Re: Wheezy update of calibre?

2017-01-28 Thread Antoine Beaupré
Just for the record: before packaging this update, we will need to
investigate the issue much further.

In particular, it seems likely that there are more undocumented but
public security issues in Calibre. See for example bug #853004:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853004

But there may be more.

A.

-- 
A lot of people never use their initiative because no-one told them to.
- Bansky



Wheezy update of svgsalamander?

2017-01-28 Thread Ola Lundqvist
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of svgsalamander:
https://security-tracker.debian.org/tracker/source-package/svgsalamander

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt out of receiving future similar emails in your
answer and then the LTS Team will take care of svgsalamander updates
for the LTS releases.

Thank you very much.

Ola Lundqvist,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup



Wheezy update of mysql-5.5?

2017-01-28 Thread Ola Lundqvist
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of mysql-5.5:
https://security-tracker.debian.org/tracker/source-package/mysql-5.5

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt out of receiving future similar emails in your
answer and then the LTS Team will take care of mysql-5.5 updates
for the LTS releases.

Thank you very much.

Ola Lundqvist,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup



Wheezy update of calibre?

2017-01-28 Thread Ola Lundqvist
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of calibre:
https://security-tracker.debian.org/tracker/CVE-2010-1028

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt out of receiving future similar emails in your
answer and then the LTS Team will take care of calibre updates
for the LTS releases.

Thank you very much.

Ola Lundqvist,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup



Re: Anyone having more information about the tcpdump security CVEs?

2017-01-28 Thread Ola Lundqvist
Hi

Thank you for the information.

How to upload and issue a DLA is available here:
https://wiki.debian.org/LTS/Development

I can issue the DLA if you do the upload.

Are you sure the new tcpdump is backwards compatible?

Best regards

// Ola

On 28 January 2017 at 09:56, Romain Francoise wrote:
> Hi,
>
> On Fri, Jan 27, 2017 at 10:25:42PM +0100, Ola Lundqvist wrote:
>> Does anyone have any reference to something that I can have a look at to
>> judge whether this package needs an update in wheezy or not.
>
> It definitively needs an update, however you should be aware that for
> jessie the DSA will just update the package to the new upstream as we
> don't have broken-out patches for these vulnerabilities. I'm working on
> this right now.
>
> I can prepare packages for wheezy as well if you need, but I'm not yet
> familiar with how to get them uploaded to wheezy-lts.
>
> --
> Romain Francoise 
> http://people.debian.org/~rfrancoise/



-- 
 --- Inguza Technology AB --- MSc in Information Technology 
/  o...@inguza.com                    Folkebogatan 26            \
|  o...@debian.org                    654 68 KARLSTAD            |
|  http://inguza.com/                 Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---



Re: testing bind9 for Wheezy LTS

2017-01-28 Thread Guido Günther
Hi Thorsten,
On Wed, Jan 25, 2017 at 10:19:36PM +0100, Thorsten Alteholz wrote:
> Hi everybody,
> 
> I uploaded version 9.8.4.dfsg.P1-6+nmu2+deb7u14 of bind9 to:
> 
> https://people.debian.org/~alteholz/packages/wheezy-lts/bind9/amd64/
> 
> Please give it a try and tell me about any problems you met. It would be
> great to test bind9 as a recursive server and/or with DNSSEC.
> 
> Thanks!

Looks good here on a recursive server and on one with DNSSEC enabled.
Cheers,
 -- Guido



Re: Anyone having more information about the tcpdump security CVEs?

2017-01-28 Thread Romain Francoise
Hi,

On Fri, Jan 27, 2017 at 10:25:42PM +0100, Ola Lundqvist wrote:
> Does anyone have any reference to something that I can have a look at to
> judge whether this package needs an update in wheezy or not.

It definitively needs an update, however you should be aware that for
jessie the DSA will just update the package to the new upstream as we
don't have broken-out patches for these vulnerabilities. I'm working on
this right now.

I can prepare packages for wheezy as well if you need, but I'm not yet
familiar with how to get them uploaded to wheezy-lts.

-- 
Romain Francoise 
http://people.debian.org/~rfrancoise/