Re: Wheezy ELTS?

2019-04-15 Thread Paul Wise
On Tue, Apr 16, 2019 at 10:20 AM PICCORO McKAY Lenz  wrote:

> was removed or not? is it still ELTS?

The timeline says that eLTS support ended on 31st May 2019.

https://wiki.debian.org/LTS/Extended

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



Re: (E)LTS report for March

2019-04-15 Thread PICCORO McKAY Lenz
but it seems Wheezy has been removed from security.debian.org but, as of April 14, is
still not present at archive.debian.org


Lenz McKAY Gerardo (PICCORO)
http://qgqlochekone.blogspot.com


On Wed., Apr. 10, 2019 at 03:42, Emilio Pozuelo Monfort (
poch...@gmail.com) wrote:

> Hi,
>
> During the month of March, I spent 26 hours working on LTS on the following
> tasks:
>
> - libsndfile security update
> - prepared firmware-nonfree update
> - ntfs-3g security update
> - firefox-esr security updates
> - bash security update
> - ghostscript coordination
> - openjdk-7 security update
> - drupal7 security update
> - thunderbird security update
> - tzdata, libdatetime-timezone-perl updates
> - CVE triaging
>
> I also spent 16h on ELTS:
>
> - openjdk-7 security update
> - security tracker improvements (pre-commit hook)
> - libsndfile security update
> - firmware-nonfree update (not yet released)
> - ntfs-3g security update
> - bash security update
> - tiff3 review / feedback
> - tzdata, libdatetime-timezone-perl updates
> - CVE triaging
>
> Cheers,
> Emilio
>
>


Re: Wheezy ELTS?

2019-04-15 Thread PICCORO McKAY Lenz
was removed or not? is it still ELTS?

On Mon., Apr. 15, 2019 at 11:54, Микаел Бак (mikael@yandex.ru)
wrote:

> Hi list,
>
> Seems Wheezy has been removed from security.debian.org, but isn't added
> to the archive server.
>
> Is this usual, or is it an error?
>
> TIA,
> Mikael
>
>


Re: Test request Re: [Pkg-clamav-devel] LTS update of clamav and call for advice

2019-04-15 Thread Scott Kitterman
Dropped the security team from the cc.

install clamav-daemon and clamav-testfiles and then use clamdscan to scan 
them:

$ clamdscan /usr/share/clamav-testfiles/clam*

The unrar test files will come up as not infected unless you also install 
libclamunrar7 from non-free.  That's normal.

Scott K

On Monday, April 15, 2019 11:25:39 PM Ola Lundqvist wrote:
> Hi
> 
> Great
> 
> Updated packages are now available on
> https://apt.inguza.net/jessie-security/clamav
> 
> Testing is much appreciated since I have limited experience of clamav
> myself.
> 
> I can test that the package installs properly but I'm not sure I can
> regression test it properly myself.
> 
> Anyone who knows how to regression test it properly?
> 
> Best regards
> 
> // Ola
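A check for the regression run Scott describes, added here as an example; it is not code from this thread or from the clamav package. It parses the per-file lines and the summary block that clamdscan prints and reports every clam* test file that did not come back FOUND, treating the .rar files as expected misses when libclamunrar7 from non-free is not installed. The scan output embedded in the block is constructed, not a captured run, and the "Can't open file" ERROR line is made up to show that an unreadable test file is counted as a failure rather than silently passed over.

```python
"""Regression check for `clamdscan /usr/share/clamav-testfiles/clam*`.

Added example, not part of the thread or of the clamav package. The scan
output embedded below is constructed, not a captured run.
"""
import re

# clamdscan prints one line per file: "<path>: <signature> FOUND",
# "<path>: OK" or "<path>: <reason> ERROR", then a summary block.
LINE_RE = re.compile(
    r"^(?P<path>.+?): (?:(?P<sig>.+) FOUND|OK|(?P<err>.+) ERROR)$")
SUMMARY_RE = re.compile(r"^Infected files: (\d+)$")

# Constructed sample of a run on a host without libclamunrar7 installed.
SAMPLE_OUTPUT = """\
/usr/share/clamav-testfiles/clam.exe: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.zip: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam-v2.rar: OK
/usr/share/clamav-testfiles/clam-v3.rar: OK
/usr/share/clamav-testfiles/clam.cab: OK
/usr/share/clamav-testfiles/clam.pdf: Can't open file ERROR

----------- SCAN SUMMARY -----------
Infected files: 2
Time: 0.012 sec (0 m 0 s)
"""


def parse_clamdscan(output):
    """Return ({path: "FOUND"|"OK"|"ERROR"}, infected count from the summary).

    The summary count is None when no summary block was seen.
    """
    verdicts, summary = {}, None
    for line in output.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            summary = int(m.group(1))
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines and summary decoration
        if m.group("sig"):
            verdicts[m.group("path")] = "FOUND"
        elif m.group("err"):
            verdicts[m.group("path")] = "ERROR"
        else:
            verdicts[m.group("path")] = "OK"
    return verdicts, summary


def regression_failures(output, unrar_installed=False):
    """Sorted list of test files that should have been detected but were not.

    A file that scanned OK is a failure, except *.rar files when the
    non-free unrar module is absent (Scott's caveat). ERROR lines are
    always failures: an unreadable test file proves nothing about
    detection. A summary count that disagrees with the per-file lines is
    reported too, since a truncated or interleaved run would hide misses.
    """
    verdicts, summary = parse_clamdscan(output)
    failures = []
    for path, verdict in verdicts.items():
        if verdict == "FOUND":
            continue
        if verdict == "OK" and path.endswith(".rar") and not unrar_installed:
            continue
        failures.append(path)
    found = sum(1 for v in verdicts.values() if v == "FOUND")
    if summary is not None and summary != found:
        failures.append("summary-mismatch: %d reported, %d parsed"
                        % (summary, found))
    return sorted(failures)


if __name__ == "__main__":
    # On a test host, feed the real clamdscan output instead of SAMPLE_OUTPUT;
    # a non-empty list means the update regressed detection.
    for failure in regression_failures(SAMPLE_OUTPUT):
        print("FAIL", failure)
```

Pass unrar_installed=True on a host that has libclamunrar7, so that an OK on the .rar files is reported as the regression it would then be.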

Test request Re: [Pkg-clamav-devel] LTS update of clamav and call for advice

2019-04-15 Thread Ola Lundqvist
Hi

Great

Updated packages are now available on
https://apt.inguza.net/jessie-security/clamav

Testing is much appreciated since I have limited experience of clamav
myself.

I can test that the package installs properly but I'm not sure I can
regression test it properly myself.

Anyone who knows how to regression test it properly?

Best regards

// Ola


On Mon, 15 Apr 2019 at 23:16, Scott Kitterman  wrote:

> That sounds like the right approach.
>
> Scott K

Re: [Pkg-clamav-devel] LTS update of clamav and call for advice

2019-04-15 Thread Scott Kitterman
That sounds like the right approach.

Scott K

On Monday, April 15, 2019 10:36:31 PM Ola Lundqvist wrote:
> Hi again
> 
> I have now compared the 0.100.2 version in stretch to the version 0.100.3
> in stretch updates.
> I can then see that most of the changes that I'm worried about are not
> included.
> 
> This means that I will take the .orig file and include a sub-set of the
> updates.
> The remaining updates will be:
> - Symbol updates (unavoidable I think).
> - Copyright update (not sure if it is necessary but I'll include it anyway)
> 
> The rest will not be updated.
> 
> Best regards
> 
> // Ola

Re: [Pkg-clamav-devel] LTS update of clamav and call for advice

2019-04-15 Thread Sebastian Andrzej Siewior
On 2019-04-15 22:36:31 [+0200], Ola Lundqvist wrote:
> Hi again
> 
> I have now compared the 0.100.2 version in stretch to the version 0.100.3
> in stretch updates.
> I can then see that most of the changes that I'm worried about are not
> included.
> 
> This means that I will take the .orig file and include a sub-set of the
> updates.
> The remaining updates will be:
> - Symbol updates (unavoidable I think).

you need to update the symbol file as we have in Stretch. The reason is
that clamav-daemon (among other clamav packages) _have_ to pull in
libclamav from this version. The clamav-* packages use internal symbols
from that library and would complain otherwise.

> - Copyright update (not sure if it is necessary but I'll include it anyway)
> 
> The rest will not be updated.
> 
> Best regards
> 
> // Ola

Sebastian
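To show why the symbols file update is unavoidable, here is an added example (not code from the thread, from dpkg or from the clamav package): a simplified model of how dpkg-shlibdeps turns a symbols file into the dependency a consumer binary gets. The symbols file is constructed; the cl_* names are libclamav's public API but every version stamp is made up, and cli_internal_helper is a hypothetical stand-in for the private symbols the clamav-* binaries import. compare_versions implements the dpkg version ordering so that the highest minimum version is picked correctly for versions such as 0.100.3+dfsg.

```python
"""Model of how dpkg-shlibdeps turns a symbols file into a dependency.

Added example: not code from the thread, from dpkg or from the clamav
package. The symbols file is constructed; cl_* are libclamav's public
API names but every version stamp is made up, and cli_internal_helper is a
hypothetical stand-in for the private symbols the clamav-* binaries use.
"""

SYMBOLS = """\
libclamav.so.7 libclamav7 #MINVER#
* Build-Depends-Package: libclamav-dev
 cl_init@Base 0.98.7
 cl_load@Base 0.98.7
 cl_scandesc@Base 0.98.7
 cli_internal_helper@Base 0.100.3+dfsg
"""


def _order(c):
    """Character weight in dpkg's version ordering ('~' sorts before end)."""
    if c == "~":
        return -1
    if not c or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's fragment comparison: non-digit runs by _order, digit runs numerically."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_version(v):
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")


def compare_versions(v1, v2):
    """<0, 0 or >0 as `dpkg --compare-versions` orders v1 against v2."""
    e1, u1, r1 = _split_version(v1)
    e2, u2, r2 = _split_version(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def parse_symbols(text):
    """Parse a symbols file into {soname: (package, {symbol: minver})}."""
    libs, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line[0] in "#|*":
            continue  # comments, alternative-dependency and meta lines
        if not line[0].isspace():  # "soname package #MINVER#" header
            soname, package = line.split()[:2]
            libs[soname] = (package, {})
            current = soname
            continue
        fields = line.split()
        name = fields[0].split(")", 1)[-1]  # drop tags such as (optional)
        libs[current][1][name] = fields[1] if len(fields) > 1 else None
    return libs


def shlibdeps(symbols_text, soname, needed_symbols):
    """Dependency a binary importing `needed_symbols` from `soname` gets.

    Returns (dependency, unlisted). The version is the highest minimum
    version among the imported symbols: a daemon that imports a symbol
    first listed at 0.100.3 ends up with >= 0.100.3, while a consumer of
    the old public API does not. Symbols absent from the file are returned
    separately; the real dpkg-shlibdeps warns about those.
    """
    package, table = parse_symbols(symbols_text)[soname]
    best, unlisted = None, []
    for sym in needed_symbols:
        if sym not in table:
            unlisted.append(sym)
        elif table[sym] and (best is None or compare_versions(table[sym], best) > 0):
            best = table[sym]
    dep = package if best is None else "%s (>= %s)" % (package, best)
    return dep, sorted(unlisted)
```

With the symbols file left at its old content, cli_internal_helper@Base would land in the unlisted list and the daemon's dependency would not be tightened to the new libclamav7, which is the complaint Sebastian refers to.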



Re: [Pkg-clamav-devel] LTS update of clamav and call for advice

2019-04-15 Thread Ola Lundqvist
Hi again

I have now compared the 0.100.2 version in stretch to the version 0.100.3
in stretch updates.
I can then see that most of the changes that I'm worried about are not
included.

This means that I will take the .orig file and include a sub-set of the
updates.
The remaining updates will be:
- Symbol updates (unavoidable I think).
- Copyright update (not sure if it is necessary but I'll include it anyway)

The rest will not be updated.

Best regards

// Ola


On Mon, 15 Apr 2019 at 20:00, Ola Lundqvist  wrote:

> Hi Scott
>
> I have now walked through the difference in the debian directories between
> the version in jessie and stretch updates.
> I think there is more work than just a simple changelog update.
>
> 1) The changelog file contains a lot of changes. I wonder how we generally
> should do it. If I backport a package from current stable should I keep that
> changelog and just add one entry or should I pretend that the jessie
> version still applies and add one entry from that one... Not sure myself.
> 2) /lib/systemd/system/clamav-daemon.socket is no longer installed and a
> patch introduced to not depend on it
> 3) Config file moved
> from /etc/systemd/system/clamav-daemon.socket.d/extend.conf
> to /etc/systemd/system/clamav-daemon.service.d/extend.conf
> 4) Changes in postinst. Not sure if it is backwards compatible or not yet.
> Preliminary not.
> 5) Debhelper compat updated. Should be ok.
> 6) Build dependency changes.
> 7) clamav-dbg package no longer provided
> 8) so files moved from /usr/lib/libclamav.so to /usr/lib/xxx/libclamav.so
> and pkgconfig moved accordingly.
> 9) Support for llvm introduced. Should probably be ok.
> 10) A LOT of symbols changed. They are declared private so it should be ok.
> But you never know.
>
> It would be helpful if you can help me judge if any of the above means
> backwards incompatibility.
>
> I'm most worried about the following:
> - Socket change
> - Config file change
> - Postinst change
> - clamav-dbg
> - Symbol changes
>
> Thank you in advance
>
> // Ola

Re: [Pkg-clamav-devel] LTS update of clamav and call for advice

2019-04-15 Thread Ola Lundqvist
Hi Scott

I have now walked through the difference in the debian directories between
the version in jessie and stretch updates.
I think there is more work than just a simple changelog update.

1) The changelog file contains a lot of changes. I wonder how we generally
should do it. If I backport a package from current stable should I keep that
changelog and just add one entry or should I pretend that the jessie
version still applies and add one entry from that one... Not sure myself.
2) /lib/systemd/system/clamav-daemon.socket is no longer installed and a
patch introduced to not depend on it
3) Config file moved
from /etc/systemd/system/clamav-daemon.socket.d/extend.conf
to /etc/systemd/system/clamav-daemon.service.d/extend.conf
4) Changes in postinst. Not sure if it is backwards compatible or not yet.
Preliminary not.
5) Debhelper compat updated. Should be ok.
6) Build dependency changes.
7) clamav-dbg package no longer provided
8) so files moved from /usr/lib/libclamav.so to /usr/lib/xxx/libclamav.so
and pkgconfig moved accordingly.
9) Support for llvm introduced. Should probably be ok.
10) A LOT of symbols changed. They are declared private so it should be ok.
But you never know.

It would be helpful if you can help me judge if any of the above means
backwards incompatibility.

I'm most worried about the following:
- Socket change
- Config file change
- Postinst change
- clamav-dbg
- Symbol changes

Thank you in advance

// Ola

On Mon, 1 Apr 2019 at 15:13, Scott Kitterman wrote:

> I believe you've misunderstood.
>
> The version in stable is 0.100.3 and does not have a soname bump (nor does
> it need one).  You should be able to update the LTS with that package with
> little more (maybe no more) than an updated changelog.
>
> Scott K
>
> On Monday, April 01, 2019 02:46:34 PM Ola Lundqvist wrote:
> > Hi Scott and LTS team
> >
> > Thank you. I'll see if I can backport the required fixes. That may solve
> > the library issue.
> >
> > Alternatively we state that clamav is not supported. Maybe someone in the
> > LTS team can advise on that.
> >
> > Best regards
> >
> > // Ola
> >
> > On Sun, 31 Mar 2019 at 22:35, Scott Kitterman wrote:
> > > Comments inline.
> > >
> > > On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
> > > > Hi
> > > >
> > > > I missed to include the clamav maintainers. Sorry about that.
> > > >
> > > > // Ola
> > > >
> > > > On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist wrote:
> > > > > Dear maintainers, LTS team and Debian Security team
> > > > >
> > > > > I have started to look at the clamav package update due to
> > > > > CVE-2019-1787
> > > > > CVE-2019-1788
> > > > > CVE-2019-1789
> > > > > (the other three vulnerabilities are not affecting jessie or stretch
> > > > > as I understand it)
> > >
> > > That's correct.
> > >
> > > > > I have understood that the clamav package is typically updated to the
> > > > > latest version also in stable and oldstable. However when doing so I
> > > > > encountered quite a few things that I would like to ask your advice
> > > > > on.
> > > > >
> > > > > First of all to the maintainers. Do you want to handle also LTS
> > > > > (oldstable) and regular security (stable) upload of clamav?
> > >
> > > Stable is already done through stable proposed updates (which is the
> > > normal path for clamav).  We leave the LTS releases to the LTS team.  Base
> > > your work on what's in stable.
> > >
> > > > > Question to maintainers and Security team. Should we synchronize the
> > > > > efforts here and have you already started on the stable update?
> > > > >
> > > > > If not I have a few questions:
> > > > > 1) Do you know the binary compatibility between libclamav7 and
> > > > > libclamav9?
> > > > >  I have noticed that the package in sid produces libclamav9 while the
> > > > > one in jessie provides libclamav7. Do you think this can be an issue?
> > >
> > > Yes.  It's guaranteed to be an issue.  We have a stable transition
> > > prepared and will do it (once the srm blesses) after the next point
> > > release in April.
> > > Note that the security team doesn't support clamav.
> > >
> > > > > 2) Do you think backporting the package in sid is better than simply
> > > > > updating to the latest upstream while keeping most scripts in
> > > > > oldstable? I had to copy over the split-archive.sh to be able to
> > > > > generate a proper orig tarball.
> > >
> > > No.  Use what's in stable proposed updates.
> > >
> > > > > - I personally think the package in sid has a little too many updates
> > > > > to make that safe, especially since it produces new library packages.
> > >
> > > Agreed.  That would definitely be a bad idea.
> > >
> > > > > - On the other hand, I had to do some modifications already to allow
> > > > > the package to be generated and I have not even started building
> > > > > yet.
> > > > >

Accepted libxslt 1.1.28-2+deb8u4 (source amd64) into oldstable

2019-04-15 Thread Chris Lamb

Format: 1.8
Date: Mon, 15 Apr 2019 16:56:54 +0100
Source: libxslt
Binary: libxslt1.1 libxslt1-dev libxslt1-dbg xsltproc python-libxslt1 
python-libxslt1-dbg
Architecture: source amd64
Version: 1.1.28-2+deb8u4
Distribution: jessie-security
Urgency: high
Maintainer: Debian XML/SGML Group 
Changed-By: Chris Lamb 
Description:
 libxslt1-dbg - XSLT 1.0 processing library - debugging symbols
 libxslt1-dev - XSLT 1.0 processing library - development kit
 libxslt1.1 - XSLT 1.0 processing library - runtime library
 python-libxslt1 - Python bindings for libxslt1
 python-libxslt1-dbg - Python bindings for libxslt1 (debug extension)
 xsltproc   - XSLT 1.0 command line processor
Closes: 926895
Changes:
 libxslt (1.1.28-2+deb8u4) jessie-security; urgency=high
 .
   * CVE-2019-11068: Prevent a bypass of a protection mechanism in the
 xsltCheckRead and xsltCheckWrite routines that permit access upon receiving
 a -1 error code; xsltCheckRead returned -1 for a specially-crafted URL that
 is not actually invalid and the attacker was subsequently authenticated.
 (Closes: #926895)
Checksums-Sha1:
 5c2657baafd8af39225c8aa47f7a8fa77641289b 2403 libxslt_1.1.28-2+deb8u4.dsc
 4df177de629b2653db322bfb891afa3c0d1fa221 3435907 libxslt_1.1.28.orig.tar.gz
 5ef43a90f66e77b86e6510fce1bb4ff5602d5e81 38864 
libxslt_1.1.28-2+deb8u4.debian.tar.xz
 61e97d61e7fab1c69c44f9c0d760814624588cf0 232302 
libxslt1.1_1.1.28-2+deb8u4_amd64.deb
 4a3592b597275578c71f8cfc31059a0dcd474ff2 513288 
libxslt1-dev_1.1.28-2+deb8u4_amd64.deb
 13858a79849a21834bed501044c62949adb75abc 479598 
libxslt1-dbg_1.1.28-2+deb8u4_amd64.deb
 cabd30920c080b736e5efd4fd1164c68d9bd842b 118694 
xsltproc_1.1.28-2+deb8u4_amd64.deb
 26c519232e87df7880e925252307e0b44f9b3873 138940 
python-libxslt1_1.1.28-2+deb8u4_amd64.deb
 80ed667b02f6977427a8db22cceb31fec920846d 222350 
python-libxslt1-dbg_1.1.28-2+deb8u4_amd64.deb
Checksums-Sha256:
 40350976d950555c803753069fa2415a1d768331c087c1959a47f83157731229 2403 
libxslt_1.1.28-2+deb8u4.dsc
 5fc7151a57b89c03d7b825df5a0fae0a8d5f05674c0e7cf2937ecec4d54a028c 3435907 
libxslt_1.1.28.orig.tar.gz
 c7cad1c1c6fe0e2e96d05f258869b4e6a62c82c1c8631f71bad56ac7f4ca6dbc 38864 
libxslt_1.1.28-2+deb8u4.debian.tar.xz
 b3b33978c64bd5ce0643202825690c99ad971bc483e09ccea2eca6a8efe04983 232302 
libxslt1.1_1.1.28-2+deb8u4_amd64.deb
 0d635486440dec8161e68a83b85364be00c272cdcae0e9bf577c5a7ee338ca9c 513288 
libxslt1-dev_1.1.28-2+deb8u4_amd64.deb
 c04a4f241e252a376c4eafc80767dd9d3b4eea6dfcbe7057f09408b95078c1a3 479598 
libxslt1-dbg_1.1.28-2+deb8u4_amd64.deb
 97a3c354988fe0d37a9871143ca9e2176c74810d442f51ae1b88bb6c6f732968 118694 
xsltproc_1.1.28-2+deb8u4_amd64.deb
 1a8557b1b5c46d26790a809e2b43458151d02506418d241aee7373baf9b83624 138940 
python-libxslt1_1.1.28-2+deb8u4_amd64.deb
 3318241502279b2e597bc4b7c4821c0a7f886658661362e78985b48f2142447c 222350 
python-libxslt1-dbg_1.1.28-2+deb8u4_amd64.deb
Files:
 fde17cc9aba28993a570f519c9769bc0 2403 text optional libxslt_1.1.28-2+deb8u4.dsc
 9667bf6f9310b957254fdcf6596600b7 3435907 text optional libxslt_1.1.28.orig.tar.gz
 81812364a51dd512b4700704463dffc7 38864 text optional libxslt_1.1.28-2+deb8u4.debian.tar.xz
 c7cdcdd40dc6fc68887a82315f20826b 232302 libs optional libxslt1.1_1.1.28-2+deb8u4_amd64.deb
 8dc3632329f5ec323c9616f44d335dbe 513288 libdevel optional libxslt1-dev_1.1.28-2+deb8u4_amd64.deb
 4e3a597271df8ce39bfb899ed5dac97e 479598 debug extra libxslt1-dbg_1.1.28-2+deb8u4_amd64.deb
 ef47c0f327ca1370f6aeddf77519c6f7 118694 text optional xsltproc_1.1.28-2+deb8u4_amd64.deb
 de8caab5c778c20f684693fc18745100 138940 python optional python-libxslt1_1.1.28-2+deb8u4_amd64.deb
 c527f4278c3e79fb1cb82672f7684019 222350 debug extra python-libxslt1-dbg_1.1.28-2+deb8u4_amd64.deb




[SECURITY] [DLA 1756-1] libxslt security update

2019-04-15 Thread Chris Lamb
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package: libxslt
Version: 1.1.28-2+deb8u4
CVE ID : CVE-2019-11068
Debian Bug : #926895

It was discovered that there was an authentication bypass
vulnerability in libxslt, a widely-used library for transforming
files from XML to other arbitrary formats.

The xsltCheckRead and xsltCheckWrite routines permitted access upon
receiving a -1 error code and (as xsltCheckRead returned -1 for a
specially-crafted URL that is not actually invalid) the attacker was
subsequently authenticated.

For Debian 8 "Jessie", this issue has been fixed in libxslt version
1.1.28-2+deb8u4.

We recommend that you upgrade your libxslt packages.


Regards,

- -- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-

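The failure mode the advisory describes, a permission check whose callers treat an error return as permission, is easy to reproduce in miniature. The C program below is an added illustration and is not libxslt's code or the fix shipped in 1.1.28-2+deb8u4: the `check_read` function, its file:// URL policy and the `odd:` scheme that drives it into the error path are all assumptions made for the example. It places a caller that only denies on an explicit 0 (so -1 falls through to "allowed") next to one that fails closed.

```c
/* Added example: a tri-state security check and two callers, one that
 * fails open on the error code and one that fails closed. Names, URL
 * policy and the "odd:" error trigger are assumptions, not libxslt code. */
#include <stdio.h>
#include <string.h>

/* Return 1 = allowed, 0 = denied, -1 = internal error (no verdict). */
static int check_read(const char *url)
{
    if (url == NULL || url[0] == '\0')
        return -1;                       /* nothing to evaluate: error */

    /* Assumed policy: only file:// paths under /var/lib/xslt/ are readable. */
    if (strncmp(url, "file:///var/lib/xslt/", 21) == 0 &&
        strstr(url, "..") == NULL)
        return 1;

    /* Assumed failure mode: an unsupported scheme makes the checker
     * report an error instead of a deny, mirroring the -1 in the advisory. */
    if (strncmp(url, "odd:", 4) == 0)
        return -1;

    return 0;                            /* everything else is denied */
}

/* Vulnerable caller: anything other than an explicit 0 is treated as
 * permission, so the -1 error path becomes a bypass. */
int vulnerable_may_read(const char *url)
{
    if (check_read(url) == 0)
        return 0;                        /* denied */
    return 1;                            /* allowed, including on error */
}

/* Fixed caller: only an explicit 1 grants access; 0 and -1 both deny. */
int fixed_may_read(const char *url)
{
    if (check_read(url) <= 0)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample URLs: an in-policy file, an out-of-policy file,
     * and one using the scheme that triggers the error path. */
    const char *urls[] = {
        "file:///var/lib/xslt/style.xsl",
        "file:///etc/passwd",
        "odd:///etc/passwd",
    };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-32s vulnerable=%d fixed=%d\n", urls[i],
               vulnerable_may_read(urls[i]), fixed_may_read(urls[i]));
    return 0;
}
```

The general lesson is that a security check returning a tri-state value must be consumed with "allow only on success", never "deny only on failure"; any other comparison turns every unexpected error into a grant.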



Wheezy ELTS?

2019-04-15 Thread Микаел Бак

Hi list,

Seems Wheezy has been removed from security.debian.org, but isn't added 
to the archive server.


Is this usual, or is it an error?

TIA,
Mikael



Re: 31 DLAs missing from the website

2019-04-15 Thread Holger Levsen
control: retitle -1 7 DLAs missing from the website (or not)
thanks

Hi Brian,

many thanks for all your fixes on this bug!

On Fri, Apr 12, 2019 at 04:03:25PM +1000, Brian May wrote:
> > ERROR: .data or .wml file missing for DLA 1130-1
> > ERROR: .data or .wml file missing for DLA 719-1
> > ERROR: .data or .wml file missing for DLA 706-1
> > ERROR: .data or .wml file missing for DLA 659-1
> Looks like these are all mine, I have copies of the outgoing emails, but
> from my private mail archives, not in the public web archive. So I guess
> that means I am the only one who can fix these :-)

and you did. Many thanks for that!

> > ERROR: .data or .wml file missing for DLA 772-1

this one has been dealt with

> > ERROR: .data or .wml file missing for DLA 607-1
> > ERROR: .data or .wml file missing for DLA 567-1
> > ERROR: .data or .wml file missing for DLA 377-1
> > ERROR: .data or .wml file missing for DLA 267-1
> > ERROR: .data or .wml file missing for DLA 115-2
> > ERROR: .data or .wml file missing for DLA 145-2
> I can't actually find these - or anything like them - in the mailing
> list archives or on my computer.

I believe those DLAs were allocated but never used. We will need to double
check and then probably provide dummy/empty DLAs documenting this.

> * I can find DLA-567-2 but not a DLA-567-1; I suspect DLA-567-2 was sent
>   instead of DLA-567-1.

fun ;)

> > ERROR: .data or .wml file missing for DLA 580-1
> 
> I suspect that might be this email:
> 
> Date: Mon, 1 Aug 2016 12:05:55 +0200
> From: Balint Reczey 
> Subject: [SECURITY] [REGRESSION] [DLA -] graphite2 regression update
> To: debian-lts-annou...@lists.debian.org
> Mail-Followup-To: debian-lts@lists.debian.org
> 
> Source: https://lists.debian.org/debian-lts-announce/2016/08/msg0.html
> 
> Impossible to mark a positive identification, however the email was sent
> after DLA-578-1, before DLA-582-1, and the package name matches, and the
> security tracker has similar title.

seems like DLA 580 indeed.


-- 
tschau,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




(semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-04-15 Thread Holger Levsen
Hi,

I've done this again, today I unclaimed:

clamav (Ola Lundqvist)
jruby (Abhijith PA)


-- 
tschau,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




Re: libvirt / CVE-2019-3886

2019-04-15 Thread Brian May
Moritz Mühlenhoff  writes:

> We're tracking it as it's currently assigned by MITRE and it's their usual
> practice to split out secondary angles to a separate CVE ID. As such, you
> should rather reach out to them via https://cveform.mitre.org and request
> a separate ID for the part that affects 1.2.x as well.

Request submitted. I hope...
-- 
Brian May