Re: testing jasper for Wheezy LTS

2017-04-24 Thread Emilio Pozuelo Monfort
On 23/04/17 13:16, Thorsten Alteholz wrote:
> Hi everybody,
> 
> I uploaded version 1.900.1-13+deb7u6 of jasper to:
> 
> https://people.debian.org/~alteholz/packages/wheezy-lts/jasper/amd64/
> 
> Please give it a try and tell me about any problems you met. If you use jasper
> for your own projects, I would be also interested whether you can still build it
> with that new version.

Gave this a quick try with some jp2 files I found, using eog (uses jasper
through gdk-pixbuf I think) and gimp (uses jasper directly), and all seems fine.
I didn't try building anything that uses jasper, but that should be fine unless
you changed the API, which I hope you didn't?

Cheers,
Emilio



testing Mysql 5.5.55 for LTS

2017-04-24 Thread Emilio Pozuelo Monfort
On 24/04/17 07:41, Lars Tangvald wrote:
> Hi,
> 
> The debian/wheezy branch should now be updated.

Thanks Lars. Test packages for amd64 are available at

https://people.debian.org/~pochu/lts/mysql/

I did some smoke testing, but we have to wait for the jessie update, so if
someone wants to give this some more testing that'd be nice.

Thanks,
Emilio



[SECURITY] [DLA 914-1] minicom security update

2017-04-24 Thread Thorsten Alteholz

Package: minicom
Version: 2.6.1-1+deb7u1
CVE ID : CVE-2017-7467
Debian Bug : 860940

CVE-2017-7467
Out of bounds write in vt100.c

For Debian 7 "Wheezy", these problems have been fixed in version
2.6.1-1+deb7u1.

We recommend that you upgrade your minicom packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 912-1] tiff3 security update

2017-04-24 Thread Markus Koschany

Package: tiff3
Version: 3.9.6-11+deb7u5
CVE ID : CVE-2017-7593 CVE-2017-7594 CVE-2017-7595
 CVE-2017-7596 CVE-2017-7597 CVE-2017-7599
 CVE-2017-7600 CVE-2017-7601
Debian Bug : 86 860001 860003

Multiple security issues have been found in the tiff3 image library
that may allow remote attackers to cause a denial of service
(application crash), to obtain sensitive information from process
memory or possibly have unspecified other impact via a crafted image.

For Debian 7 "Wheezy", these problems have been fixed in version
3.9.6-11+deb7u5.

We recommend that you upgrade your tiff3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Accepted tiff3 3.9.6-11+deb7u5 (source amd64) into oldstable

2017-04-24 Thread Markus Koschany

Format: 1.8
Date: Mon, 24 Apr 2017 12:26:42 +0200
Source: tiff3
Binary: libtiff4 libtiffxx0c2 libtiff4-dev
Architecture: source amd64
Version: 3.9.6-11+deb7u5
Distribution: wheezy-security
Urgency: high
Maintainer: Jay Berkenbilt 
Changed-By: Markus Koschany 
Description: 
 libtiff4   - Tag Image File Format (TIFF) library (old version)
 libtiff4-dev - Tag Image File Format (TIFF) library (old version), development f
 libtiffxx0c2 - Tag Image File Format (TIFF) library (old version) -- C++ interfa
Changes: 
 tiff3 (3.9.6-11+deb7u5) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix the following security vulnerabilities:
   * CVE-2017-7593:
 tif_read.c in LibTIFF does not ensure that tif_rawdata is properly
 initialized, which might allow remote attackers to obtain sensitive
 information from process memory via a crafted image.
   * CVE-2017-7594:
 The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF
 allows remote attackers to cause a denial of service (memory leak) via a
 crafted image.
   * CVE-2017-7595:
 The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF allows remote
 attackers to cause a denial of service (divide-by-zero error and
 application crash) via a crafted image.
   * CVE-2017-7596, CVE-2017-7597, CVE-2017-7599, CVE-2017-7600:
 LibTIFF has an "outside the range of representable values of type float"
 undefined behavior issue, which might allow remote attackers to cause a
 denial of service (application crash) or possibly have unspecified other
 impact via a crafted image.
   * CVE-2017-7601:
 LibTIFF has a "shift exponent too large for 64-bit type long" undefined
 behavior issue, which might allow remote attackers to cause a denial of
 service (application crash) or possibly have unspecified other impact via a
 crafted image.



Accepted activemq 5.6.0+dfsg-1+deb7u3 (source all) into oldstable

2017-04-24 Thread Markus Koschany

Format: 1.8
Date: Mon, 24 Apr 2017 12:50:21 +0200
Source: activemq
Binary: libactivemq-java libactivemq-java-doc activemq
Architecture: source all
Version: 5.6.0+dfsg-1+deb7u3
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers
Changed-By: Markus Koschany 
Description: 
 activemq   - Java message broker - server
 libactivemq-java - Java message broker core libraries
 libactivemq-java-doc - Java message broker core libraries - documentation
Changes: 
 activemq (5.6.0+dfsg-1+deb7u3) wheezy-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2015-7559.
 DoS in activemq-core via shutdown command.



Re: Wheezy update of wireshark?

2017-04-24 Thread Antoine Beaupré
On 2017-02-18 15:31:07, Moritz Mühlenhoff wrote:
> On Sat, Feb 18, 2017 at 01:22:19AM +0100, Bálint Réczey wrote:
>> Was there any reason for handling the last CVE very quickly? I can
>> catch up with the changes in Jessie.
>
> No. It's totally harmless, for jessie let's also line this one up in
> git for the next Wireshark advisory round.

Hi,

I assume this is the status for the more recent Wireshark
vulnerabilities jessie and wheezy are exposed to?

https://security-tracker.debian.org/tracker/source-package/wireshark

Bálint: I noticed you performed the last LTS update as well - should we
just wait for you to perform this one as well?

Thanks for the followup!

A.

-- 
The most beautiful songs are songs of protest
Verse must make love in the heads of the people.
At the school of poetry, one does not learn: one fights!
- Léo Ferré, "Préface"



[SECURITY] [DLA 911-1] tiff security update

2017-04-24 Thread Markus Koschany

Package: tiff
Version: 4.0.2-6+deb7u12
CVE ID : CVE-2017-7592 CVE-2017-7593 CVE-2017-7594
 CVE-2017-7595 CVE-2017-7596 CVE-2017-7597
 CVE-2017-7598 CVE-2017-7599 CVE-2017-7600
 CVE-2017-7601 CVE-2017-7602
Debian Bug : 859998 86 860001 860003

Multiple security issues have been found in the tiff image library
that may allow remote attackers to cause a denial of service
(application crash), to obtain sensitive information from process
memory or possibly have unspecified other impact via a crafted image.

For Debian 7 "Wheezy", these problems have been fixed in version
4.0.2-6+deb7u12.

We recommend that you upgrade your tiff packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Accepted tiff 4.0.2-6+deb7u12 (source all amd64) into oldstable

2017-04-24 Thread Markus Koschany

Format: 1.8
Date: Mon, 24 Apr 2017 09:53:51 +0200
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff5-alt-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all amd64
Version: 4.0.2-6+deb7u12
Distribution: wheezy-security
Urgency: high
Maintainer: Ondřej Surý 
Changed-By: Markus Koschany 
Description: 
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff5   - Tag Image File Format (TIFF) library
 libtiff5-alt-dev - Tag Image File Format library (TIFF), alternative development fil
 libtiff5-dev - Tag Image File Format library (TIFF), development files
 libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Changes: 
 tiff (4.0.2-6+deb7u12) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix the following security vulnerabilities:
   * CVE-2017-7592:
 The putagreytile function in tif_getimage.c has a left-shift undefined
 behavior issue, which might allow remote attackers to cause a denial of
 service (application crash) or possibly have unspecified other impact via a
 crafted image.
   * CVE-2017-7593:
 tif_read.c in LibTIFF does not ensure that tif_rawdata is properly
 initialized, which might allow remote attackers to obtain sensitive
 information from process memory via a crafted image.
   * CVE-2017-7594:
 The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF
 allows remote attackers to cause a denial of service (memory leak) via a
 crafted image.
   * CVE-2017-7595:
 The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF allows remote
 attackers to cause a denial of service (divide-by-zero error and
 application crash) via a crafted image.
   * CVE-2017-7596, CVE-2017-7597, CVE-2017-7599, CVE-2017-7600:
 LibTIFF has an "outside the range of representable values of type float"
 undefined behavior issue, which might allow remote attackers to cause a
 denial of service (application crash) or possibly have unspecified other
 impact via a crafted image.
   * CVE-2017-7598:
 tif_dirread.c in LibTIFF might allow remote attackers to cause a denial of
 service (divide-by-zero error and application crash) via a crafted image.
   * CVE-2017-7601:
 LibTIFF has a "shift exponent too large for 64-bit type long" undefined
 behavior issue, which might allow remote attackers to cause a denial of
 service (application crash) or possibly have unspecified other impact via a
 crafted image.
   * CVE-2017-7602:
 LibTIFF has a signed integer overflow, which might allow remote attackers
 to cause a denial of service (application crash) or possibly have
 unspecified other impact via a crafted image.

Re: Wheezy update of batik?

2017-04-24 Thread Ola Lundqvist
Hi

Just for information. I based my conclusion on that the package is affected
by a statement from security team that all versions from 1.0 are affected.

// Ola

On 23 April 2017 at 23:06, Emilio Pozuelo Monfort wrote:

> On 23/04/17 21:50, Ola Lundqvist wrote:
> > Dear maintainer(s),
> >
> > The Debian LTS team would like to fix the security issues which are
> > currently open in the Wheezy version of batik:
> > https://security-tracker.debian.org/tracker/CVE-2017-5662
>
> FWIW I investigated this a bit and there doesn't seem to be any details other
> than what is in the advisory: i.e. I couldn't find the commit that fixes this
> (looking at the svn repository) or an upstream bug report. I found a
> security-related one, reported by Lars Krapf (as mentioned in the oss-security
> mail) but that seemed different than CVE-2017-5662 and much older (see [1]).
>
> Also our 1.8 and the upstream 1.9 tarballs have different layouts so it's hard
> to compare them.
>
> Cheers,
> Emilio
>
> [1] https://issues.apache.org/jira/browse/BATIK-1139
>





Re: Mysql 5.5.55

2017-04-24 Thread Lars Tangvald

Hi,

The debian/wheezy branch should now be updated.

--
Lars

On 04/23/2017 02:12 PM, Emilio Pozuelo Monfort wrote:

Hi Lars,

I see that you already started preparing MySQL 5.5.55 for wheezy in

https://urldefense.proofpoint.com/v2/url?u=https-3A__anonscm.debian.org_cgit_pkg-2Dmysql_mysql-2D5.5.git_log_-3Fh-3Ddebian_wheezy=DwIDaQ=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10=HPjEzLhETPj8fl9HCxxISaaV3f5tXDpGXDR3R2IELxg=OXZ-mPBOb1aDtu253RZDNLexhCUPtUx0S1P4-y-d_VQ=JjozhmBLoLkqpEOObpOLd2XZDxVhtGaHIahsbPfqLbA=

If you want I can upload the package and send the announcement. Just let me know
when you're done with the update (at least I think the changelog needs to be
updated).

Cheers,
Emilio