Re: imagemagick
On Feb/12, Brian May wrote:
> > - imagemagick in squeeze appears to only be vulnerable
> >   TEMP-0811308-B63DA1[0].
>
> This is five separate issues. See #811308. So does it make sense to ask
> for a separate CVE for each issue?

"Having a CVE associated to each security issue is definitely a plus, at
the very least for those issues serious enough to be fixed via a
DSA/DLA" still stands :)

Cheers,

--Seb
Re: Preparing to announce Squeeze LTS end-of-life
On 12/02/2016, Miroslav Skoric wrote:
> On 02/10/2016 10:17 AM, Matus UHLAR - fantomas wrote:
>
>>
>> so, are you prepared for valentine's day massacre?
>>
>
> Actually not: It is Wheezy (7.9) now, and I predict its valentine's day
> massacre to approach in few years. Btw, when is the end of life for
> Wheezy LTS?
>
>> or have you tried something like memory upgrade?
>>
>> I notice slowdown when logging to lxde after upgrading to jessie,
>> however I think most of problems aren't related to HW performance, I
>> remember ~18 years ago when installing dnsmasq locally speed up my
>> computer much.
>>
>
> Well, it's an 1999-year machine, 224 meg RAM, Celeron 400 MHz. I do not
> plan to waste $$$ for an upgrade. As long as it works I'll keep it as
> is. Interestingly, while that box was running Squeeze LTS, I found xfce
> to be the fastest GUI (compared to lxde and gnome). Now with Wheezy,
> Gnome is the speediest. It's slow but works.
>
>

Have you tried the MATE desktop?

I do not know how the different desktops compare, in terms of speed,
but, it could be worth trying MATE - I expect that it would be faster
than GNOME.

But, I am not an expert or anything like that.

--
Bret Busby
Armadale
West Australia
..

"So once you do know what the question actually is,
 you'll know what the answer means."
- Deep Thought,
 Chapter 28 of Book 1 of
 "The Hitchhiker's Guide to the Galaxy:
 A Trilogy In Four Parts",
 written by Douglas Adams,
 published by Pan Books, 1992
Re: Accepted eglibc 2.11.3-4+deb6u10 (source all amd64) into squeeze-lts
Holger Levsen writes:
> where's the bug/CVE for this change? I also don't recall a discussion on this
> list, can you please explain what's so critical about this upload?

I believe this was to fix a regression in the previous LTS upload. See:

https://lists.debian.org/msgid-search/20160208082335.ga10...@fantomas.sk

I don't think there was a bug report filed in the BTS.

The previous upload was announced here:

https://lists.debian.org/msgid-search/20160205162120.GA20334@novelo

--
Brian May
Re: Preparing to announce Squeeze LTS end-of-life
On 12.02.2016 at 01:08, Holger Levsen wrote:
> Hi,
>
> On Thursday, 11 February 2016, Markus Koschany wrote:
>>> In the light of the recent confusion about what "February 2016" means
>>> you should really communicate a fixed date upfront.
>> Since there were no objections against ending Squeeze LTS at the end of
>> February 2016, May 2018 implies the same for Wheezy LTS. At least that
>> would be consistent. As soon as the current LTS cycle ends all
>> information on wiki.debian.org will be updated to reflect this.
>
> Moritz is right, we shouldn't say "wheezy LTS will end in May 2018." now, but
> instead explicitly say "wheezy LTS will end on May 31 2018."
>
> And the announcement hasn't been sent yet…!

As I said this should and will be corrected as part of the next wiki
update. For now it should be clear that Wheezy LTS will be supported
until the end of May 2018.

Regards,

Markus
Re: Accepted eglibc 2.11.3-4+deb6u10 (source all amd64) into squeeze-lts
Hi Santiago,

On Thursday, 11 February 2016, Santiago Ruano Rincón wrote:
> Changes:
>  eglibc (2.11.3-4+deb6u10) squeeze-lts; urgency=medium
>  .
>    * debhelper.in/libc.{preinst,postinst}: update preversion when upgrading
>      to check services and restart them.
>    * Update debhelper.in/libc.templates.

where's the bug/CVE for this change? I also don't recall a discussion on this
list, can you please explain what's so critical about this upload?

It's just libc after all ;)

cheers,
	Holger
Re: Preparing to announce Squeeze LTS end-of-life
Hi,

On Thursday, 11 February 2016, Markus Koschany wrote:
> > In the light of the recent confusion about what "February 2016" means
> > you should really communicate a fixed date upfront.
> Since there were no objections against ending Squeeze LTS at the end of
> February 2016, May 2018 implies the same for Wheezy LTS. At least that
> would be consistent. As soon as the current LTS cycle ends all
> information on wiki.debian.org will be updated to reflect this.

Moritz is right, we shouldn't say "wheezy LTS will end in May 2018." now, but
instead explicitly say "wheezy LTS will end on May 31 2018."

And the announcement hasn't been sent yet…!

cheers,
	Holger
Re: imagemagick
Sébastien Delafond writes:
> - imagemagick in squeeze appears to only be vulnerable
>   TEMP-0811308-B63DA1[0].

This is five separate issues. See #811308. So does it make sense to ask
for a separate CVE for each issue?

--
Brian May
Re: [Fwd: Preparing to announce Squeeze LTS end-of-life]
> On Feb 11, 2016, at 2:02 AM, santiag...@riseup.net wrote:
>
> Debian LTS would like to announce the end-of-support for Squeeze, so we
> have prepared a draft announcement:
>
> https://anonscm.debian.org/cgit/publicity/announcements.git/tree/en/2016/20160212.wml
>
> Could you please take a look at it?

I did, and I'd like to thank you folk for your work over the past few years -- I admin a Squeeze site, and I've been glad to see the updates from time to time.

Thanks for the help.

--
Glenn English
Re: squeeze update of chrony?
On Thu, Feb 11, 2016 at 02:02:52PM -0500, Antoine Beaupré wrote:
> On 2016-02-10 17:33:37, Vincent Blut wrote:
>> Ok, it’s done. Please could you review and eventually upload if
>> everything is good for you? Note that the concerned branch is
>> *squeeze-lts* and the chrony-1.24 upstream tarball is in a branch named
>> *upstream-1.24*.
>
> Hi!

Hello Antoine,

> I have tried to build the package using the git repo here:
>
> git://anonscm.debian.org/collab-maint/chrony.git

Could you please give it another shot, I updated the series file?

> ... i guess i'm not familiar enough with non-quilt packages to handle
> this, but I'd be curious to hear how you build the package from the git
> repo.

If you want to build it from the git tree, the following should suffice:

$ git clone https://anonscm.debian.org/git/collab-maint/chrony.git
$ cd chrony
$ git checkout squeeze-lts
$ gbp buildpackage --git-pbuilder --git-debian-branch=squeeze-lts --git-upstream-branch=upstream-1.24

> I'm sorry I can't help further with this now. If you provide a debdiff,
> I think I'd be able to review, build and upload the result.

“dsc” file attached!

> A.
>
> PS: oh, i think i found out:
> 14_restrict-authentication-of-server-peer-to-specified-key.patch is
> missing from debian/applied/series!

Thanks for catching. ;-)

--
From the age of uniformity, from the age of solitude, from the age of
Big Brother, from the age of doublethink - greetings!
- Winston Smith, 1984

Format: 1.0
Source: chrony
Binary: chrony
Architecture: any
Version: 1.24-3+squeeze3
Maintainer: John G. Hasler
Standards-Version: 3.8.3
Build-Depends: debhelper (>= 7), libreadline5-dev | libreadline-dev, texinfo, bison
Package-List:
 chrony deb admin extra arch=any
Checksums-Sha1:
 1abc71d4050670d13f4cc8287a3245f810aefccc 345441 chrony_1.24.orig.tar.gz
 3fcb28b89e0fc75e1294ee6d827f54bf859e4eb5 264168 chrony_1.24-3+squeeze3.diff.gz
Checksums-Sha256:
 efa72f3b3e7eae74f994d03a55ff138ebac0c5de349218e64b365572a8dffed6 345441 chrony_1.24.orig.tar.gz
 4af31992a03b2afbc15993c96a5aadedc19b51b5af2e95eded40b04212705d80 264168 chrony_1.24-3+squeeze3.diff.gz
Files:
 9e452951172fb642341fb93c50a74442 345441 chrony_1.24.orig.tar.gz
 f9d871a2e8c90c9a7b4a2c058d9c5de8 264168 chrony_1.24-3+squeeze3.diff.gz
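The PS in the message above traces the "build doesn't pick up the new patch" symptom to a patch file that was never listed in the series file. The following check for that condition is an added example, not part of the original thread or of the chrony packaging; the function names, the assumption that patch files sit in the same directory as `series`, and the sample tree (including `01_first-fix.patch`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report patch files that exist in a patch directory but are
# not named in its series file, so they would be silently skipped at build.

# unlisted_patches PATCH_DIR [SERIES_FILE]
# Prints one unlisted file name per line. Returns 1 if any were found,
# 0 if every patch is listed, 2 if the directory or series file is missing.
unlisted_patches() {
    patch_dir=$1
    series=${2:-$patch_dir/series}
    [ -d "$patch_dir" ] || { echo "no such directory: $patch_dir" >&2; return 2; }
    [ -f "$series" ] || { echo "no series file: $series" >&2; return 2; }

    found_unlisted=0
    for path in "$patch_dir"/*.patch "$patch_dir"/*.diff; do
        [ -f "$path" ] || continue    # glob matched nothing
        name=${path##*/}
        # A series line is "<patch name> [options]"; '#' starts a comment.
        if ! awk -v n="$name" '{ sub(/#.*/, "") } $1 == n { hit = 1 } END { exit !hit }' "$series"; then
            echo "$name"
            found_unlisted=1
        fi
    done
    return "$found_unlisted"
}

# Constructed sample tree (assumed layout, not the real chrony packaging):
# two patch files on disk, only the first one named in the series file.
make_sample_tree() {
    tree=$(mktemp -d) || return 1
    : > "$tree/01_first-fix.patch"
    : > "$tree/14_restrict-authentication-of-server-peer-to-specified-key.patch"
    printf '%s\n' '# constructed series file' '01_first-fix.patch -p1' > "$tree/series"
    echo "$tree"
}

# Demo run on the constructed tree.
sample=$(make_sample_tree) && {
    unlisted_patches "$sample" || echo "^ not in series, would not be applied" >&2
    rm -rf "$sample"
}
```

Run against the real patch directory before building a security update, a non-zero exit flags a fix that is present in the tree but would not reach the binary package.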
Re: Preparing to announce Squeeze LTS end-of-life
[ I am subscribed to debian-lts. No need to CC me ]

On 11.02.2016 at 20:36, Moritz Mühlenhoff wrote:
> On Thu, Feb 11, 2016 at 08:19:02PM +0100, Markus Koschany wrote:
>> On 11.02.2016 at 19:09, Miroslav Skoric wrote:
>>> On 02/10/2016 10:17 AM, Matus UHLAR - fantomas wrote:
>>> so, are you prepared for valentine's day massacre?
>>>
>>> Actually not: It is Wheezy (7.9) now, and I predict its valentine's day
>>> massacre to approach in few years. Btw, when is the end of life for
>>> Wheezy LTS?
>>
>> May 2018. More information about Debian LTS can be found here:
>
> In the light of the recent confusion about what "February 2016" means
> you should really communicate a fixed date upfront.
>

Since there were no objections against ending Squeeze LTS at the end of
February 2016, May 2018 implies the same for Wheezy LTS. At least that
would be consistent. As soon as the current LTS cycle ends all
information on wiki.debian.org will be updated to reflect this.

Regards,

Markus
Re: Preparing to announce Squeeze LTS end-of-life
On Thu, Feb 11, 2016 at 08:19:02PM +0100, Markus Koschany wrote:
> On 11.02.2016 at 19:09, Miroslav Skoric wrote:
> > On 02/10/2016 10:17 AM, Matus UHLAR - fantomas wrote:
> >
> >>
> >> so, are you prepared for valentine's day massacre?
> >>
> >
> > Actually not: It is Wheezy (7.9) now, and I predict its valentine's day
> > massacre to approach in few years. Btw, when is the end of life for
> > Wheezy LTS?
>
> May 2018. More information about Debian LTS can be found here:

In the light of the recent confusion about what "February 2016" means
you should really communicate a fixed date upfront.

Cheers,
        Moritz
Re: Preparing to announce Squeeze LTS end-of-life
On 11.02.2016 at 19:09, Miroslav Skoric wrote:
> On 02/10/2016 10:17 AM, Matus UHLAR - fantomas wrote:
>
>>
>> so, are you prepared for valentine's day massacre?
>>
>
> Actually not: It is Wheezy (7.9) now, and I predict its valentine's day
> massacre to approach in few years. Btw, when is the end of life for
> Wheezy LTS?

May 2018. More information about Debian LTS can be found here:

https://wiki.debian.org/LTS/
Re: Preparing to announce Squeeze LTS end-of-life
On 02/10/2016 10:17 AM, Matus UHLAR - fantomas wrote:

> so, are you prepared for valentine's day massacre?

Actually not: It is Wheezy (7.9) now, and I predict its valentine's day
massacre to approach in few years. Btw, when is the end of life for
Wheezy LTS?

> or have you tried something like memory upgrade?
>
> I notice slowdown when logging to lxde after upgrading to jessie,
> however I think most of problems aren't related to HW performance, I
> remember ~18 years ago when installing dnsmasq locally speed up my
> computer much.

Well, it's an 1999-year machine, 224 meg RAM, Celeron 400 MHz. I do not
plan to waste $$$ for an upgrade. As long as it works I'll keep it as
is. Interestingly, while that box was running Squeeze LTS, I found xfce
to be the fastest GUI (compared to lxde and gnome). Now with Wheezy,
Gnome is the speediest. It's slow but works.
Re: squeeze update of chrony?
On 2016-02-10 17:33:37, Vincent Blut wrote:
> Ok, it’s done. Please could you review and eventually upload if
> everything is good for you? Note that the concerned branch is
> *squeeze-lts* and the chrony-1.24 upstream tarball is in a branch named
> *upstream-1.24*.

Hi!

I have tried to build the package using the git repo here:

git://anonscm.debian.org/collab-maint/chrony.git

For some reason, I can't seem to build the package with
git-buildpackage, or, more precisely, it doesn't pickup the new patch:

$ debdiff chrony_1.24-3+squeeze2_amd64.deb build-area/chrony_1.24-3+squeeze3_amd64.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
Version: [-1.24-3+squeeze2-] {+1.24-3+squeeze3+}

I tried to build straight from the git repo with pdebuild, no luck there
either:

$ DIST=squeeze ARCH=amd64 pdebuild --pbuilder cowbuilder
W: /home/anarcat/.pbuilderrc does not exist
I: using cowbuilder as pbuilder
dpkg-checkbuilddeps: Unmet build dependencies: texinfo
W: Unmet build-dependency in source
dpkg-buildpackage: source package chrony
dpkg-buildpackage: source version 1.24-3+squeeze3
dpkg-buildpackage: source distribution squeeze-lts
dpkg-buildpackage: source changed by Vincent Blut
 dpkg-source --before-build chrony
dpkg-checkbuilddeps: Unmet build dependencies: texinfo
dpkg-buildpackage: warning: build dependencies/conflicts unsatisfied; aborting
dpkg-buildpackage: warning: (Use -d flag to override.)
dpkg-buildpackage: warning: this is currently a non-fatal warning with -S, but will probably become fatal in the future
 fakeroot debian/rules clean
dh_testdir
dh_testroot
rm -f build-stamp install-stamp debian/substvars
# Add here commands to clean up after the build process.
[ ! -f Makefile ] || /usr/bin/make distclean
dh_clean
 dpkg-source -b chrony
dpkg-source: warning: source directory 'chrony' is not - 'chrony-1.24'
dpkg-source: warning: .orig directory name chrony.orig is not - (wanted chrony-1.24.orig)
dpkg-source: info: using source format `1.0'
dpkg-source: info: building chrony using existing chrony_1.24.orig.tar.gz
dpkg-source: info: building chrony in chrony_1.24-3+squeeze3.diff.gz
dpkg-source: warning: executable mode 0744 of '.git/config' will not be represented in diff
dpkg-source: warning: executable mode 0755 of '.git/hooks/applypatch-msg.sample' will not be represented in diff
dpkg-source: warning: executable mode 0755 of '.git/hooks/commit-msg.sample' will not be represented in diff
dpkg-source: warning: executable mode 0755 of '.git/hooks/post-update.sample' will not be represented in diff
dpkg-source: warning: executable mode 0755 of '.git/hooks/pre-applypatch.sample' will not be represented in diff
dpkg-source: warning: executable mode 0755 of '.git/hooks/pre-commit.sample' will not be represented in diff
dpkg-source: warning: executable mode 0755 of '.git/hooks/pre-push.sample' will not be represented in diff
dpkg-source: warning: executable mode 0755 of '.git/hooks/pre-rebase.sample' will not be represented in diff
dpkg-source: warning: executable mode 0755 of '.git/hooks/prepare-commit-msg.sample' will not be represented in diff
dpkg-source: warning: executable mode 0755 of '.git/hooks/update.sample' will not be represented in diff
dpkg-source: error: cannot represent change to .git/index: binary file contents changed
dpkg-source: error: cannot represent change to .git/objects/pack/pack-4029e2b6b072815ff088ae301e0946047c664542.idx: binary file contents changed
dpkg-source: error: cannot represent change to .git/objects/pack/pack-4029e2b6b072815ff088ae301e0946047c664542.pack: binary file contents changed
dpkg-source: warning: the diff modifies the following upstream files:
 .git/HEAD
 .git/config
 .git/description
 .git/hooks/applypatch-msg.sample
 .git/hooks/commit-msg.sample
 .git/hooks/post-update.sample
 .git/hooks/pre-applypatch.sample
 .git/hooks/pre-commit.sample
 .git/hooks/pre-push.sample
 .git/hooks/pre-rebase.sample
 .git/hooks/prepare-commit-msg.sample
 .git/hooks/update.sample
 .git/info/exclude
 .git/logs/HEAD
 .git/logs/refs/heads/master
 .git/logs/refs/heads/squeeze-lts
 .git/logs/refs/remotes/origin/HEAD
 .git/packed-refs
 .git/refs/heads/master
 .git/refs/heads/squeeze-lts
 .git/refs/remotes/origin/HEAD
 README
 addrfilt.c
 chrony.1
 chrony.conf
 chrony.html
 chrony.info
 chronyc.1
 chronyd.8
 client.c
 cmdmon.c
 faq.html
 io_linux.h
 ntp_core.c
 pktlength.c
 version.h
dpkg-source: info: use the '3.0 (quilt)' format to have separate and documented changes to upstream files, see dpkg-source(1)
dpkg-source: unrepresentable changes to source
dpkg-buildpackage: error: dpkg-source -b chrony gave error exit status 1

... i guess i'm not familiar enough with non-quilt packages to handle
this, but I'd be curious to hear how you build the package from the git
repo.

I'm sorry I can't help further with this now. If you provide a debdiff,
I think I'd be able to re
Re: imagemagick
On Feb/11, Brian May wrote:
> 0069-Fixed-memory-leak-when-reading-incorrect-PSD-files.patch
> 0070-Fix-PixelColor-off-by-one-on-i386.patch
> 0071-Prevent-null-pointer-access-in-magick-constitute.c.patch
> 0072-Fixed-out-of-bounds-error-in-SpliceImage.patch
> 0073-Fixed-memory-leaks.patch
>
> I have been advised each of these issues should have its own CVE.
>
> I have also been advised that the memory leaks aren't worth bothering
> with, so that leaves 0070, 0071, and 0072 that we would need to deal
> with.
>
> Out of this, only the 0071 patch applies cleanly to the version in
> squeeze.
>
> I also note that a number of security issues concerning imagemagick
> have been marked no-DSA for wheezy and jessie.
>
> What would you advise for these issues?

Having a CVE associated to each security issue is definitely a plus, at
the very least for those issues serious enough to be fixed via a
DSA/DLA.

> Also I note that a number of security issues fixed in squeeze-lts
> don't have assigned CVEs - is this something that needs rectifying?

It's always a plus, yes.

So, to summarize:

 - imagemagick in squeeze appears to only be vulnerable
   TEMP-0811308-B63DA1[0].

 - issues fixed via a DLA, but lacking a CVE, are:

   + TEMP-0806441-CB092C[1]
   + TEMP-0806441-76CD60[2]
   + TEMP-0773834-5EB6CF[3]

I personally would only request CVEs for those 4 issues, even though in
the end it's your choice to also ask for those tagged no-dsa.

Cheers,

--Seb

[0] https://security-tracker.debian.org/tracker/TEMP-0811308-B63DA1
[1] https://security-tracker.debian.org/tracker/TEMP-0806441-CB092C
[2] https://security-tracker.debian.org/tracker/TEMP-0806441-76CD60
[3] https://security-tracker.debian.org/tracker/TEMP-0773834-5EB6CF
squeeze update of wordpress?
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of wordpress:
https://security-tracker.debian.org/tracker/CVE-2016-2221
https://security-tracker.debian.org/tracker/CVE-2016-

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Santiago,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
[Fwd: Preparing to announce Squeeze LTS end-of-life]
Dear i18n and l10n-english teams,

Debian LTS would like to announce the end-of-support for Squeeze, so we
have prepared a draft announcement:

https://anonscm.debian.org/cgit/publicity/announcements.git/tree/en/2016/20160212.wml

Could you please take a look at it?

Cheers,

Santiago