(E)LTS report for May
Hi,

During the month of May, I spent 33h on LTS working on the following tasks:

- openjdk-7 security update
- qemu security update
- security-tracker reviews
- sqlite3 triage
- sox: backported patches, ran into stability bug in jessie not happening in sid, bisected it but fix was too invasive so released other fixes
- jruby: investigated build issue reported by Abhijith
- samba security update
- firefox-esr security update
- started to look at how to handle firefox-esr 68 for jessie
- thunderbird security update
- CVE triaging
- php5: started with the new issues, but waited for official upstream release
- backporting fixes for poppler issues

For ELTS I spent 12h on the following:

- openjdk-7 security update
- intel-microcode: backported security update
- php5: backported fixes but waited for upstream release
- CVE triaging / frontdesk

Cheers,
Emilio
Re: RFC: remaining CVEs on libspring-java
On Thu, Jun 06, 2019 at 12:06:42AM -0400, Roberto C. Sánchez wrote:
> On Tue, Jun 04, 2019 at 12:56:21PM +0200, Markus Koschany wrote:
> >
> > The Spring framework is a very fine but
> > also complex web framework. We use many parts of it as
> > build-dependencies for other packages. I don't believe that a serious
> > Java developer will build web applications with our Spring package, and
> > a look into packages-to-support seems to confirm my suspicion. I would
> > upload what has already been fixed and then follow Stretch.
> >
> Your mention of packages-to-support caused me to go look, where I found
> that libspring-java is not listed. That makes me think that it was
> mistakenly added to dla-needed.txt. Given that it should not have been
> listed in the first place, that supports wrapping up and uploading the
> work that I have done up to this point without going any further.
>
Emilio and Mike pointed out to me in IRC that I was misunderstanding the
role of packages-to-support in LTS. Thanks to them for explaining the
situation to me. That said, I'll still go ahead with your recommendation.

Regards,

-Roberto

-- 
Roberto C. Sánchez
[SECURITY] [DLA 1815-1] poppler security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : poppler
Version        : 0.26.5-2+deb8u10
CVE ID         : CVE-2019-10872 CVE-2019-12293 CVE-2019-12360

Several vulnerabilities have been found in the poppler PDF rendering
library, which could result in denial of service or possibly other
unspecified impact when processing malformed or maliciously crafted files.

For Debian 8 "Jessie", these problems have been fixed in version
0.26.5-2+deb8u10.

We recommend that you upgrade your poppler packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAlz4+F8ACgkQnUbEiOQ2
gwIubw/9HiHWpAwhmT2kN6QO9G38iG7J/q3HR38jGa5rDC4rE7dT4iAs3jeU5okY
PszkoqZkc63OOhNf+5M5alVD6HIAEbSeH/FALKVTZ+OxLNX2VFUu/tvoH/RTpuT5
VCjgZ4vcPtzqRiuxPVjw/AmVWfVXIVNgHiAf2j+9Zw5d/xdbhIJwFnhYTC/sLaEZ
UkSZkQMKHrImbq1lspAg2U0HgVuK+Ybx0yHRiOkYkr3J/XH3+gGktXqvmmR5IXbh
3rSh22mXLnKWErrwEWnWE36/YU0UUzq5vRvafCYkNE9MKyYYpCUpAb5m2dTYzfh/
NgSqJlrt3eG9XrgS9oByvvurZpeYXY1TzKcsTL5GTnJbAK8F70FRKCBKj4lkbJvW
2HOfJvATTRBjlEg6vPNBYdO674UG864j+/BXg35or047L2BF4A6FeR/+ISz+r+Ek
2J7yAdeCu2WmMlZyVZZu5n+e4DgcW55zAm51JDUE66JnC8uSnVJW68C6WYfk8Z7Q
1VesubpqT76FnhAh6cTjP93oEi/QBM1eCzMjUjGEt7gjGNb+42zsda9v2n6v4VE4
ZUCrYaV66wC0MWqGSwiFFYMaG/muMo3o/oFN8z9vmLEMpmTlfZ7I+OlzAxtH2no0
tOmLNN8ix+QPPcXWcLF8KgGxNbHvM8wj53sCdUjo//iRuB6yLbI=
=YmfQ
-----END PGP SIGNATURE-----
Accepted poppler 0.26.5-2+deb8u10 (source amd64 all) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 06 Jun 2019 12:02:44 +0200
Source: poppler
Binary: libpoppler46 libpoppler-dev libpoppler-private-dev libpoppler-glib8 libpoppler-glib-dev libpoppler-glib-doc gir1.2-poppler-0.18 libpoppler-qt4-4 libpoppler-qt4-dev libpoppler-qt5-1 libpoppler-qt5-dev libpoppler-cpp0 libpoppler-cpp-dev poppler-utils poppler-dbg
Architecture: source amd64 all
Version: 0.26.5-2+deb8u10
Distribution: jessie-security
Urgency: medium
Maintainer: Loic Minier
Changed-By: Emilio Pozuelo Monfort
Description:
 gir1.2-poppler-0.18 - GObject introspection data for poppler-glib
 libpoppler-cpp-dev - PDF rendering library -- development files (CPP interface)
 libpoppler-cpp0 - PDF rendering library (CPP shared library)
 libpoppler-dev - PDF rendering library -- development files
 libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
 libpoppler-glib-doc - PDF rendering library -- documentation for the GLib interface
 libpoppler-glib8 - PDF rendering library (GLib-based shared library)
 libpoppler-private-dev - PDF rendering library -- private development files
 libpoppler-qt4-4 - PDF rendering library (Qt 4 based shared library)
 libpoppler-qt4-dev - PDF rendering library -- development files (Qt 4 interface)
 libpoppler-qt5-1 - PDF rendering library (Qt 5 based shared library)
 libpoppler-qt5-dev - PDF rendering library -- development files (Qt 5 interface)
 libpoppler46 - PDF rendering library
 poppler-dbg - PDF rendering library -- debugging symbols
 poppler-utils - PDF utilities (based on Poppler)
Changes:
 poppler (0.26.5-2+deb8u10) jessie-security; urgency=medium
 .
   * CVE-2019-10872: heap buffer overread in Splash::blitTransparent.
   * CVE-2019-12293: heap buffer overread in JPXStream::init.
   * CVE-2019-12360: stack buffer overread in FoFiTrueType::cvtSfnts.
Checksums-Sha1:
 95f455f48156f724b50ef71f8e9bc44b6cc74a8a 3306 poppler_0.26.5-2+deb8u10.dsc
 12937666faee80bae397a8338a3357e864d77d53 1595232 poppler_0.26.5.orig.tar.xz
 af94d56c5d4190ecdb751a23ba4dbb81cf361db5 46520 poppler_0.26.5-2+deb8u10.debian.tar.xz
 881173b2323eb2f1c2021a7903eadf29edd32da4 1213004 libpoppler46_0.26.5-2+deb8u10_amd64.deb
 0f6f4f9d2d023be7b45aace95dd8325e4acf2f38 768898 libpoppler-dev_0.26.5-2+deb8u10_amd64.deb
 aeb520358a851f75091c3edc02f83e5ec5662e16 181364 libpoppler-private-dev_0.26.5-2+deb8u10_amd64.deb
 f17d1ac82d3f273c68f6baea4a931fbd77a30696 122624 libpoppler-glib8_0.26.5-2+deb8u10_amd64.deb
 3a058abfd884c8c148caec92dbbc2cd86108e5ad 164576 libpoppler-glib-dev_0.26.5-2+deb8u10_amd64.deb
 6f27cd655f795f30fec0a18b93315328d3191cc3 86920 libpoppler-glib-doc_0.26.5-2+deb8u10_all.deb
 bfc2c01883bcd45e841455d6d76f2270a7a26985 35090 gir1.2-poppler-0.18_0.26.5-2+deb8u10_amd64.deb
 d2b1caa44150494495fdaa06dc0b1ab00fc5f014 128798 libpoppler-qt4-4_0.26.5-2+deb8u10_amd64.deb
 0c789fd73b575c59d78e4eb09bd6b96730e4148d 159508 libpoppler-qt4-dev_0.26.5-2+deb8u10_amd64.deb
 d9597894799b1e068794d69fb5b319272f9c2def 133152 libpoppler-qt5-1_0.26.5-2+deb8u10_amd64.deb
 980703b57ff0a4151afb1fc9eeaf7439dfae8e7f 166482 libpoppler-qt5-dev_0.26.5-2+deb8u10_amd64.deb
 25482dd7b2c516184bffd10086f7634c811b5ad6 45700 libpoppler-cpp0_0.26.5-2+deb8u10_amd64.deb
 e4a715e8590b55c5c3c4dfe08802019ccb29d582 50136 libpoppler-cpp-dev_0.26.5-2+deb8u10_amd64.deb
 7873cf6f0917ef2a565ad5e07457219e5859769e 142530 poppler-utils_0.26.5-2+deb8u10_amd64.deb
 134d12a2b9683e77f29255e632c0333de7aae474 7684674 poppler-dbg_0.26.5-2+deb8u10_amd64.deb
Checksums-Sha256:
 02e5ff978e8fb83cd5236b98b01e8a5c12f4a073239dfe76607c85ef34959459 3306 poppler_0.26.5-2+deb8u10.dsc
 de7de5fa337431e5d1f372e8577b3707322f1dbc1dc28a70f2927476f134d1ee 1595232 poppler_0.26.5.orig.tar.xz
 5de1b4284034a5810dd03fc0b384ad85aa11b740873a478029ca3f41c9210435 46520 poppler_0.26.5-2+deb8u10.debian.tar.xz
 0310907d60d1cb931d368d585b744f3964e2f04f75f6e63943270c49ed09109e 1213004 libpoppler46_0.26.5-2+deb8u10_amd64.deb
 f2ac6f9a34c70adfd3429f320d3321391c388a28f9fdb4ef20b0f53036e47ff7 768898 libpoppler-dev_0.26.5-2+deb8u10_amd64.deb
 f958d6eb9887397d9beeeb443aaf1be1722a7be2d8c43a630e9e1614981837b9 181364 libpoppler-private-dev_0.26.5-2+deb8u10_amd64.deb
 9e37ed6c0a47661a649e5f55270358a8bb35a638ac2d62c98f116332506b6ef0 122624 libpoppler-glib8_0.26.5-2+deb8u10_amd64.deb
 30f5472f10955be84cc5b172f883d736d40b6ee7abdc0f9dd3bab9d0195783dc 164576 libpoppler-glib-dev_0.26.5-2+deb8u10_amd64.deb
 9be704ae0d5e757da197846844bc7bee17c53afdc07a67a19634dde347c257df 86920 libpoppler-glib-doc_0.26.5-2+deb8u10_all.deb
 fdc2ca2334fab9cf191007a58317f7f3e0cdf50f88be7d426d478292c97407d0 35090 gir1.2-poppler-0.18_0.26.5-2+deb8u10_amd64.deb
 28418a19617f3704aa7af7de84c717de0dafbbbf1ae1398a826674b57171ab68 128798 libpoppler-qt4-4_0.26.5-2+deb8u10_amd64.deb
 c6016b10a2c082fb14b550fc84f59869c8d428d4e1fbf878512452c0b7aa56f3 159508 libpoppler-qt4-dev_0.26.5-2+deb8u10_amd64.deb
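The Checksums-Sha1 and Checksums-Sha256 fields above are what lets a mirror consumer confirm that the .deb and source files it received are the ones the uploader signed. The following is an added example, not Debian's or the poppler maintainers' tooling: it parses a checksum field of a .changes file (one indented " hash size name" line per file, ending at the next unindented field) and verifies files on disk against it. It assumes the clearsigned .changes has already been checked with `gpg --verify`, and the .changes text and files it runs on are constructed for the demo (sha256 of the three bytes "abc" is the well-known ba7816bf...).

```python
"""Verify downloaded files against a checksum field of a Debian .changes file.
Added example, not the project's own tooling. Assumes the clearsigned .changes
was verified with gpg first; this only checks the file list it carries."""
import hashlib
import os
import tempfile


def parse_checksums(changes_text: str, field: str = "Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} for the given field.

    Checksums-* lines are ' <digest> <size> <name>'; the Files field is
    ' <md5> <size> <section> <priority> <name>', so the name is always last.
    """
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):   # next field, or the PGP trailer
                break
            parts = line.split()
            entries[parts[-1]] = (parts[0].lower(), int(parts[1]))
    return entries


def verify_files(changes_text: str, directory: str,
                 field: str = "Checksums-Sha256", algo: str = "sha256"):
    """Compare each listed file with its recorded size and digest.

    Returns {filename: "ok" | "missing" | "size mismatch" | "digest mismatch"}.
    The size check runs first so a truncated download is reported as such
    without hashing it.
    """
    results = {}
    for name, (digest, size) in parse_checksums(changes_text, field).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != size:
            results[name] = "size mismatch"
            continue
        h = hashlib.new(algo)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == digest else "digest mismatch"
    return results


# Constructed .changes fragment: every entry claims sha256("abc"), size 3.
SAMPLE_CHANGES = """Format: 1.8
Source: example
Checksums-Sha256:
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 good_1.0-1_all.deb
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 tampered_1.0-1_all.deb
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 truncated_1.0-1_all.deb
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 absent_1.0-1_all.deb
Files:
 900150983cd24fb0d6963f7d28e17f72 3 misc optional good_1.0-1_all.deb
"""


def demo_run() -> dict:
    """Write constructed files into a temp dir and verify them against SAMPLE_CHANGES."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good_1.0-1_all.deb"), "wb") as f:
            f.write(b"abc")
        with open(os.path.join(d, "tampered_1.0-1_all.deb"), "wb") as f:
            f.write(b"abd")   # same size, one byte changed: only the digest catches it
        with open(os.path.join(d, "truncated_1.0-1_all.deb"), "wb") as f:
            f.write(b"ab")    # short download: caught by the size check
        return verify_files(SAMPLE_CHANGES, d)


if __name__ == "__main__":
    for name, status in demo_run().items():
        print(f"{status:16} {name}")
```

Against a real upload, point `verify_files` at the directory holding the downloaded files and pass the .changes text; use `field="Checksums-Sha1", algo="sha1"` to check the other field the upload carries. Matching hashes prove integrity relative to the .changes, not authenticity, which is why the signature check comes first.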