this causing real world trouble is not very probable. So either the patch needs to be applied to openconnect or the package needs to
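
The realloc() hazard that message describes, as an added example that is not openconnect's code: the growable buffer, the two append functions and the simulate_realloc_failure hook are constructed for this page. When realloc() returns NULL the original block is still allocated, so writing the result straight back into the only pointer to that block leaks it and leaves nothing to free; parking the result in a temporary first keeps the old pointer valid so the caller can recover, retry or free.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable byte buffer, constructed for this example. */
struct buf {
    char *data;
    size_t len;
    size_t cap;
};

/* Test hook, an assumption of this example only: when set, the next
 * realloc() is reported as failed so the error path can be exercised.
 * As with a real failure, the block passed in stays allocated. */
int simulate_realloc_failure = 0;

static void *demo_realloc(void *p, size_t n)
{
    if (simulate_realloc_failure) {
        simulate_realloc_failure = 0;
        return NULL;
    }
    return realloc(p, n);
}

/* The flagged idiom: realloc() returns NULL on failure but leaves the old
 * block allocated, so assigning straight back to b->data drops the only
 * reference to that block. Nothing can free it afterwards. */
int append_leaky(struct buf *b, const char *s, size_t n)
{
    if (n > SIZE_MAX / 2 - b->len)       /* keep the size arithmetic sane */
        return -1;
    if (b->len + n > b->cap) {
        size_t ncap = (b->len + n) * 2;
        b->data = demo_realloc(b->data, ncap);
        if (b->data == NULL)
            return -1;                    /* old block leaked; len/cap now lie */
        b->cap = ncap;
    }
    memcpy(b->data + b->len, s, n);
    b->len += n;
    return 0;
}

/* Safe idiom: hold the result in a temporary until it is known to be
 * non-NULL, so on failure the buffer is untouched and still usable. */
int append_safe(struct buf *b, const char *s, size_t n)
{
    if (n > SIZE_MAX / 2 - b->len)
        return -1;
    if (b->len + n > b->cap) {
        size_t ncap = (b->len + n) * 2;
        char *tmp = demo_realloc(b->data, ncap);
        if (tmp == NULL)
            return -1;                    /* b->data, len and cap still valid */
        b->data = tmp;
        b->cap = ncap;
    }
    memcpy(b->data + b->len, s, n);
    b->len += n;
    return 0;
}

void buf_free(struct buf *b)
{
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Scenario 1: a failed grow through append_safe leaves "abc" intact,
 * appendable and freeable. Returns 1 when that holds. */
int demo_safe_survives_failure(void)
{
    struct buf b = {0};
    int ok;
    if (append_safe(&b, "abc", 3) != 0) return 0;
    simulate_realloc_failure = 1;
    ok = append_safe(&b, "defghijklmnop", 13) == -1
         && b.data != NULL && b.len == 3 && memcmp(b.data, "abc", 3) == 0
         && append_safe(&b, "def", 3) == 0            /* fits in cap 6 */
         && b.len == 6 && memcmp(b.data, "abcdef", 6) == 0;
    buf_free(&b);
    return ok && b.data == NULL;
}

/* Scenario 2: the same failure through append_leaky leaves b.data NULL.
 * The block is freed here only because this demo saved a copy of the
 * pointer beforehand, which real code has no reason to do. Returns 1
 * when the pointer was lost. */
int demo_leaky_loses_pointer(void)
{
    struct buf b = {0};
    char *saved;
    int lost;
    if (append_leaky(&b, "abc", 3) != 0) return 0;
    saved = b.data;
    simulate_realloc_failure = 1;
    lost = append_leaky(&b, "defghijklmnop", 13) == -1 && b.data == NULL;
    free(saved);
    return lost;
}

int main(void)
{
    printf("safe append keeps buffer on failure: %d\n", demo_safe_survives_failure());
    printf("leaky append loses pointer on failure: %d\n", demo_leaky_loses_pointer());
    return 0;
}
```

The same reasoning applies to reallocarray() and to any wrapper that returns NULL on failure: the assignment `p = realloc(p, n);` is only safe when the code is prepared to abort outright on NULL, never when it intends to report an error and keep running.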

Bug#701476: unblock: nagios-nrpe/2.13-2

2013-02-23 Thread Thijs Kinkhorst
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Dear release team, Please unblock package nagios-nrpe. The update is documentation only. It's done to address #547092: SSL support is fundamentally broken in NRPE, which cannot be fixed

Re: ia32-libs-* updates (was: Re: 6.0.7 planning)

2013-02-16 Thread Thijs Kinkhorst
On Friday 15 February 2013 17:58:23 Adam D. Barratt wrote: On Mon, 2013-02-11 at 10:41 +0100, Thijs Kinkhorst wrote: [ cups (1.4.4-7+squeeze2) stable-security; urgency=high ] Our sanity check grumbled about this one, as p-u has +squeeze3; is that intentional? I can't remember what

Re: 6.0.7 planning

2013-02-11 Thread Thijs Kinkhorst
On Sun, February 10, 2013 17:25, Adam D. Barratt wrote: We're somewhat overdue with the next Squeeze point release (6.0.7) and it'd be good to get it done before the wheezy release, so that we can pull in some upgrade fixes. Attached are the proposed updates to ia32-libs and ia32-libs-core at

Re: 6.0.7 planning

2013-02-11 Thread Thijs Kinkhorst
On Mon, February 11, 2013 10:40, Thijs Kinkhorst wrote: On Sun, February 10, 2013 17:25, Adam D. Barratt wrote: We're somewhat overdue with the next Squeeze point release (6.0.7) and it'd be good to get it done before the wheezy release, so that we can pull in some upgrade fixes. Attached

Re: Please wheezy-ignore #695716

2013-01-18 Thread Thijs Kinkhorst
On Thu, January 17, 2013 23:50, Neil Williams wrote: On Thu, 17 Jan 2013 19:51:13 + Robert Lemmen rober...@semistable.com wrote: #695716 is a GFDL-bug, upstream has relicensed their docs and released a new version 0.6.7, I have updated the package and uploaded to unstable. ... which

Bug#692911: unblock: ca-certificates/20121114

2013-01-02 Thread Thijs Kinkhorst
retitle 692911 unblock: ca-certificates/20121114 thanks Hi, ca-certificates/20121114 has been uploaded in the meantime which addresses both the wish for documentation expressed in this bug log above and fixes RC bug #537051. It has been in unstable for over 30 days now without new issues

Re: [r...@cpan.org: CVE-2012-5195: heap buffer overrun with perl + glibc]

2012-12-09 Thread Thijs Kinkhorst
On Sun, December 9, 2012 16:10, Salvatore Bonaccorso wrote: On Sun, December 9, 2012 13:11, Salvatore Bonaccorso wrote: Thank you Dominic for keeping updated. Security team, attached is the proposed debdiff for the libcgi-pm-perl part. Yes, please upload this to security master. I did a

let's remove flightgear/simgear from testing

2012-11-30 Thread Thijs Kinkhorst
Hi, I propose that we remove the flightgear, simgear and probably associated packages fgfs-base and fgrun from wheezy, because they have RC bugs and there seems to be no concrete indication that this will be resolved anytime soon. This is based on the following observations. Security issues

Bug#691308: unblock: libgnomecanvas/2.30.3-1.2

2012-10-24 Thread Thijs Kinkhorst
-1.2) unstable; urgency=low + + * Non-maintainer upload. + * Revert conversion to Multi-Arch: same done in 2.30.3-1.1. +This needs to be done coordinated with changes to libglade2. + * Keep the Multi-Arch: foreign change for libgnomecanvas-common. + + -- Thijs Kinkhorst th...@debian.org Sun

Bug#690957: unblock: ia32-libs/1:0.3

2012-10-19 Thread Thijs Kinkhorst
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hi, I believe we should consider having ia32-libs and friends migrate to testing. In my perception the status is as follows. All blocking bugs against ia32-libs have been closed. I have

Bug#690074: wpa will not migrate, upload to tpu?

2012-10-13 Thread Thijs Kinkhorst
for wheezy+1 (Closes: #677993, #678077). + * Fix DoS via specially crafted EAP-TLS messages with longer message +length than TLS data length (CVE-2012-4445, DSA 2557-1, Closes: #689990). + + -- Thijs Kinkhorst th...@debian.org Sat, 13 Oct 2012 14:48:08 + + wpa (1.0-2) unstable; urgency=low

Bug#685960: unblock: gnupg/1.4.12-5 (pre-approval)

2012-10-13 Thread Thijs Kinkhorst
On Thu, October 11, 2012 10:07, Thijs Kinkhorst wrote: On Wed, October 10, 2012 22:43, Adam D. Barratt wrote: On Thu, 2012-08-30 at 22:13 +0100, Adam D. Barratt wrote: On Mon, 2012-08-27 at 23:00 -0400, David Prévot wrote: Can someone from the release team please confirm that you would

Bug#685960: unblock: gnupg/1.4.12-5 (pre-approval)

2012-10-11 Thread Thijs Kinkhorst
On Wed, October 10, 2012 22:43, Adam D. Barratt wrote: On Thu, 2012-08-30 at 22:13 +0100, Adam D. Barratt wrote: On Mon, 2012-08-27 at 23:00 -0400, David Prévot wrote: Can someone from the release team please confirm that you would consider unblocking such an upload of gnupg, knowing that

Bug#689292: unblock: tinyproxy/1.8.3-3 (security issue)

2012-10-01 Thread Thijs Kinkhorst
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hi, Please unblock package tinyproxy. It fixes a denial of service. unblock tinyproxy/1.8.3-3 Thanks, Thijs

Re: Squeeze point release (6.0.6)

2012-09-28 Thread Thijs Kinkhorst
On Fri, September 28, 2012 07:04, Adam D. Barratt wrote: Is adding the epoch any more involved than just changing the version number, from a packaging point of view? If not, then doing that today would indeed be one way out of the issue, depending on your opinion of doing so, with your

Re: Squeeze point release (6.0.6)

2012-09-27 Thread Thijs Kinkhorst
On Thu, September 27, 2012 20:52, Adam D. Barratt wrote: On Wed, 2012-09-26 at 12:53 +0200, Thijs Kinkhorst wrote: On Wed, September 26, 2012 11:02, Philipp Kern wrote: On Wed, Sep 26, 2012 at 09:17:53AM +0200, Thijs Kinkhorst wrote: OK, so we need to update ia32-libs again, now that all

Re: Squeeze point release (6.0.6)

2012-09-27 Thread Thijs Kinkhorst
On Thu, September 27, 2012 22:38, Adam D. Barratt wrote: On Thu, 2012-09-27 at 22:10 +0200, Thijs Kinkhorst wrote: On Thu, September 27, 2012 20:52, Adam D. Barratt wrote: a) prop-up the packages from p-u to testing (meh) and unstable (bad) during the point release b) exclude ia32-libs

Re: Squeeze point release (6.0.6)

2012-09-26 Thread Thijs Kinkhorst
On Mon, September 17, 2012 15:58, Philipp Kern wrote: ok, given the replies, let's settle on this: On Fri, Sep 07, 2012 at 09:43:03PM +0200, Philipp Kern wrote: * Sep 29/30: ok from RT side OK, so we need to update ia32-libs again, now that all changes are in. The other two ia32-libs-* do not

Re: Squeeze point release (6.0.6)

2012-09-26 Thread Thijs Kinkhorst
On Wed, September 26, 2012 11:02, Philipp Kern wrote: Hi, On Wed, Sep 26, 2012 at 09:17:53AM +0200, Thijs Kinkhorst wrote: OK, so we need to update ia32-libs again, now that all changes are in. The other two ia32-libs-* do not require an update in this release. Attached is the proposed

Bug#686344: unblock: simplesamlphp/1.9.2.-1

2012-08-31 Thread Thijs Kinkhorst
. + + -- Thijs Kinkhorst th...@debian.org Wed, 29 Aug 2012 15:43:31 + + simplesamlphp (1.9.1-1) unstable; urgency=medium * New upstream security release: diff -Nru simplesamlphp-1.9.1/docs/simplesamlphp-changelog.txt simplesamlphp-1.9.2/docs/simplesamlphp-changelog.txt --- simplesamlphp-1.9.1/docs

Bug#685960: unblock: gnupg/1.4.12-5 (pre-approval)

2012-08-27 Thread Thijs Kinkhorst
On Mon, August 27, 2012 03:38, David Prévot wrote: Attached the current (from the gnupg package repository) debdiff, excluding the translation, since it contains other pending changes that may not be in line with the current freeze policy (so the release team may point what changes could be

Bug#683299: please unblock: open-vm-tools/2:8.8.0+2012.05.21-724730-4

2012-08-14 Thread Thijs Kinkhorst
Hi, As it seems, Daniel has uploaded a version of open-vm-tools that reverts the contentious changes. This version has been in unstable for 11 days now and no bugs have been reported since. Can you please review and unblock? thanks, Thijs -- To UNSUBSCRIBE, email to

Bug#684955: unblock: phpmyadmin/4:3.4.11.1-1 (security issue)

2012-08-14 Thread Thijs Kinkhorst
site scripting [PMASA-2012-4]. + + -- Thijs Kinkhorst <th...@debian.org> Mon, 13 Aug 2012 13:24:09 + + phpmyadmin (4:3.4.11-1) unstable; urgency=low * New upstream release. diff -Nru phpmyadmin-3.4.11/js/db_structure.js phpmyadmin-3.4.11.1/js/db_structure.js --- phpmyadmin-3.4

Bug#684045: pre-approval simplesamlphp/1.9.1-1

2012-08-08 Thread Thijs Kinkhorst
On Wed, August 8, 2012 01:15, Cyril Brulebois wrote: Thijs Kinkhorst th...@debian.org (07/08/2012): On Tue, August 7, 2012 01:44, Cyril Brulebois wrote: while I have only glanced at it, that doesn't look bad at all, please go ahead and ping us once it's accepted. It has now been accepted

Bug#684045: pre-approval simplesamlphp/1.9.1-1

2012-08-07 Thread Thijs Kinkhorst
On Tue, August 7, 2012 01:44, Cyril Brulebois wrote: Hello Thijs, Thijs Kinkhorst th...@debian.org (06/08/2012): I would like to upload simplesamlphp/1.9.1-1: an upstream security release that only fixes a security issue and adds some minor documentation fixes. The debdiff is attached

Bug#684045: pre-approval simplesamlphp/1.9.1-1

2012-08-06 Thread Thijs Kinkhorst
. + + -- Thijs Kinkhorst th...@debian.org Mon, 06 Aug 2012 12:57:02 + + simplesamlphp (1.9.0-1) unstable; urgency=low * New upstream release. diff -Nru simplesamlphp-1.9.0/docs/simplesamlphp-changelog.txt simplesamlphp-1.9.1/docs/simplesamlphp-changelog.txt --- simplesamlphp-1.9.0/docs

please unblock open-vm-tools (rc bugfix)

2012-07-28 Thread Thijs Kinkhorst
Hi, open-vm-tools/2:8.8.0+2012.05.21-724730-3 was uploaded to fix an RC bug in the package (#679886). It has now aged for 11 days without problems discovered. It must be noted that wheezy now contains -1. -2 was uploaded before the freeze and got an automatic unblock already. Its changes have

Re: [php-maint] php5 testing transition

2012-05-07 Thread Thijs Kinkhorst
On Sun, May 6, 2012 10:00, Thijs Kinkhorst wrote: On Sat, May 5, 2012 20:49, Adam D. Barratt wrote: On Sat, 2012-05-05 at 20:39 +0200, Ondrej Sury wrote: For some reason I had it in my head that 5.4.2 was the upstream version with the fixed fix rather than the not-quite fixed fix. I think

Re: [php-maint] php5 testing transition

2012-05-06 Thread Thijs Kinkhorst
On Sat, May 5, 2012 20:49, Adam D. Barratt wrote: On Sat, 2012-05-05 at 20:39 +0200, Ondrej Sury wrote: For some reason I had it in my head that 5.4.2 was the upstream version with the fixed fix rather than the not-quite fixed fix. I think this is the case (e.g. 5.4.2 is the fixed
