Re: Wheezy update of roundcube?
Hi Ola,

Sorry for the delay, not sure if you got an answer yet; either way I'm
not answering on behalf of the team here.

On Sat, 11 Nov 2017 at 20:14:38 +0100, Ola Lundqvist wrote:
> Would you like to take care of this yourself?
>
> The proposed patch for later release will not apply cleanly to the version
> in wheezy so the porting work is larger than usual.
> […]
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.

Unfortunately I no longer have any machine running Wheezy so I don't
have an easy way to adapt the patch or test the package anymore :-/

Cheers,
--
Guilhem.

Call for testing: xserver
Hi,

I prepared an update for the X server. The changelog is:

xorg-server (2:1.12.4-6+deb7u8) wheezy-security; urgency=medium

  * Cherry-pick changes from the jessie branch:
    * render: Fix out of boundary heap access
    * xkb: Escape non-printable characters correctly.
    * xkb: Handle xkb formated string output safely (CVE-2017-13723)
    * os: Make sure big requests have sufficient length.
    * Unvalidated lengths in
      - XFree86-VidModeExtension (CVE-2017-12180)
      - XFree86-DRI (CVE-2017-12182)
      - XFIXES (CVE-2017-12183)
      - XINERAMA (CVE-2017-12184)
      - MIT-SCREEN-SAVER (CVE-2017-12185)
      - RENDER (CVE-2017-12187)
    * Xi: Silence some tautological warnings
    * Xi: fix wrong extra length check in ProcXIChangeHierarchy
      (CVE-2017-12178)
    * dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo
      (CVE-2017-12177)
    * Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
    * Use timingsafe_memcmp() to compare MIT-MAGIC-COOKIES (CVE-2017-2624)

 -- Emilio Pozuelo Monfort  Sun, 19 Nov 2017 20:27:35 +0100

These changes have been on stretch and jessie for a bit, and they work
fine for me. Still if you could give them a try, that'd be appreciated.

https://people.debian.org/~pochu/lts/xorg-server/

Thanks,
Emilio

[SECURITY] [DLA 1180-1] libspring-ldap-java security update
Package        : libspring-ldap-java
Version        : 1.3.1.RELEASE-4+deb7u1
CVE ID         : CVE-2017-8028

Tobias Schneider discovered that Spring-LDAP would allow authentication
with an arbitrary password when the username is correct, no additional
attributes are bound and when using LDAP BindAuthenticator with
DefaultTlsDirContextAuthenticationStrategy as the authentication strategy
and setting userSearch. This occurs because some LDAP vendors require an
explicit operation for the LDAP bind to take effect.

For Debian 7 "Wheezy", these problems have been fixed in version
1.3.1.RELEASE-4+deb7u1.

We recommend that you upgrade your libspring-ldap-java packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS