[SECURITY] [DLA 2737-1] openjdk-8 security update
- Debian LTS Advisory DLA-2737-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Roberto C. Sánchez August 09, 2021 https://wiki.debian.org/LTS - Package: openjdk-8 Version: 8u302-b08-1~deb9u1 CVE ID : CVE-2021-2341 CVE-2021-2369 CVE-2021-2388 Several vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in bypass of sandbox restrictions, incorrect validation of signed Jars or information disclosure. Thanks to Thorsten Glaser and ⮡ tarent for contributing the updated packages to address these vulnerabilities. For Debian 9 stretch, these problems have been fixed in version 8u302-b08-1~deb9u1. We recommend that you upgrade your openjdk-8 packages. For the detailed security status of openjdk-8 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openjdk-8 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS signature.asc Description: PGP signature
Re: always check and update (d|e)la-needed.txt (Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do))
Roberto C. Sánchez wrote: On this past Friday, Raphaël put me in touch with Thorsten Glaser, who had already prepared openjdk-8 package for jessie and stretch. I reviewed and sponsored the upload, and the packages were literally in the process of uploading when I saw this message. I will publish the advisories in a few hours, after all the binary packages are built. Oops, this explains the REJECTs I got :) I know I will be extra careful going forward. This especially as in the past I have been quick to become frustrated at others' mistakes. I appreciate the patience you and Emilio have shown toward me. It is very much appreciated. Np, we all make mistakes. Cheers, Emilio
Accepted lynx 2.8.9dev11-1+deb9u1 (source all amd64) into oldstable
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Mon, 09 Aug 2021 16:25:40 +0100 Source: lynx Binary: lynx-common lynx lynx-cur Architecture: source all amd64 Version: 2.8.9dev11-1+deb9u1 Distribution: stretch-security Urgency: high Maintainer: Debian Lynx Packaging Team Changed-By: Chris Lamb Description: lynx - classic non-graphical (text-mode) web browser lynx-common - shared files for lynx package lynx-cur - Text-mode WWW Browser (transitional package) Closes: 991971 Changes: lynx (2.8.9dev11-1+deb9u1) stretch-security; urgency=high . * CVE-2021-38165: Correctly handle authentication subcomponents in URIs (eg. https://user:p...@example.com) to avoid remote attackers discovering cleartext credentials when they appear in SNI data. (Closes: #991971) Checksums-Sha1: e258a06416634e80d13d2d90fc6f6cb9c54fafc5 2356 lynx_2.8.9dev11-1+deb9u1.dsc 021f65355146333d42590ae220a21927ca239f0d 2665470 lynx_2.8.9dev11.orig.tar.bz2 8715bcb6e89a20eeb7634d482537866d948c901f 28024 lynx_2.8.9dev11-1+deb9u1.debian.tar.xz ce085459c9254b2feaf877d16f7d18839b08ed1c 1097904 lynx-common_2.8.9dev11-1+deb9u1_all.deb 5fb7ee458df88b62b150cbbd6bca0ffb5acf8d61 239784 lynx-cur_2.8.9dev11-1+deb9u1_all.deb f80b37e88bd145f5be2c5efcaa783fc117f40e37 1550574 lynx-dbgsym_2.8.9dev11-1+deb9u1_amd64.deb 871dd70356ce5bf51c8cca8d3129591a9b50caf7 7829 lynx_2.8.9dev11-1+deb9u1_amd64.buildinfo c5df05ffa5b04cd58f64fa79499c4b4523319a63 631766 lynx_2.8.9dev11-1+deb9u1_amd64.deb Checksums-Sha256: e2ad6d55e77177b1d733219e9a5e313f9477d22acc15f3ba23db36c828c3cb0b 2356 lynx_2.8.9dev11-1+deb9u1.dsc 2a1092f2cde76f109e4f1df1760c1d2a8792ba7018ab7ff3cc2b01d14e0c15b3 2665470 lynx_2.8.9dev11.orig.tar.bz2 8d63f125c8720755a7bfe1e93637ff58ce829a5704a159c0ace0d8097b30c574 28024 lynx_2.8.9dev11-1+deb9u1.debian.tar.xz df4cdb30d3a63bb717f8c3564e354ca6a77aa05c8d0cc4af219e73ac88be984f 1097904 lynx-common_2.8.9dev11-1+deb9u1_all.deb eedccc53e0e6a6812735bd75e190e1c5faef2f47085f45378348901ea40849e8 239784 lynx-cur_2.8.9dev11-1+deb9u1_all.deb 160617e6de2f8f024e5ab871c6652c29983762e7de70be5e093dae6f2c9fb1bb 1550574 lynx-dbgsym_2.8.9dev11-1+deb9u1_amd64.deb adcdf6fdf7c0341c69142f53440be9b4c4d4fc6fddfc2e9e57d840d38d6baf4c 7829 lynx_2.8.9dev11-1+deb9u1_amd64.buildinfo 91705518e145bbb72b8a8b9372f1e6d6ff2471dfe8e6f40d6d041c2dda9025e5 631766 lynx_2.8.9dev11-1+deb9u1_amd64.deb Files: 4f5e2130e6ceb1360d8aa78bec23a666 2356 web optional lynx_2.8.9dev11-1+deb9u1.dsc cb40c1d3421a38f2fa4ab8665b892e3a 2665470 web optional lynx_2.8.9dev11.orig.tar.bz2 20dccd97943bd3a1158539450f30a2ea 28024 web optional lynx_2.8.9dev11-1+deb9u1.debian.tar.xz 937cc3aaa47f36d93ddf54c69357a02c 1097904 web optional lynx-common_2.8.9dev11-1+deb9u1_all.deb 2b5eacac579ef312ca8b867f48f2b0f2 239784 oldlibs extra lynx-cur_2.8.9dev11-1+deb9u1_all.deb 0cb1d7e0940092c50d8e8f72c81ca7e8 1550574 debug extra lynx-dbgsym_2.8.9dev11-1+deb9u1_amd64.deb ce1c16a7706ac34f24728bfd0675969c 7829 web optional lynx_2.8.9dev11-1+deb9u1_amd64.buildinfo 08579f1bea846c9f30dbecbb2aa142e2 631766 web optional lynx_2.8.9dev11-1+deb9u1_amd64.deb -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmERStkACgkQHpU+J9Qx Hlj9RQ//abgCJPxBJtHyGUVUXDVJQbD1azqr8vEi6sXRbIDG8p995Fw444uPIpxh WLfaY3evOebPUP4a1KOaqHOZm7qBjrk+buqjtnYgKc2r96E6CGCeHFxYlbq5xzUy uiODRcdMeZ3CGMfEcLSIMaEM6IV9Q0ymxL9OFxlD18jDrrfgq5mkELCQG5RCArZ0 ogx8jWLk/okDafRNmmBb34MTI51SIm6uxKBkl+dMmtCjpe/Dwc3aS5SDNmygd8bQ awQhbHgR84rgt7VNhJ3hfuD4YjSZx2PeyyXmxN8Tjho/mfchpPHxRyKzpczJsyFQ BEQmpriMvwNoFP7d3djMl4hC3X8JzEThlGCRUx6iTK+y9SKVCc8a5+OzVtIyopRV Im+5+GgBk2N0ETvlOeW4UOrYeiSNBfMmkjqXBdSgimpq0FKq5z3+irbIpwJbJq/E VkDkn02rlRyWdHfdkWsFmdUv44631YnhlH18H8dQa2QVXGgIE7u11JcyouSdh9Ai hkMZCudqXaq3A04Xc8oXG6lVqY/T64rcV/aasz3sFLoyakjawptvBpHaaktd65Mp 18FzWNvLjP8EWlDCB6UDXhMlwCY4b3sfbImd1Is5TQYwpiJmSVqYuITHAFno5WVU nmif1b592VovZbdXIJ5noflZC3sUJH/WOA5CmBOgtb4lWPHzlFw= =yyPR -END PGP SIGNATURE-
Re: always check and update (d|e)la-needed.txt (Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do))
On Mon, Aug 09, 2021 at 10:52:00AM +, Holger Levsen wrote: > Hi Roberto, > > On Mon, Aug 09, 2021 at 06:38:15AM -0400, Roberto C. Sánchez wrote: > > It was completely my fault. [...] > > Mistakes happen, thank you for owning yours! > > > The update to dla-needed.txt > > and ela-needed.txt did not even cross my mind. > > Mistakes happen. I'm just emphasizing "the wrongdoing" so everybody > learns and in future updating (d|e)la-ndeed.txt will be forgotten > less often! :) > I know I will be extra careful going forward. This especially as in the past I have been quick to become frustrated at others' mistakes. I appreciate the patience you and Emilio have shown toward me. It is very much appreciated. Regards, -Roberto -- Roberto C. Sánchez
[SECURITY] [DLA 2736-1] lynx security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian LTS Advisory DLA-2736-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Chris Lamb August 09, 2021 https://wiki.debian.org/LTS - - Package: lynx Version: 2.8.9dev11-1+deb9u1 CVE ID : CVE-2021-38165 Debian Bug : #991971 It was discovered that there was a remote authentication credential leak in the "lynx" text-based web browser. The package now correctly handles authentication subcomponents in URIs (eg. https://user:p...@example.com) to avoid remote attackers discovering cleartext credentials in SSL connection data. For Debian 9 "Stretch", this problem has been fixed in version 2.8.9dev11-1+deb9u1. We recommend that you upgrade your lynx packages. For the detailed security status of lynx please refer to its security tracker page at: https://security-tracker.debian.org/tracker/lynx Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmERSs4ACgkQHpU+J9Qx HlgucA//c7ki+LbLuP7LPja0/T1XRQjxPvAVvnHixMw+OY/r+FhuP3EsnGyooAVJ FDKQ8K3lynoOl15bedITEXfYZp3sg4l4mfOP3kF1OYaIow+ONuLjc2IhWNqUf6aD INZBav/Qlqkr5YA3Gn9xtoQyW12F4DkwsdnsoeT9d+O1XzOphMQi+3q5KurHTak8 7PRhbK5WchNfgTpiXA3u1cBUEJqdLh97kcDTTV6F+YNBJszYZSMqINXS9exdj1ud 51eRVHFsF4G8JDwZSf5+GQH6IGrc8usUPuH/YsDoaEhs8V5QSPP6R7TmPhHSSrOD p0VXWaVCYzw1PKHjgJhe2n04/T7Vywt/vt4JebJJ0P/o4BpZVbfb8QNeXtqbIaQ9 X/U9SrCd0N29reOk8b9G+VeEZhwe0zCBwTiZUFoTIV6LMXwLHPVYcY/1FXTnt5hu QX0MNm9k20heJ4YVFJmNi12mG5NE5vKEGOgplN3biiQEsofkIu4Hx5oXraGILN2e Nv1YLSKe1H12xzlJFExcGDbre1J4pssQjvyKPYVG8L9uYWX86vbTryVReeGMxq4j ROEjImDJBH1KtEoK9Bp36VjhD/AStzSii4kQ52LJ+CGrytO/Ft+rhxX3pzRyvpEY EfNSNzWKbWi4tNbkps6FawMUlVHXfQAxTURY3yJYozDVb/AXz8s= =ig9O -END PGP SIGNATURE-
always check and update (d|e)la-needed.txt (Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do))
Hi Roberto, On Mon, Aug 09, 2021 at 06:38:15AM -0400, Roberto C. Sánchez wrote: > It was completely my fault. [...] Mistakes happen, thank you for owning yours! > The update to dla-needed.txt > and ela-needed.txt did not even cross my mind. Mistakes happen. I'm just emphasizing "the wrongdoing" so everybody learns and in future updating (d|e)la-ndeed.txt will be forgotten less often! :) -- cheers, Holger ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C ⠈⠳⣄ The planet will be fine. We won't. signature.asc Description: PGP signature
Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
Am Montag, dem 09.08.2021 um 06:38 -0400 schrieb Roberto C. Sánchez: [...] > > It was completely my fault. According to Raphaël and Thorsten, Markus > was not responding to emails. I assumed that because Raphaël requested > someone get in touch with Thorsten, that I should simply contact > Thorsten, review the packages, and upload. The update to dla-needed.txt > and ela-needed.txt did not even cross my mind. My apologies if I have > over-stepped or caused problems with my oversight. Emilio has been taking care of openjdk-8 for several months now. You probably confused the two of us. Nobody contacted me in regard to openjdk-8. Regards, Markus signature.asc Description: This is a digitally signed message part
Accepted openjdk-8 8u302-b08-1~deb9u1 (source) into oldstable
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Fri, 30 Jul 2021 03:00:20 +0200 Source: openjdk-8 Binary: openjdk-8-jdk-headless openjdk-8-jre-headless openjdk-8-jdk openjdk-8-jre openjdk-8-demo openjdk-8-source openjdk-8-doc openjdk-8-dbg openjdk-8-jre-zero Architecture: source Version: 8u302-b08-1~deb9u1 Distribution: stretch-security Urgency: medium Maintainer: Java Maintenance Changed-By: Thorsten Glaser Description: openjdk-8-dbg - Java runtime based on OpenJDK (debugging symbols) openjdk-8-demo - Java runtime based on OpenJDK (demos and examples) openjdk-8-doc - OpenJDK Development Kit (JDK) documentation openjdk-8-jdk - OpenJDK Development Kit (JDK) openjdk-8-jdk-headless - OpenJDK Development Kit (JDK) (headless) openjdk-8-jre - OpenJDK Java runtime, using ${vm:Name} openjdk-8-jre-headless - OpenJDK Java runtime, using ${vm:Name} (headless) openjdk-8-jre-zero - Alternative JVM for OpenJDK, using Zero/Shark openjdk-8-source - OpenJDK Development Kit (JDK) source files Changes: openjdk-8 (8u302-b08-1~deb9u1) stretch-security; urgency=medium . * Non-maintainer upload by the LTS Team. * Provide builds for wheezy, jessie, stretch, buster, bullseye * Disable tests (debian/README.source documents why they fail) * Effort sponsored by ⮡ tarent Checksums-Sha1: 71e45932001a7548490f9afe2e92d84d8b9225a9 4489 openjdk-8_8u302-b08-1~deb9u1.dsc 40632d2996e4a148eb05da12b6edfd92ea686492 73568624 openjdk-8_8u302-b08.orig.tar.gz 5ab9803fa9dd8165c22c9f50671c4f29283e5d67 174244 openjdk-8_8u302-b08-1~deb9u1.debian.tar.xz 37663c72e921ed9b654adf280ddc8093f211e22d 17701 openjdk-8_8u302-b08-1~deb9u1_amd64.buildinfo Checksums-Sha256: c1f3816403dbecd8c689959d602c801f045141dc775dffd4f4c3108b363a5e4c 4489 openjdk-8_8u302-b08-1~deb9u1.dsc 204b1cd01aaf91345ae47e593115e7faa2cf285f0f0f137862440b70284631d8 73568624 openjdk-8_8u302-b08.orig.tar.gz 20df763e8b055779cb61cbe9d31ba2930f9031e7bd7abfd5b79f510e6bf41666 174244 openjdk-8_8u302-b08-1~deb9u1.debian.tar.xz 872210fb1a89c425184cabd3d6fa5965ca7fbd77e3719ab953f82f91a11f14e6 17701 openjdk-8_8u302-b08-1~deb9u1_amd64.buildinfo Files: 205dabb5c9b0311549cb8d2075cc0250 4489 java optional openjdk-8_8u302-b08-1~deb9u1.dsc 46d5821e1299c5770aa312c759405476 73568624 java optional openjdk-8_8u302-b08.orig.tar.gz dd3f9712e08138ab37ee53eb9878399f 174244 java optional openjdk-8_8u302-b08-1~deb9u1.debian.tar.xz 73e5fc8b397e7c92e9d0f18c08affb61 17701 java optional openjdk-8_8u302-b08-1~deb9u1_amd64.buildinfo -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEz9ERzDttUsU/BH8iLNd4Xt2nsg8FAmEQ824ACgkQLNd4Xt2n sg9zDA//avQB7+BO48fAcVcrmj/aHDAsIsBFa7wBrD5jr0kbSXZBe+wkLq/owg79 bDtjHjnJEoRKW9b+74/U/eIZnHpyYEab7ZTe2JTShSh3/i3ipYD555oBOsoAHDSv euSl8L86yhfxkfT96+BdZW4vSmKU8vLkbjSPMT94zk6dY7jfgQdMbWG32/egOqo7 RJ0jUoIgrP/GgLfjovIX0aadtMIkcJAwkDtQZFn9ImfBrqtS7uw35ImNNsrHlq1Y 0CkjJykoDhm5nc1f6INzwq1jE/cuxIUMmk/40T2GXx1P1a/SmVdybHeaok9H+uXc pSduAy+6UnxjNTES/bTf/uSI16O/xTtaRx/bFHLjk/L80rj3962aJlNt9mHBpjf7 OyH3BZTutXAZMyzmzEUEM4GcqSR+/kFim+Q8cjVp2+/CNMzp2YXL7IiD337A0rJ5 uV8dQOmUkeS1CpnDpUAMsKbrVLt8w3N6kaLFJOMevoyRdhkZ36hX3qXEzJsouOUl OXVjZ0nF9tRfzk0aHOLm0FKVEYH45UtWxX9IV47RQgSL8/1KAcqH4dh0OX+B+K8X neWJuwQFzj6WcToD2IF8ddU2DlE3EwxCeKxtsJ9myjiD6j7ISGK+ldxNVRVooE1t zH1dwheEJ54m5Dr67x8QW8CgKFYDZ8r7WaJk+Kv5tr+Lyvb4zPs= =qeKr -END PGP SIGNATURE-
Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
On Mon, Aug 09, 2021 at 10:32:54AM +, Holger Levsen wrote: > On Mon, Aug 09, 2021 at 06:20:43AM -0400, Roberto C. Sánchez wrote: > > On Mon, Aug 09, 2021 at 08:43:34AM +, Holger Levsen wrote: > > > today three packages were unclaimed for LTS: > > > - openjdk-8 (Emilio) > > > > > > and three for ELTS: > > > - openjdk-8 (Emilio) > > > On this past Friday, Raphaël put me in touch with Thorsten Glaser, who > > had already prepared openjdk-8 package for jessie and stretch. I > > reviewed and sponsored the upload, and the packages were literally in > > the process of uploading when I saw this message. I will publish the > > advisories in a few hours, after all the binary packages are built. > > I'm surprised you (nor anyone else) updated dla-needed.txt in the process. > any idea why not? > It was completely my fault. According to Raphaël and Thorsten, Markus was not responding to emails. I assumed that because Raphaël requested someone get in touch with Thorsten, that I should simply contact Thorsten, review the packages, and upload. The update to dla-needed.txt and ela-needed.txt did not even cross my mind. My apologies if I have over-stepped or caused problems with my oversight. Regards, -Roberto -- Roberto C. Sánchez
Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
On Mon, Aug 09, 2021 at 10:32:54AM +, Holger Levsen wrote: > On Mon, Aug 09, 2021 at 06:20:43AM -0400, Roberto C. Sánchez wrote: > > On Mon, Aug 09, 2021 at 08:43:34AM +, Holger Levsen wrote: > > > today three packages were unclaimed for LTS: > > > - openjdk-8 (Emilio) > > > > > > and three for ELTS: > > > - openjdk-8 (Emilio) > > > On this past Friday, Raphaël put me in touch with Thorsten Glaser, who > > had already prepared openjdk-8 package for jessie and stretch. I > > reviewed and sponsored the upload, and the packages were literally in > > the process of uploading when I saw this message. I will publish the > > advisories in a few hours, after all the binary packages are built. > I'm surprised you (nor anyone else) updated dla-needed.txt in the process. this also lead to more work wasted now: Markus just claimed openjdk-8 for stretch... -- cheers, Holger ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C ⠈⠳⣄ If you own several guns but no guitars, you are doing life all wrong. signature.asc Description: PGP signature
Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
On Mon, Aug 09, 2021 at 06:20:43AM -0400, Roberto C. Sánchez wrote: > On Mon, Aug 09, 2021 at 08:43:34AM +, Holger Levsen wrote: > > today three packages were unclaimed for LTS: > > - openjdk-8 (Emilio) > > > > and three for ELTS: > > - openjdk-8 (Emilio) > On this past Friday, Raphaël put me in touch with Thorsten Glaser, who > had already prepared openjdk-8 package for jessie and stretch. I > reviewed and sponsored the upload, and the packages were literally in > the process of uploading when I saw this message. I will publish the > advisories in a few hours, after all the binary packages are built. I'm surprised you (nor anyone else) updated dla-needed.txt in the process. any idea why not? -- cheers, Holger ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C ⠈⠳⣄ Our civilization is being sacrificed for the opportunity of a very small number of people to continue making enormous amounts of money... It is the sufferings of the many which pay for the luxuries of the few... You say you love your children above all else, and yet you are stealing their future in front of their very eyes... (Greta Thunberg) signature.asc Description: PGP signature
Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
On Mon, Aug 09, 2021 at 08:43:34AM +, Holger Levsen wrote: > hi, > > today three packages were unclaimed for LTS: > - nettle (Emilio) > - openjdk-8 (Emilio) > - pillow (codehelp) > > and three for ELTS: > - nettle (Emilio) > - openjdk-7 (Emilio) > - openjdk-8 (Emilio) > > Utkarsh probably claimed too many packages: > - amd64-microcode > - exiv2 > - ruby2.3 > - usermode > On this past Friday, Raphaël put me in touch with Thorsten Glaser, who had already prepared openjdk-8 package for jessie and stretch. I reviewed and sponsored the upload, and the packages were literally in the process of uploading when I saw this message. I will publish the advisories in a few hours, after all the binary packages are built. Regards, -Roberto -- Roberto C. Sánchez
(semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
hi, today three packages were unclaimed for LTS: - nettle (Emilio) - openjdk-8 (Emilio) - pillow (codehelp) and three for ELTS: - nettle (Emilio) - openjdk-7 (Emilio) - openjdk-8 (Emilio) Utkarsh probably claimed too many packages: - amd64-microcode - exiv2 - ruby2.3 - usermode One DLA which already has been reserved has not yet been published: - DLA 2733-1 (05 Aug 2021) (tomcat8) Have a good week! -- cheers, Holger --- holger@(debian|reproducible-builds|layer-acht).org PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C signature.asc Description: PGP signature