Re: Bug#821811: [Pkg-samba-maint] Bug#821811: samba: badlock patch breaks trust relationship
On Thu, 2016-05-26 at 11:40 +0200, Santiago Ruano Rincón wrote: > El 23/05/16 a las 22:28, Andrew Bartlett escribió: > > > > On Wed, 2016-05-18 at 15:47 -0400, Antoine Beaupré wrote: > > > > > > On 2016-04-29 08:55:43, Santiago Ruano Rincón wrote: > > > > > > > > Dear Samba maintainers, > > > > > > > > Any updates about this bug? > > > > > > > > LTS Team, anyone could help to handle it? > > > > > > > > According to comment#17 in > > > > https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1572122 > > > > Andreas Schneider prepared a fix for 3.6.25. > > > Hi again! > > > > > > Should the LTS team prepare a regression update to the wheezy > > > version > > > at > > > least? > > That would be a good idea at this point. > > > > I'm happy to review things, just not had the time to switch back on > > to > > debian matters. > > > > Andrew Bartlett > Hi, > > To the current package in git, I have added some patches imported > from > the Ubuntu package, versions 2:3.6.25-0ubuntu0.12.04.3 and > 2:3.6.25-0ubuntu0.12.04.4. The debdiff is attached. Andrew, could you > please take a look on it? Also, test package is available at: > > deb https://people.debian.org/~santiago/debian santiago-wheezy/ > deb-src https://people.debian.org/~santiago/debian santiago- > wheezy/ > > Please, test them. I don't have the infrastructure to actually verify > they solve the regressions. So, if somebody else would like to claim > this package, please do it! Given that we have a confirmation that this addresses the issue, and that the patches match the recommendations from upstream, I approve this update. Please go ahead and push it out. Andrew Bartlett -- Andrew Bartlett https://samba.org/~abartlet/ Authentication Developer, Samba Team https://samba.org Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba signature.asc Description: This is a digitally signed message part
Re: Re: Wheezy update of roundcube?
Adrian Zaugg writes: > I would vote for a backported 1.0.x version or rather remove 0.7 than 0.9. I couldn't find 1.0.x in Debian, so tried version 1.1.5+dfsg.1-1~bpo8+1 from jessie-backports instead. Unfortunately it needs a newer version of libjs-jquery then what is available in Wheezy: Install roundcube build dependencies (apt-based resolver) - Installing build dependencies Reading package lists... Building dependency tree... Reading state information... Some packages could not be installed. This may mean that you have requested an impossible situation or if you are using the unstable distribution that some required packages have not yet been created or been moved out of Incoming. The following information may help to resolve the situation: The following packages have unmet dependencies: sbuild-build-depends-roundcube-dummy : Depends: libjs-jquery-ui (>= 1.10) but it is not going to be installed E: Unable to correct problems, you have held broken packages. apt-get failed. E: Package installation failed Not removing build depends: cloned chroot in use -- Brian May
Re: imagemagick CVE-2016-4562, CVE-2016-4563, CVE-2016-4564
Brian May writes: > DrawDashPolygon had the following change: > > - for (i=1; (i < number_vertices) && (length >= 0.0); i++) > + for (i=1; (i < (ssize_t) number_vertices) && (length >= 0.0); i++) Actually just noticed this change is a NOP. Both i and number_vertices are of type size_t. > Alternatively, DrawDashPolygon uses DrawStrokePolygon a lot, which in > turn uses TraceStrokePolygon, which gets on to the next CVE: > Am inclined to: > > 1. Patch TraceStrokePolygon. > 2. Mark CVE-2016-4563 as fixed in wheezy (but this does not mean it is > fixed in Jessie or above - probably need to check the Jessie version first). > 3. Mark CVE-2016-4562 as not vulnerable. I will leave CVE-2016-4562 as vulerable. It is possible that the fixes to TraceStrokePolygon fixed this as well as CVE-2016-4563, but we can't tell that for certain. > 4. Leave CVE-2016-4564 as vulnerable. -- Brian May
