[libav LTS triaging] Re: Resource for PoCs found

2018-12-05 Thread Mike Gabriel

Hi again, hi Markus,

On Thu 06 Dec 2018 08:17:29 CET, Mike Gabriel wrote:

> Hi,
>
> today, I stumbled over a Git repo on GitHub containing many proof of
> concepts for various open/closed CVEs:
>
> https://github.com/asarubbo/poc/
>
> Probably, some of us already know that repo, but I thought I'd
> share it anyway.
>
> Greets,
> Mike


I just noticed that the PoCs don't have references to CVEs...

Here is a list for some libav issues:
https://blogs.gentoo.org/ago/2016/12/01/libav-multiple-crashes-from-the-undefined-behavior-sanitizer/

Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de




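The triage this thread is about (feeding the PoC files from that repo to a sanitizer-instrumented libav build and matching what falls out against the crash list on the Gentoo blog) is mechanical enough to script. The following is an added example, not code from the mailing list, from the asarubbo/poc repository or from libav: it runs every file in a PoC directory through an instrumented decoder, parses the UBSan or ASan report on stderr, and groups PoCs by the crash site so that duplicates collapse before anyone starts matching sites to CVE descriptions. The invocation (`<binary> -i <poc> -f null -`), the report layouts and the sample reports are assumptions made for the example.

```python
"""Group PoC files by sanitizer crash site (added example, not libav or list code)."""
import os
import re
import subprocess
from collections import defaultdict
from pathlib import Path

# UBSan diagnostic, e.g. "libavcodec/foo.c:123:45: runtime error: signed integer overflow: ..."
UBSAN_RE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+):\d+: runtime error: (?P<what>.+)$", re.M)
# ASan header, e.g. "==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x..."
ASAN_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (?P<what>[\w-]+)", re.M)
# Innermost ASan stack frame, e.g. "    #0 0x4f3a1c in decode_frame libavcodec/foo.c:99:5"
ASAN_FRAME_RE = re.compile(
    r"^\s+#0 0x[0-9a-f]+ in (?P<func>\S+) (?P<file>[^:\s]+):(?P<line>\d+)", re.M)


def sanitizer_summary(stderr: str):
    """Return (kind, site, detail) for a sanitizer report, or None when the run was clean.

    kind is "asan" or "ubsan"; site is "file:line", the key we deduplicate on.
    ASan is checked first because an ASan abort is the more severe finding when
    both sanitizers are compiled in.
    """
    m = ASAN_RE.search(stderr)
    if m:
        frame = ASAN_FRAME_RE.search(stderr)
        site = f"{frame['file']}:{frame['line']}" if frame else "unknown"
        return ("asan", site, m["what"])
    m = UBSAN_RE.search(stderr)
    if m:
        return ("ubsan", f"{m['file']}:{m['line']}", m["what"])
    return None


def run_poc(binary: str, poc: Path, timeout: int = 30) -> str:
    """Decode one PoC to nowhere with the instrumented binary and return its stderr.

    The command line is an assumption (avconv-style "-i file -f null -");
    adjust it for the tool you actually built. A hang is cut by the timeout
    and recorded as such, so a slow-path PoC does not stall the whole batch.
    """
    env = {**os.environ,
           "UBSAN_OPTIONS": "print_stacktrace=1",
           "ASAN_OPTIONS": "detect_leaks=0"}
    try:
        proc = subprocess.run([binary, "-i", str(poc), "-f", "null", "-"],
                              capture_output=True, text=True,
                              timeout=timeout, env=env)
    except subprocess.TimeoutExpired as exc:
        err = exc.stderr or b""
        if isinstance(err, bytes):
            err = err.decode(errors="replace")
        return err + "\n[timeout]\n"
    return proc.stderr


def triage(binary: str, poc_dir: str) -> dict:
    """Return {crash_site: [(poc_name, kind, detail), ...]} for every PoC that trips a sanitizer."""
    groups = defaultdict(list)
    for poc in sorted(Path(poc_dir).iterdir()):
        if not poc.is_file():
            continue
        summary = sanitizer_summary(run_poc(binary, poc))
        if summary:
            kind, site, detail = summary
            groups[site].append((poc.name, kind, detail))
    return dict(groups)


if __name__ == "__main__":
    import sys
    # Usage: triage.py /path/to/instrumented/avconv /path/to/poc/files
    for site, hits in sorted(triage(sys.argv[1], sys.argv[2]).items()):
        print(f"{site}  ({len(hits)} PoC(s))")
        for name, kind, detail in hits:
            print(f"    {name}: {kind}: {detail}")
```

The crash site, not the PoC file name, is the unit of work: several PoC files routinely exercise the same `file:line`, and that string is what you then look for in the Gentoo post or the CVE text to decide which DLA entry a PoC belongs to.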

Resource for PoCs found

2018-12-05 Thread Mike Gabriel

Hi,

today, I stumbled over a Git repo on GitHub containing many proof of
concepts for various open/closed CVEs:

https://github.com/asarubbo/poc/

Probably, some of us already know that repo, but I thought I'd share
it anyway.


Greets,
Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de





Re: openssl 1.0 support on stretch LTS

2018-12-05 Thread Haruki TSURUMOTO
Hi,
The intent of my questions:
Will the openssl1.0 package get security updates from the LTS team from 2020 to
mid-2022?
(Only selected packages are supported in LTS, surely.)
Debian stretch has two openssl packages.

https://packages.debian.org/ja/source/stretch/openssl
https://packages.debian.org/ja/source/stretch/openssl1.0

I think the old one (openssl1.0) is difficult to maintain after upstream
support ends (31st December 2019).

-- 
Haruki TSURUMOTO
PGP Fingerprint:3718 C84E 4EDA 1B5C 4F26 8639 9D3D EE3F 63A6 000E

On Thu, 6 Dec 2018 at 6:52, Ola Lundqvist wrote:

> Hi
>
> I'm not sure I understand the question. We have openssl 1.1 in stretch.
> Do you mean to support an earlier openssl version or do you mean something
> else?
>
> // Ola
>
> On Wed, 5 Dec 2018 at 13:24, Haruki TSURUMOTO 
> wrote:
>
>> Dear LTS maintainers,
>>
>> I have some questions about openssl packages.
>>
>> * Is there any plan to support openssl1.0 on stretch LTS?
>>
>> * If previous question is yes, Is there any possibility early
>> end-of-life of openssl1.0 on stretch LTS?
>>
>> Regards,
>>
>> --
>> Haruki TSURUMOTO
>> PGP Fingerprint:3718 C84E 4EDA 1B5C 4F26 8639 9D3D EE3F 63A6 000E
>>
>>
>
> --
>  --- Inguza Technology AB --- MSc in Information Technology 
> /  o...@inguza.comFolkebogatan 26\
> |  o...@debian.org   654 68 KARLSTAD|
> |  http://inguza.com/Mobile: +46 (0)70-332 1551 |
> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
>  ---
>
>

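Whether stretch LTS carries openssl1.0 is a team decision, but on any given host the practical question is what still pulls in a binary built from that source (libssl1.0.2, libssl1.0-dev) before upstream support ends. The following added example, not from the thread and not Debian tooling, parses a dpkg status file and lists the installed packages whose Depends/Pre-Depends name one of those binaries, alternatives included, so that a `libssl1.1 | libssl1.0.2` dependency is flagged too. The sample status text is constructed for the example; on a real system call `reverse_depends(read_status())`.

```python
"""Installed packages that still depend on the openssl1.0 binaries (added example)."""
import re

# Binary packages built from src:openssl1.0 in stretch (the two names from the thread's
# packages.debian.org link); extend the set if your archive carries more.
OPENSSL10_BINARIES = {"libssl1.0.2", "libssl1.0-dev"}

# A package name, optionally followed by a multiarch qualifier such as ":any".
DEP_NAME_RE = re.compile(r"([a-z0-9][a-z0-9+.\-]*)(?::[a-z0-9-]+)?")


def parse_status(text: str):
    """Yield one {field: value} dict per stanza of an RFC822-style dpkg status file.

    Continuation lines (leading whitespace) are folded into the previous field,
    which is how long Depends lists are wrapped in the real file.
    """
    stanza, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            if stanza:
                yield stanza
            stanza, key = {}, None
        elif line[0] in " \t" and key:
            stanza[key] += " " + line.strip()
        else:
            key, _, value = line.partition(":")
            stanza[key] = value.strip()
    if stanza:
        yield stanza


def dep_names(field: str) -> set:
    """Every package name in a Depends field, ignoring version constraints.

    'libssl1.0.2 (>= 1.0.2), libc6 (>= 2.4), foo | bar' -> {libssl1.0.2, libc6, foo, bar}
    Alternatives are kept on purpose: apt may satisfy either side.
    """
    names = set()
    for clause in field.split(","):
        for alternative in clause.split("|"):
            alternative = alternative.strip()
            m = DEP_NAME_RE.match(alternative) if alternative else None
            if m:
                names.add(m.group(1))
    return names


def installed(stanza: dict) -> bool:
    """True when dpkg's Status field ends in 'installed' (not config-files, half-installed, ...)."""
    return stanza.get("Status", "").split()[-1:] == ["installed"]


def reverse_depends(text: str, targets=OPENSSL10_BINARIES) -> dict:
    """Return {target: sorted list of installed packages whose Depends/Pre-Depends name it}."""
    result = {t: [] for t in targets}
    for st in parse_status(text):
        if not installed(st) or st.get("Package") in targets:
            continue
        deps = set()
        for field in ("Depends", "Pre-Depends"):
            if field in st:
                deps |= dep_names(st[field])
        for t in targets & deps:
            result[t].append(st["Package"])
    return {t: sorted(v) for t, v in result.items()}


def read_status(path: str = "/var/lib/dpkg/status") -> str:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


# Constructed sample, not a real stretch status file; package names are placeholders.
SAMPLE_STATUS = """\
Package: libssl1.0.2
Status: install ok installed
Source: openssl1.0
Depends: libc6 (>= 2.15)

Package: libssl1.1
Status: install ok installed
Source: openssl
Depends: libc6 (>= 2.15)

Package: legacy-app
Status: install ok installed
Depends: libc6 (>= 2.15), libssl1.0.2 (>= 1.0.2), zlib1g

Package: modern-app
Status: install ok installed
Depends: libssl1.1 (>= 1.1.0) | libssl1.0.2, libc6

Package: removed-tool
Status: deinstall ok config-files
Depends: libssl1.0.2

Package: lib-dev-thing
Status: install ok installed
Pre-Depends: libssl1.0-dev
Depends: libc6,
 libstdc++6 (>= 5)
"""

if __name__ == "__main__":
    for target, pkgs in sorted(reverse_depends(SAMPLE_STATUS).items()):
        print(f"{target}: {', '.join(pkgs) or '(none)'}")
```

A package that merely lists libssl1.0.2 as an alternative shows up as well; that is deliberate, since such a package may be the reason the library is still installed, and it is the cheap way to find what would have to be rebuilt or reconfigured if openssl1.0 were dropped early.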

Re: openssl 1.0 support on stretch LTS

2018-12-05 Thread Ola Lundqvist
Hi

I'm not sure I understand the question. We have openssl 1.1 in stretch.
Do you mean to support an earlier openssl version or do you mean something
else?

// Ola

On Wed, 5 Dec 2018 at 13:24, Haruki TSURUMOTO 
wrote:

> Dear LTS maintainers,
>
> I have some questions about openssl packages.
>
> * Is there any plan to support openssl1.0 on stretch LTS?
>
> * If previous question is yes, Is there any possibility early
> end-of-life of openssl1.0 on stretch LTS?
>
> Regards,
>
> --
> Haruki TSURUMOTO
> PGP Fingerprint:3718 C84E 4EDA 1B5C 4F26 8639 9D3D EE3F 63A6 000E
>
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology 
/  o...@inguza.comFolkebogatan 26\
|  o...@debian.org   654 68 KARLSTAD|
|  http://inguza.com/Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---


Re: Xen 4.4 updates vs. Xen Stretch backport

2018-12-05 Thread Holger Levsen
Hi Peter and everyone,

first of all, thank you all for contributing to this thread!

On Mon, Dec 03, 2018 at 08:40:08PM +, Ben Hutchings wrote:
> > If so, the other fixes are probably not too much work. But implementing
> > BTI fixes is a long and unknown road. I cannot give any reliable numbers
> > how much work that would be. But anybody can estimate that this will be
> > much more than a few days to get done. There might be a shortcut for
> > some patches by back porting independent code chunks like I did with the
> > grant table code for Xen 4.1 (Wheezy) but for now, I can't oversee all
> > of this in total yet and I doubt that there will be a great shortcut to
> > be found.
> Having spent several days on similar backports for Linux 3.2 and 3.16,
> I recognise the likely difficulty and complexity of the task and I
> think it still needs to be done.

yes, we should fix what's (sensibly) possible to fix in xen 4.4.

So Peter, please go ahead and backport as much as you can, while updating
us (me or this list) on estimates as you get a better understanding of the work
required. 

I assume it might also be a good idea if you'd summarize the state
of the various (CVE) issues in NOTEs in data/dla-needed.txt in
security-tracker.git so that it's clearly visible in one location what
the status of backporting these fixes is. That information is also in
the mails of this thread, but that's not easy to find.

You can safely spend up to 4 or 5 (8h) days on this as we have some
backlog of undispatched hours accumulated and this is a good use for that.

(in related news, if you know someone who'd be interested to work on
LTS, please tell them to contact me.)

> (But for future releases we do seriously need to consider whether Xen
> should be covered by LTS, given the amount of work needed.)

can we discuss this now or should we postpone this to the beginning of
the Stretch LTS circle?

> > Another option would be backporting the Xen
> > 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10 (and following) package from
> > Stretch to Jessie. This could be done including testing within a few
> > hours, maybe a little more than a working day or less if we abandon Xen
> > 4.4.
> I don't see this as an acceptable option for LTS.  We could maybe add a
> xen-4.8 package if it was popular in jessie-backports, but that doesn't
> excuse us from having to support 4.4.

agreed.


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




openssl 1.0 support on stretch LTS

2018-12-05 Thread Haruki TSURUMOTO
Dear LTS maintainers,

I have some questions about openssl packages.

* Is there any plan to support openssl1.0 on stretch LTS?

* If previous question is yes, Is there any possibility early
end-of-life of openssl1.0 on stretch LTS?

Regards,

-- 
Haruki TSURUMOTO
PGP Fingerprint:3718 C84E 4EDA 1B5C 4F26 8639 9D3D EE3F 63A6 000E


