(semi-)automatic unclaim of packages with more than 2 weeks of inactivity
hi,

today I unclaimed for LTS:

- angular.js (Thorsten Alteholz)
- opendmarc (Thorsten Alteholz)
- tiff (Thorsten Alteholz)

and none for eLTS.

-- 
tschau,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: (E)LTS report for October
Holger Levsen writes:

> then, just for the record, this was discussed with Raphael and me. Please
> don't do more hours than assigned without coordination. See "What should
> I do if I work more than the hours allocated?" in debian-lts.git for
> more info.

Huh? I don't see anything about requiring coordination here. Just bill
the hours for your next month. Did I miss something?

=== cut ===
What should I do if I work more than the hours allocated?
~

If we allocate you 10 paid work hours, it means that we can pay you 10
hours for the given month. If you are not ready to offer the supplementary
work hours, you should manage your work so that you don't go over this
limit.

If you want to cross the limit (in month M) because you want to wrap up
the thing that you are working on, you can do it but you should count the
supplementary hours as anticipated work hours for the following month
(M+1). That is, don't mention those extra work hours in your report for
month M and don't invoice them for month M. Instead, in month M+1 you
start your month with those supplementary hours counting as work already
done.

To continue the above example, in month M, you got assigned 10 hours but
you made 11 hours. Your invoice and your report mentions 10h. In month
M+1, you got again assigned 10 hours but you will only do 9h of real work.
Despite this, the report and invoice will again be of 10h because they
will include the supplementary work hour done the month before.
=== cut ===

This can happen if you have unexpected urgent work to do when you have
reached your hours for the month. For example a regression in a previous
upload.

-- 
Brian May
Re: RFS: ruby-haml
Hi Holger,

On 10/11/19 10:22 pm, Holger Levsen wrote:
> On Sun, Nov 10, 2019 at 12:18:37AM +0530, Utkarsh Gupta wrote:
>> I've fixed CVE-2017-1002201 and thus request for someone to sponsor the
>> upload of ruby-haml.
>> The package is tested and uploaded to mentors.d.net and the relevant
>> .dsc could be found here[1].
> thanks, uploaded.

Thank you very much! :D

>> I'm also attaching the DLA file for the same.
> will do, once it has been accepted by the archive. please make sure to
> put this DLA on www.d.o as well.

Announced!

Best,
Utkarsh
[SECURITY] [DLA 1986-1] ruby-haml security update
Package        : ruby-haml
Version        : 4.0.5-2+deb8u1
CVE ID         : CVE-2017-1002201

In haml, when using user input to perform tasks on the server, characters
like < > " ' must be escaped properly. In this case, the ' character was
missed. An attacker can manipulate the input to introduce additional
attributes, potentially executing code.

For Debian 8 "Jessie", this problem has been fixed in version
4.0.5-2+deb8u1.

We recommend that you upgrade your ruby-haml packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS
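To illustrate the class of bug this advisory describes (an HTML-escaping helper that leaves `'` untouched, so a value inside a single-quoted attribute can end the attribute early), here is an added example, not ruby-haml's own code: a minimal escape helper in the incomplete form beside the fixed form, plus a defensive check on the result. The helper names and the sample input are assumptions.

```ruby
# Added example, not from ruby-haml: a minimal HTML-escaping helper
# in the incomplete form the DLA describes and in the fixed form.

# Incomplete: escapes & < > " but leaves the single quote untouched.
# A value rendered inside a single-quoted attribute can therefore close
# the quote and introduce additional attributes.
INCOMPLETE_MAP = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;'
}.freeze

# Fixed: the single quote is always escaped as well.
FIXED_MAP = INCOMPLETE_MAP.merge("'" => '&#39;').freeze

def html_escape_incomplete(text)
  text.to_s.gsub(/[&<>"]/, INCOMPLETE_MAP)
end

def html_escape_fixed(text)
  text.to_s.gsub(/[&<>"']/, FIXED_MAP)
end

# Render an attribute the way a template would: single-quoted value,
# with the given escaper applied to the untrusted part.
def title_attr(value, escaper)
  "<a title='#{escaper.call(value)}'>link</a>"
end

# Defensive check: after escaping, the attribute value must contain no
# raw quote character of either kind, so the quoting context is intact.
def attr_value_safe?(escaped)
  !escaped.match?(/["']/)
end

if __FILE__ == $PROGRAM_NAME
  sample = "Bob's <tag>"                    # constructed input
  puts title_attr(sample, method(:html_escape_incomplete))
  puts title_attr(sample, method(:html_escape_fixed))
end
```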
Accepted ruby-haml 4.0.5-2+deb8u1 (source all) into oldoldstable
Format: 1.8
Date: Sat, 09 Nov 2019 22:27:34 +0530
Source: ruby-haml
Binary: ruby-haml
Architecture: source all
Version: 4.0.5-2+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers
Changed-By: Utkarsh Gupta
Description:
 ruby-haml  - Elegant, structured XHTML/XML templating engine
Changes:
 ruby-haml (4.0.5-2+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * Add patch to always escape `'` in Haml::Helpers.#html_escape.
     (Fixes: CVE-2017-1002201)
Files:
 8306519592183cc0ae05240308df7397 2213 ruby optional ruby-haml_4.0.5-2+deb8u1.dsc
 5784e74d761e1aae56f42d385a2b2467 114866 ruby optional ruby-haml_4.0.5.orig.tar.gz
 686502f5c69a23fba13d1fef9d2ef0df 10332 ruby optional ruby-haml_4.0.5-2+deb8u1.debian.tar.xz
 59e2383c613be8f225574489ecb737ea 125158 ruby optional ruby-haml_4.0.5-2+deb8u1_all.deb
Re: RFS: ruby-haml
On Sun, Nov 10, 2019 at 12:18:37AM +0530, Utkarsh Gupta wrote:
> I've fixed CVE-2017-1002201 and thus request for someone to sponsor the
> upload of ruby-haml.
> The package is tested and uploaded to mentors.d.net and the relevant
> .dsc could be found here[1].

thanks, uploaded.

> I'm also attaching the DLA file for the same.

will do, once it has been accepted by the archive. please make sure to
put this DLA on www.d.o as well.

-- 
cheers,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: (E)LTS report for October
Hi,

first: thanks for your work and the report, Emilio!

On Sun, Nov 10, 2019 at 11:07:02AM +0100, Emilio Pozuelo Monfort wrote:
> Since the hours spent on LTS were higher than my allotted time, my November
> hours will be used for that, as well as a few from ELTS, and I will work on
> the remaining tasks on my own time (finishing the Thunderbird update for
> jessie, as well as fixing the armhf build).

then, just for the record, this was discussed with Raphael and me. Please
don't do more hours than assigned without coordination. See "What should
I do if I work more than the hours allocated?" in debian-lts.git for
more info.

-- 
cheers,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
(E)LTS report for October
Hi,

During the month of October I spent 72 hours on finishing the Firefox
ESR 68 update. That update took so much time due to the necessary
toolchain updates, which included rust & cargo, LLVM, and GCC, and to
several issues which were encountered with some of those components and
with some old versions of packages in jessie, and with the Firefox build
itself. The work was done for both Debian jessie and stretch, so that we
can keep supporting Firefox when stretch becomes LTS a few months from
now.

In addition to that, I spent 3 hours updating tzdata and
libdatetime-timezone-perl for LTS and ELTS.

Since the hours spent on LTS were higher than my allotted time, my
November hours will be used for that, as well as a few from ELTS, and I
will work on the remaining tasks on my own time (finishing the
Thunderbird update for jessie, as well as fixing the armhf build).

Cheers,
Emilio
[SECURITY] [DLA 1987-1] firefox-esr security update
Package        : firefox-esr
Version        : 68.2.0esr-1~deb8u1
CVE ID         : CVE-2019-11757 CVE-2019-11759 CVE-2019-11760 CVE-2019-11761
                 CVE-2019-11762 CVE-2019-11763 CVE-2019-11764 CVE-2019-15903

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, information disclosure, cross-site scripting or denial of service.

Debian follows the extended support releases (ESR) of Firefox. Support
for the 60.x series has ended, so starting with this update we're now
following the 68.x releases.

For Debian 8 "Jessie", these problems have been fixed in version
68.2.0esr-1~deb8u1.

We recommend that you upgrade your firefox-esr packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS