Re: Wheezy update of roundcube?

2017-11-19 Thread Guilhem Moulin
Hi Ola,

Sorry for the delay, not sure if you got an answer yet; either way I'm
not answering on behalf of the team here.

On Sat, 11 Nov 2017 at 20:14:38 +0100, Ola Lundqvist wrote:
> Would you like to take care of this yourself?
> 
> The proposed patch for later release will not apply cleanly to the version
> in wheezy so the porting work is larger than usual.
> […]
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.

Unfortunately I no longer have any machine running Wheezy so I don't
have an easy way to adapt the patch or test the package anymore :-/

Cheers,
-- 
Guilhem.




Call for testing: xserver

2017-11-19 Thread Emilio Pozuelo Monfort
Hi,

I prepared an update for the X server. The changelog is:

xorg-server (2:1.12.4-6+deb7u8) wheezy-security; urgency=medium

  * Cherry-pick changes from the jessie branch:

  * render: Fix out of boundary heap access
  * xkb: Escape non-printable characters correctly.
  * xkb: Handle xkb formated string output safely (CVE-2017-13723)
  * os: Make sure big requests have sufficient length.
  * Unvalidated lengths in
- XFree86-VidModeExtension (CVE-2017-12180)
- XFree86-DRI (CVE-2017-12182)
- XFIXES (CVE-2017-12183)
- XINERAMA (CVE-2017-12184)
- MIT-SCREEN-SAVER (CVE-2017-12185)
- RENDER (CVE-2017-12187)
  * Xi: Silence some tautological warnings
  * Xi: fix wrong extra length check in ProcXIChangeHierarchy (CVE-2017-12178)
  * dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo 
(CVE-2017-12177)
  * Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
  * Use timingsafe_memcmp() to compare MIT-MAGIC-COOKIES (CVE-2017-2624)

 -- Emilio Pozuelo Monfort   Sun, 19 Nov 2017 20:27:35 +0100

These changes have been on stretch and jessie for a bit, and they work
fine for me. Still if you could give them a try, that'd be appreciated.

https://people.debian.org/~pochu/lts/xorg-server/

Thanks,
Emilio



[SECURITY] [DLA 1180-1] libspring-ldap-java security update

2017-11-19 Thread Markus Koschany

Package: libspring-ldap-java
Version: 1.3.1.RELEASE-4+deb7u1
CVE ID : CVE-2017-8028

Tobias Schneider discovered that Spring-LDAP would allow authentication
with an arbitrary password when the username is correct, no additional
attributes are bound and when using LDAP BindAuthenticator with
DefaultTlsDirContextAuthenticationStrategy as the authentication
strategy and setting userSearch. This occurs because some LDAP vendors
require an explicit operation for the LDAP bind to take effect.

For Debian 7 "Wheezy", these problems have been fixed in version
1.3.1.RELEASE-4+deb7u1.

We recommend that you upgrade your libspring-ldap-java packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS