[SECURITY] [DLA 3817-1] thunderbird security update

2024-05-20 Thread Emilio Pozuelo Monfort

-
Debian LTS Advisory DLA-3817-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
May 20, 2024                                  https://wiki.debian.org/LTS
-

Package: thunderbird
Version: 1:115.11.0-1~deb10u1
CVE ID : CVE-2024-4367 CVE-2024-4767 CVE-2024-4768 CVE-2024-4769
 CVE-2024-4770 CVE-2024-4777

Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.

For Debian 10 buster, these problems have been fixed in version
1:115.11.0-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3815-1] firefox-esr security update

2024-05-16 Thread Emilio Pozuelo Monfort

-
Debian LTS Advisory DLA-3815-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
May 16, 2024                                  https://wiki.debian.org/LTS
-

Package: firefox-esr
Version: 115.11.0esr-1~deb10u1
CVE ID : CVE-2024-4367 CVE-2024-4767 CVE-2024-4768 CVE-2024-4769
 CVE-2024-4770 CVE-2024-4777

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or clickjacking.

For Debian 10 buster, these problems have been fixed in version
115.11.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3793-1] openjdk-11 security update

2024-04-22 Thread Emilio Pozuelo Monfort

-
Debian LTS Advisory DLA-3793-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
April 22, 2024                                https://wiki.debian.org/LTS
-

Package: openjdk-11
Version: 11.0.23+9-1~deb10u1
CVE ID : CVE-2024-21011 CVE-2024-21012 CVE-2024-21068 CVE-2024-21085
 CVE-2024-21094

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
which may result in denial of service or information disclosure.

For Debian 10 buster, these problems have been fixed in version
11.0.23+9-1~deb10u1.

We recommend that you upgrade your openjdk-11 packages.

For the detailed security status of openjdk-11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-11

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3791-1] thunderbird security update

2024-04-22 Thread Emilio Pozuelo Monfort

-
Debian LTS Advisory DLA-3791-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
April 22, 2024                                https://wiki.debian.org/LTS
-

Package: thunderbird
Version: 1:115.10.1-1~deb10u1
CVE ID : CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854
 CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3864

Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.

For Debian 10 buster, these problems have been fixed in version
1:115.10.1-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3790-1] firefox-esr security update

2024-04-19 Thread Emilio Pozuelo Monfort

-
Debian LTS Advisory DLA-3790-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
April 19, 2024                                https://wiki.debian.org/LTS
-

Package: firefox-esr
Version: 115.10.0esr-1~deb10u1
CVE ID : CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854
 CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3864

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or clickjacking.

For Debian 10 buster, these problems have been fixed in version
115.10.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3789-1] libdatetime-timezone-perl new timezone database

2024-04-18 Thread Emilio Pozuelo Monfort

-
Debian LTS Advisory DLA-3789-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
April 18, 2024                                https://wiki.debian.org/LTS
-

Package: libdatetime-timezone-perl
Version: 1:2.23-1+2024a

This update includes the changes in tzdata 2024a for the
Perl bindings. For the list of changes, see DLA-3789-1.

For Debian 10 buster, this problem has been fixed in version
1:2.23-1+2024a.

We recommend that you upgrade your libdatetime-timezone-perl packages.

For the detailed security status of libdatetime-timezone-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libdatetime-timezone-perl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3788-1] tzdata new timezone database

2024-04-18 Thread Emilio Pozuelo Monfort

-
Debian LTS Advisory DLA-3788-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
April 18, 2024                                https://wiki.debian.org/LTS
-

Package: tzdata
Version: 2024a-0+deb10u1

This update includes the changes in tzdata 2024a. Notable
changes are:

- Kazakhstan unifies on UTC+5 beginning 2024-03-01.
- Palestine springs forward a week later after Ramadan.

For Debian 10 buster, this problem has been fixed in version
2024a-0+deb10u1.

We recommend that you upgrade your tzdata packages.

For the detailed security status of tzdata please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tzdata

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Re: gtkwave update for {bookworm,bullseye,buster}-security

2024-04-04 Thread Emilio Pozuelo Monfort

On 29/03/2024 00:06, Adrian Bunk wrote:

> Hi,
>
> attached are proposed debdiffs for updating gtkwave to 3.3.118 in
> {bookworm,bullseye,buster}-security for review for a DSA
> (and as preview for buster).
>
> General notes:
>
> As suggested by the security team in #1060407, this is a backport of a
> new upstream version to fix the 82 CVEs.
>
> I checked a handful of CVEs, and they were also present in buster.
> If anyone insists that I check for every single CVE whether it is also
> in buster I can do that, but that would be a lot of work.
>
> As already mentioned in #1060407, the ghwdump tool (and manpage) was
> dropped in 3.3.110 from the upstream sources, and is now in ghdl-tools.
> For bullseye and buster it is therefore re-added.
>
> As mentioned in #1060407 there are different tarballs for GTK 2 and GTK 3.
> Looking closer I realized that this is actually one tarball that
> supports GTK 1+2, and one tarball that supports GTK 2+3.
> I did stay at the GTK 1+2 tarball that was already used before
> for bullseye and buster since there was anyway a different upstream
> tarball required for the +really version that is required to avoid
> creating file conflicts with ghwdump when upgrading to bookworm.
>
> What does the security team consider the best versioning for bullseye?
> In #1060407 I suggested 3.3.104+really3.3.118-0.1, but now I ended up
> preferring 3.3.104+really3.3.118-0+deb11u1


I saw this earlier but I couldn't think of a better versioning scheme, though 
this looked awkward. Now I have thought of a (possibly) better one, so I'm 
stating it here in case we find ourselves in a similar situation in the future 
and someone remembers this thread.


I would have gone with

  3.3.118-0.1~deb12u1
  3.3.118+gtk2-0+deb11u1
  3.3.118+gtk2-0+deb10u1

Similar to how we do +dfsg or +repack. The +really is usually used for going 
back without adding an epoch, but here we're going forward, so perhaps such a 
naming would have made more sense. It also makes it clearer why there's a 
different tarball.


Cheers,
Emilio
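
An added example, not code from the thread: a Python re-implementation of dpkg's version comparison (the verrevcmp() algorithm behind `dpkg --compare-versions`), used to check whether the per-suite versions proposed above give a monotonic buster < bullseye < bookworm upgrade path. The buster '+really' string is assumed by analogy with the bullseye one; every other version string is quoted from the thread.

```python
def _order(c):
    """Sort weight of one non-digit character, as in dpkg's order()."""
    if c == "~":
        return -1              # '~' sorts before anything, even end of string
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256        # '+', '.', etc. sort after all letters


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings like dpkg's verrevcmp()."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        # Non-digit runs are compared character by character; an exhausted
        # string counts as weight 0, so '~' loses to it and anything else wins.
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia]) if ia < len(a) else 0
            bc = _order(b[ib]) if ib < len(b) else 0
            if ac != bc:
                return ac - bc
            ia += 1
            ib += 1
        # Numeric runs are compared as numbers, ignoring leading zeros.
        while ia < len(a) and a[ia] == "0":
            ia += 1
        while ib < len(b) and b[ib] == "0":
            ib += 1
        while ia < len(a) and a[ia].isdigit() and ib < len(b) and b[ib].isdigit():
            if first_diff == 0:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if ia < len(a) and a[ia].isdigit():
            return 1           # a's number has more digits, so it is larger
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return <0, 0 or >0 as `dpkg --compare-versions` orders v1 against v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def upgrade_path_ok(versions_by_suite):
    """Return the suite transitions whose version would NOT upgrade (empty = OK).

    versions_by_suite is a list of (suite, version) ordered oldest to newest.
    """
    broken = []
    for (sa, va), (sb, vb) in zip(versions_by_suite, versions_by_suite[1:]):
        if compare_versions(va, vb) >= 0:
            broken.append(f"{sa} ({va}) -> {sb} ({vb})")
    return broken


# The two schemes discussed in the thread. The buster '+really' string is an
# assumption by analogy with the bullseye one; the rest are quoted above.
REALLY_SCHEME = [
    ("buster", "3.3.104+really3.3.118-0+deb10u1"),
    ("bullseye", "3.3.104+really3.3.118-0+deb11u1"),
    ("bookworm", "3.3.118-0.1~deb12u1"),
]
GTK2_SCHEME = [
    ("buster", "3.3.118+gtk2-0+deb10u1"),
    ("bullseye", "3.3.118+gtk2-0+deb11u1"),
    ("bookworm", "3.3.118-0.1~deb12u1"),
]

if __name__ == "__main__":
    for name, scheme in (("+really", REALLY_SCHEME), ("+gtk2", GTK2_SCHEME)):
        print(name, upgrade_path_ok(scheme) or "upgrade path is monotonic")
```

Because any '+suffix' sorts above the bare upstream version (the same property that makes +dfsg and +really work), the +gtk2 scheme leaves bullseye above bookworm's 3.3.118-0.1~deb12u1, whereas the +really scheme keeps the path monotonic.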



[SECURITY] [DLA 3775-1] firefox-esr security update

2024-03-25 Thread Emilio Pozuelo Monfort

-
Debian LTS Advisory DLA-3775-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
March 25, 2024                                https://wiki.debian.org/LTS
-

Package: firefox-esr
Version: 115.9.1esr-1~deb10u1
CVE ID : CVE-2023-5388 CVE-2024-0743 CVE-2024-2607 CVE-2024-2608
 CVE-2024-2610 CVE-2024-2611 CVE-2024-2612 CVE-2024-2614
 CVE-2024-2616 CVE-2024-29944

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or information disclosure, bypass of content security policies or
spoofing.

For Debian 10 buster, these problems have been fixed in version
115.9.1esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3769-1] thunderbird security update

2024-03-23 Thread Emilio Pozuelo Monfort

-
Debian LTS Advisory DLA-3769-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
March 23, 2024                                https://wiki.debian.org/LTS
-

Package: thunderbird
Version: 1:115.9.0-1~deb10u1
CVE ID : CVE-2023-5388 CVE-2024-0743 CVE-2024-1936 CVE-2024-2607
 CVE-2024-2608 CVE-2024-2610 CVE-2024-2611 CVE-2024-2612
 CVE-2024-2614 CVE-2024-2616

Multiple security issues were discovered in Thunderbird, which could
result in denial of service, the execution of arbitrary code or leaks
of encrypted email subjects.

For Debian 10 buster, these problems have been fixed in version
1:115.9.0-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Re: c-ares, CVE-2023-31147, CVE-2023-31124

2024-03-18 Thread Emilio Pozuelo Monfort

On 23/06/2023 10:21, Moritz Muehlenhoff wrote:

> But in fact the view in the Debian security is a little misleading, given
> that it displays "vulnerable" all over the place, e.g.
> https://security-tracker.debian.org/tracker/CVE-2023-31147
>
> It would be nice if for "unimportant" issues it would instead display
> "non issue/no impact" instead of "vulnerable".


See 
https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/167


Cheers,
Emilio



Re: Security releases for ecosystems that use static linking

2024-03-18 Thread Emilio Pozuelo Monfort

[ Adding debian-dak@ to Cc ]

On 22/12/2023 09:54, Moritz Muehlenhoff wrote:

> On Thu, Dec 21, 2023 at 07:30:51PM -0300, Santiago Ruano Rincón wrote:
>
>> So let me ask you: are you interested in addressing the infrastructure
>> limitations to handle those kinds of packages? and having some help for
>> that?
>
> Foremost this is an infrastructure limitation that needs to be resolved:
> security-master and ftp-master use separate dak installations, which makes
> binNMUs in the current form untenable since every package would need a
> sourceful upload first (the same reason why currently the first upload
> of a package to foo-security needs a sourceful upload).
>
> One solution which has been discussed in the past is to import a full copy
> of stable towards stable-security at the beginning of each release cycle,
> but that is currently not possible since security-master is a Ganeti VM
> and the disk requirements for a full archive copy would rather require
> a baremetal host.


What if the overrides list was updated regularly but the sources were only 
imported on-demand? e.g. upon a new upload

- trigger override update from ftp-master
- if upload is sourceless and source is not present:
  - try to import source from ftp-master

This would also solve the current problem that an update on security-master may 
have the same version but different orig tarball than the one on ftp-master.


Thoughts?

Cheers,
Emilio



Re: Guidance for CVE triage and listing packages in dla-needed.txt

2024-03-18 Thread Emilio Pozuelo Monfort

On 14/03/2024 21:36, Roberto C. Sánchez wrote:

> - if a CVE is 'fixed' in LTS but 'ignored' in (old)stable, then the
>   security team should be contacted to see if they would be willing to
>   change to 'no-dsa' so that a point release fix can be made


Small nitpick: a CVE 'ignored' for (old)stable can still be fixed via point 
release. The sec-team could be contacted to update that triaging, but that's 
only ignored for (old)stable-security, not for (old)stable, where other criteria 
apply. The reason following the ignored triaging may give some more insight as 
to why it was ignored and why it may or may not make sense to fix in a point 
release.


Cheers,
Emilio



[SECURITY] [DLA 3748-1] thunderbird security update

2024-03-03 Thread Emilio Pozuelo Monfort

-
Debian LTS Advisory DLA-3748-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
March 04, 2024                                https://wiki.debian.org/LTS
-

Package: thunderbird
Version: 1:115.8.0-1~deb10u1
CVE ID : CVE-2024-1546 CVE-2024-1547 CVE-2024-1548 CVE-2024-1549
 CVE-2024-1550 CVE-2024-1551 CVE-2024-1552 CVE-2024-1553

Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.

For Debian 10 buster, these problems have been fixed in version
1:115.8.0-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3747-1] firefox-esr security update

2024-03-03 Thread Emilio Pozuelo Monfort

-
Debian LTS Advisory DLA-3747-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
March 04, 2024                                https://wiki.debian.org/LTS
-

Package: firefox-esr
Version: 115.8.0esr-1~deb10u1
CVE ID : CVE-2024-1546 CVE-2024-1547 CVE-2024-1548 CVE-2024-1549
 CVE-2024-1550 CVE-2024-1551 CVE-2024-1552 CVE-2024-1553

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, information disclosure or spoofing.

For Debian 10 buster, these problems have been fixed in version
115.8.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Re: [SECURITY] [DLA 3735-1] runc security update

2024-02-19 Thread Emilio Pozuelo Monfort

Hi,

On 19/02/2024 07:11, Salvatore Bonaccorso wrote:

> Hi,
>
> On Mon, Feb 19, 2024 at 03:28:00AM +0100, Daniel Leidert wrote:
>
>> -
>> Debian LTS Advisory DLA-3735-1                debian-lts@lists.debian.org
>> https://www.debian.org/lts/security/          Daniel Leidert
>> February 19, 2024                             https://wiki.debian.org/LTS
>> -
>>
>> Package: runc
>> Version: 1.0.0~rc6+dfsg1-3+deb10u3
>> CVE ID : CVE-2021-43784 CVE-2024-21626
>> Debian Bug :
>>
>> runc is a command line client for running applications packaged according
>> to the Open Container Format (OCF) and is a compliant implementation of
>> the Open Container Project specification.
>>
>> CVE-2021-43784
>>
>> A flaw has been detected that may lead to a possible length field
>> overflow, allowing user-controlled data to be parsed as control
>> characters.
>>
>> CVE-2024-21626
>>
>> A flaw has been detected which allows several container breakouts
>> due to internally leaked file descriptors. The patch includes fixes
>> and hardening measurements against these types of issues/attacks.
>>
>> For Debian 10 buster, these problems have been fixed in version
>> 1.0.0~rc6+dfsg1-3+deb10u3.
>
> The DLA reservation for this update in data/DLA/list seems missing,
> can you push the changes there? Otherwise there is potential that
> there will be a duplicate DLA assignment apart that as well the
> tracker will not show up correctly the fixing information.


I have added it to avoid the conflict if somebody reserved a DLA as they would 
have gotten the same number.


Cheers,
Emilio



[SECURITY] [DLA 3728-1] openjdk-11 security update

2024-01-31 Thread Emilio Pozuelo Monfort

-
Debian LTS Advisory DLA-3728-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
January 31, 2024                              https://wiki.debian.org/LTS
-

Package: openjdk-11
Version: 11.0.22+7-1~deb10u1
CVE ID : CVE-2024-20918 CVE-2024-20919 CVE-2024-20921 CVE-2024-20926
 CVE-2024-20945 CVE-2024-20952

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
which may result in side channel attacks, leaking sensitive data to log
files, denial of service or bypass of sandbox restrictions.

For Debian 10 buster, these problems have been fixed in version
11.0.22+7-1~deb10u1.

We recommend that you upgrade your openjdk-11 packages.

For the detailed security status of openjdk-11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-11

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3727-1] firefox-esr security update

2024-01-31 Thread Emilio Pozuelo Monfort

-
Debian LTS Advisory DLA-3727-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
January 31, 2024                              https://wiki.debian.org/LTS
-

Package: firefox-esr
Version: 115.7.0esr-1~deb10u1
CVE ID : CVE-2024-0741 CVE-2024-0742 CVE-2024-0746 CVE-2024-0747
 CVE-2024-0749 CVE-2024-0750 CVE-2024-0751 CVE-2024-0753
 CVE-2024-0755

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, phishing, clickjacking, privilege escalation, HSTS bypass or
bypass of content security policies.

For Debian 10 buster, these problems have been fixed in version
115.7.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3720-1] thunderbird security update

2024-01-25 Thread Emilio Pozuelo Monfort

-
Debian LTS Advisory DLA-3720-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
January 25, 2024                              https://wiki.debian.org/LTS
-

Package: thunderbird
Version: 1:115.7.0-1~deb10u1
CVE ID : CVE-2024-0741 CVE-2024-0742 CVE-2024-0746 CVE-2024-0747
 CVE-2024-0749 CVE-2024-0750 CVE-2024-0751 CVE-2024-0753
 CVE-2024-0755

Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.

For Debian 10 buster, these problems have been fixed in version
1:115.7.0-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3698-1] thunderbird security update

2023-12-29 Thread Emilio Pozuelo Monfort

-
Debian LTS Advisory DLA-3698-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
December 29, 2023                             https://wiki.debian.org/LTS
-

Package: thunderbird
Version: 1:115.6.0-1~deb10u1
CVE ID : CVE-2023-6856 CVE-2023-6857 CVE-2023-6858 CVE-2023-6859
 CVE-2023-6860 CVE-2023-6861 CVE-2023-6862 CVE-2023-6864
 CVE-2023-6873 CVE-2023-50761 CVE-2023-50762

Multiple security issues were discovered in Thunderbird, which could
result in denial of service, the execution of arbitrary code or spoofing
of signed PGP/MIME and SMIME emails.

For Debian 10 buster, these problems have been fixed in version
1:115.6.0-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3697-1] firefox-esr security update

2023-12-29 Thread Emilio Pozuelo Monfort

-
Debian LTS Advisory DLA-3697-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
December 29, 2023                             https://wiki.debian.org/LTS
-

Package: firefox-esr
Version: 115.6.0esr-1~deb10u1
CVE ID : CVE-2023-6856 CVE-2023-6857 CVE-2023-6858 CVE-2023-6859
 CVE-2023-6860 CVE-2023-6861 CVE-2023-6862 CVE-2023-6863
 CVE-2023-6864 CVE-2023-6865 CVE-2023-6867

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, sandbox escape or clickjacking.

For Debian 10 buster, these problems have been fixed in version
115.6.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3684-1] tzdata new timezone database

2023-12-07 Thread Emilio Pozuelo Monfort

-
Debian LTS Advisory DLA-3684-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
December 07, 2023                             https://wiki.debian.org/LTS
-

Package: tzdata
Version: 2021a-0+deb10u12
Debian Bug : 1036104 1057185 1057186

This update includes the latest changes to the leap second list,
including an update to its expiry date, which was set for the end of
December.

For Debian 10 buster, this problem has been fixed in version
2021a-0+deb10u12.

We recommend that you upgrade your tzdata packages.

For the detailed security status of tzdata please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tzdata

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3674-1] thunderbird security update

2023-11-30 Thread Emilio Pozuelo Monfort

-
Debian LTS Advisory DLA-3674-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
November 30, 2023                             https://wiki.debian.org/LTS
-

Package: thunderbird
Version: 1:115.5.0-1~deb10u1
CVE ID : CVE-2023-6204 CVE-2023-6205 CVE-2023-6206 CVE-2023-6207
 CVE-2023-6208 CVE-2023-6209 CVE-2023-6212

Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.

For Debian 10 buster, these problems have been fixed in version
1:115.5.0-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Re: tinymce git repository

2023-11-30 Thread Emilio Pozuelo Monfort

On 30/11/2023 09:29, Sean Whitton wrote:

Hello Anton,

Ola added tinymce to dla-needed.txt.

I found .

Could you let me know why the repository was archived?


It's an empty repository, with no upstream sources or anything else. We decided 
to remove those so that one can use and/or fork the main repository[1], which 
would be preferred instead of having a completely disconnected repository with 
no git history.


Cheers,
Emilio

[1] https://salsa.debian.org/debian/tinymce



Policy queue in buster-security

2023-11-28 Thread Emilio Pozuelo Monfort

Hi,

We're in the process of setting up a policy queue for buster-security. That 
means that uploads to buster-security will end up in the policy queue, and get 
built there. Once things are ready (builds have happened, tests have been done, 
etc) the update can be released to buster-security and the DLA can be sent out.


The benefits of doing this are that builds will happen before the actual 
security update is out, which will help in case a build failure is encountered. 
autopkgtests on rdeps will also be run (this still needs to be set up after the 
queue is enabled), so that if you are uploading a library, you can see if the 
autopkgtests for rdeps still pass before the security update is actually out.


In order to release (or reject) an update from the policy queue, a GPG-signed 
command needs to be sent to security-master. However to simplify that, Helmut 
has written a dcut plugin for dput-ng. I'll let him post that. Once that plugin 
is fully stable, the plan is to get it into dput-ng and then backport it as needed.


I'll send more updates as the queue is set up, which may take some time as it 
needs coordination from various teams.


Cheers,
Emilio



[SECURITY] [DLA 3661-1] firefox-esr security update

2023-11-23 Thread Emilio Pozuelo Monfort
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3661-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
November 23, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : firefox-esr
Version        : 115.5.0esr-1~deb10u1
CVE ID         : CVE-2023-6204 CVE-2023-6205 CVE-2023-6206 CVE-2023-6207
                 CVE-2023-6208 CVE-2023-6209 CVE-2023-6212

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, information leaks or clickjacking.

For Debian 10 buster, these problems have been fixed in version
115.5.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3653-1] libclamunrar security update

2023-11-15 Thread Emilio Pozuelo Monfort
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3653-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
November 15, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libclamunrar
Version        : 0.103.10-0+deb10u1
CVE ID         : CVE-2023-40477

A buffer overflow was found in the RAR code used by libclamunrar, which
could result in arbitrary code execution when processing malicious RAR
archives.

For Debian 10 buster, this problem has been fixed in version
0.103.10-0+deb10u1.

We recommend that you upgrade your libclamunrar packages.

For the detailed security status of libclamunrar please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libclamunrar

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Re: Question about the status of libclamunrar9/libclamunrar and CVE-2023-40477 in debian buster aka oldoldstable

2023-11-14 Thread Emilio Pozuelo Monfort

On 13/11/2023 21:29, Markus Koschany wrote:

Hi,


Is there any chance that the patched version (0.103.10) will be back-
ported from bullseye?


Thanks for the heads-up. We will update clamav in Buster to 0.103.10 as well to
include the patches for libclamunrar.


clamav is unaffected in Debian as libclamunrar code is removed and split into 
src:libclamunrar (non-free).


I'll update the package in dla-needed to reflect this.

Cheers,
Emilio



[SECURITY] [DLA 3651-1] postgresql-11 security update

2023-11-14 Thread Emilio Pozuelo Monfort
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3651-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
November 14, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : postgresql-11
Version        : 11.22-0+deb10u1
CVE ID         : CVE-2023-5868 CVE-2023-5869 CVE-2023-5870

Several vulnerabilities have been discovered in the PostgreSQL
database system.

CVE-2023-5868

Jingzhou Fu discovered a memory disclosure flaw in aggregate
function calls.

CVE-2023-5869

Pedro Gallegos reported integer overflow flaws resulting in buffer
overflows in the array modification functions.

CVE-2023-5870

Hemanth Sandrana and Mahendrakar Srinivasarao reported that the
pg_cancel_backend role can signal certain superuser processes,
potentially resulting in denial of service.

For Debian 10 buster, these problems have been fixed in version
11.22-0+deb10u1.

We recommend that you upgrade your postgresql-11 packages.

For the detailed security status of postgresql-11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgresql-11

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3637-1] thunderbird security update

2023-10-29 Thread Emilio Pozuelo Monfort
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3637-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
October 29, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : thunderbird
Version        : 1:115.4.1-1~deb10u1
CVE ID         : CVE-2023-5721 CVE-2023-5724 CVE-2023-5725 CVE-2023-5728
                 CVE-2023-5730 CVE-2023-5732

Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.

For Debian 10 buster, these problems have been fixed in version
1:115.4.1-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3636-1] openjdk-11 security update

2023-10-29 Thread Emilio Pozuelo Monfort
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3636-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
October 29, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : openjdk-11
Version        : 11.0.21+9-1~deb10u1
CVE ID         : CVE-2023-22081

A vulnerability has been found in the OpenJDK Java runtime, which may
result in denial of service.

For Debian 10 buster, this problem has been fixed in version
11.0.21+9-1~deb10u1.

We recommend that you upgrade your openjdk-11 packages.

For the detailed security status of openjdk-11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-11

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3632-1] firefox-esr security update

2023-10-27 Thread Emilio Pozuelo Monfort
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3632-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
October 27, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : firefox-esr
Version        : 115.4.0esr-1~deb10u1
CVE ID         : CVE-2023-5721 CVE-2023-5724 CVE-2023-5725 CVE-2023-5728
                 CVE-2023-5730 CVE-2023-5732

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, clickjacking, spoofing or information leaks.

For Debian 10 buster, these problems have been fixed in version
115.4.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3628-1] dbus security update

2023-10-23 Thread Emilio Pozuelo Monfort
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3628-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
October 23, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : dbus
Version        : 1.12.28-0+deb10u1
CVE ID         : CVE-2023-34969

It was found that D-Bus, a simple interprocess messaging system, was
susceptible to a denial of service vulnerability if a monitor was being
run.

For Debian 10 buster, this problem has been fixed in version
1.12.28-0+deb10u1.

We recommend that you upgrade your dbus packages.

For the detailed security status of dbus please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dbus

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3613-1] curl security update

2023-10-11 Thread Emilio Pozuelo Monfort
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3613-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
October 11, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : curl
Version        : 7.64.0-4+deb10u7
CVE ID         : CVE-2023-28321 CVE-2023-38546

Two security issues were found in Curl, an easy-to-use client-side URL
transfer library and command line tool.

CVE-2023-28321

Hiroki Kurosawa found that curl could mismatch hostnames with
wildcards when using its own name matching function.

CVE-2023-38546

It was discovered that under some circumstances libcurl was
susceptible to cookie injection.

For Debian 10 buster, these problems have been fixed in version
7.64.0-4+deb10u7.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
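
The advisory above says only that curl's own name-matching function could mismatch hostnames against wildcard certificate names; it does not describe the defect, and nothing below claims to. What follows is an added example, not curl's code and not part of the advisory: a wildcard matcher written to the RFC 6125 section 6.4.3 rules a TLS client is expected to enforce, with two stricter policy choices of mine (the wildcard must be the whole left-most label, and at least two labels must remain to its right). The rule that matters for punycoded IDN hostnames is the refusal to wildcard-match an A-label (a label beginning with xn--). All hostnames and SAN lists in the code are constructed.

```python
"""Certificate hostname matching with RFC 6125 s6.4.3 wildcard rules.

Added example; this is not curl's implementation. Inputs are constructed.
"""
import ipaddress


def _labels(name: str):
    """Lower-case, drop one trailing dot, split into DNS labels; None if malformed."""
    labels = name.rstrip('.').lower().split('.')
    if any(not label for label in labels):
        return None                      # empty label: '', '.example', 'a..b'
    return labels


def hostname_matches(pattern: str, host: str) -> bool:
    """Does the certificate name `pattern` cover the reference identifier `host`?

    Rules (RFC 6125 s6.4.3, plus two stricter policy choices marked *):
      - IP-address hosts never match a wildcard; they must compare equal.
      - Comparison is case-insensitive and label by label.
      - '*' may appear only in the left-most label, and only as the whole
        label (*; RFC 6125 merely permits partial wildcards such as 'baz*').
      - '*' matches exactly one label: '*.example.com' covers
        'foo.example.com' but not 'bar.foo.example.com' or 'example.com'.
      - '*' is never matched against an A-label (a label starting with
        'xn--'), so a punycoded IDN host needs an exact name in the cert.
      - At least two labels must remain right of the wildcard ('*.com' is
        refused) (*).
    """
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        # IP literal: wildcards never apply, the SAN must be the same address.
        return '*' not in pattern and pattern.lower() == host.lower()

    p_labels = _labels(pattern)
    h_labels = _labels(host)
    if p_labels is None or h_labels is None:
        return False

    if '*' not in pattern:
        return p_labels == h_labels      # plain name: exact, case-insensitive

    if pattern.count('*') != 1 or p_labels[0] != '*':
        return False                     # wildcard must be the entire left-most label
    if len(p_labels) < 3:
        return False                     # '*.com' would cover a whole TLD
    if len(h_labels) != len(p_labels):
        return False                     # '*' stands for exactly one label
    if h_labels[0].startswith('xn--'):
        return False                     # never wildcard-match an A-label
    return h_labels[1:] == p_labels[1:]


def check_san_list(sans, host: str) -> bool:
    """True if any dNSName/iPAddress SAN entry in `sans` covers `host`."""
    return any(hostname_matches(san, host) for san in sans)


if __name__ == '__main__':
    # Constructed SAN list and hosts that exercise each rule above.
    sans = ['*.example.com', 'www.example.net', '192.0.2.10']
    for host in ['foo.example.com', 'FOO.Example.COM.', 'bar.foo.example.com',
                 'example.com', 'xn--bcher-kva.example.com', '192.0.2.10',
                 '192.0.2.11']:
        print(f'{host:30} -> {check_san_list(sans, host)}')
```

Partial wildcards such as x*.example.com are the place where a literal prefix can accidentally line up with the xn-- prefix of an A-label; this matcher rejects partial wildcards outright and additionally refuses even a whole-label wildcard against an A-label, which is the conservative reading of RFC 6125.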



[SECURITY] [DLA 3601-1] thunderbird security update

2023-10-09 Thread Emilio Pozuelo Monfort
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3601-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
October 05, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : thunderbird
Version        : 1:115.3.1-1~deb10u1
CVE ID         : CVE-2023-5169 CVE-2023-5171 CVE-2023-5176 CVE-2023-5217

Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.

Debian follows the Thunderbird upstream releases. Support for the
102.x series has ended, so starting with this update we're now
following the 115.x series.

For Debian 10 buster, these problems have been fixed in version
1:115.3.1-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3603-1] libxpm security update

2023-10-05 Thread Emilio Pozuelo Monfort
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3603-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
October 05, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libxpm
Version        : 1:3.5.12-1+deb10u2
CVE ID         : CVE-2023-43786 CVE-2023-43787 CVE-2023-43788 CVE-2023-43789

Several vulnerabilities were found in libXpm, the X Pixmap (XPM) image
library.

CVE-2023-43786

Yair Mizrahi discovered an infinite recursion issue when parsing
crafted XPM files, which would result in denial of service.

CVE-2023-43787

Yair Mizrahi discovered a buffer overflow vulnerability in libX11
when parsing crafted XPM files, which could result in denial of
service or potentially the execution of arbitrary code.

CVE-2023-43788

Alan Coopersmith found an out of bounds read in
XpmCreateXpmImageFromBuffer, which could result in denial of
service when parsing crafted XPM files.

CVE-2023-43789

Alan Coopersmith discovered an out of bounds read issue when
parsing corrupted colormaps, which could lead to denial of
service when parsing crafted XPM files.

For Debian 10 buster, these problems have been fixed in version
1:3.5.12-1+deb10u2.

We recommend that you upgrade your libxpm packages.

For the detailed security status of libxpm please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxpm

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3602-1] libx11 security update

2023-10-05 Thread Emilio Pozuelo Monfort
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3602-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
October 05, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libx11
Version        : 2:1.6.7-1+deb10u4
CVE ID         : CVE-2023-43785 CVE-2023-43786 CVE-2023-43787

Several vulnerabilities were found in libx11, the X11 client-side
library.

CVE-2023-43785

Gregory James Duck discovered an out of bounds memory access in
_XkbReadKeySyms, which could result in denial of service.

CVE-2023-43786

Yair Mizrahi found an infinite recursion in PutSubImage when
parsing a crafted file, which would result in stack exhaustion
and denial of service.

CVE-2023-43787

Yair Mizrahi discovered an integer overflow in XCreateImage
when parsing crafted input, which would result in a small buffer
allocation leading into a buffer overflow. This could result
in denial of service or potentially in arbitrary code execution.

For Debian 10 buster, these problems have been fixed in version
2:1.6.7-1+deb10u4.

We recommend that you upgrade your libx11 packages.

For the detailed security status of libx11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libx11

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Re: Accepted libyang 0.16.105+really1.0-0+deb10u1 (source) into oldoldstable

2023-10-05 Thread Emilio Pozuelo Monfort

On 27/09/2023 13:58, Markus Koschany wrote:


Let me know if you want me to take care of the above.


Feel free to take care of it.


Done, libyang 1.0.225 uploaded and built, and frr rebuilt against it. I tested 
various upgrades and it all seems fine.


Cheers,
Emilio



Re: samba status update

2023-10-04 Thread Emilio Pozuelo Monfort

Hi Lee,

On 22/08/2023 13:10, Lee Garrett wrote:

==
(samba) functional test framework
==

In the context of the July 2023 Windows update that broke samba running as an AD 
DC [3] it became clear to me that the unit tests in the autopkgtest suite are 
not sufficient to check the functionality of the samba release in a Windows 
environment.


As such I spent some time building a framework that automates:
- bootstrapping a buster VM
- bootstrapping a Windows 11 VM
- provisioning samba in various configurations
- making the Windows 11 VM interact with samba in various ways

On a technical level, it uses Ansible to drive all those steps, allowing it to 
be fully automated. kvm/libvirt is used for virtualization, as there is already 
a fairly well supported inventory plugin for it in Ansible, as well as various 
modules that allow provisioning of VMs via guest agents. The buster VM is 
bootstrapped via vmdb2 (though this step may be replaced by an alternative in 
the future). The Windows 11 VM is bootstrapped by downloading the Win11 trial 
VMware image, and converting it to a libvirt compatible image via virt-v2v. 
rhsrvany is used to inject the guest agent and spice agent to provide it at 
first boot. rhsrvany was packaged for Debian in the process [4].


Sorry if I missed it, but do you have a link for this framework?

Cheers,
Emilio



[SECURITY] [DLA 3598-1] libvpx security update

2023-10-01 Thread Emilio Pozuelo Monfort
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3598-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
October 01, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libvpx
Version        : 1.7.0-3+deb10u2
CVE ID         : CVE-2023-5217 CVE-2023-44488

Two buffer overflow vulnerabilities were found in libvpx, a multimedia
library for the VP8 and VP9 video codecs, which could result in the
execution of arbitrary code if a specially crafted VP8 or VP9 media
stream is processed.

For Debian 10 buster, these problems have been fixed in version
1.7.0-3+deb10u2.

We recommend that you upgrade your libvpx packages.

For the detailed security status of libvpx please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libvpx

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3591-1] firefox-esr security update

2023-09-30 Thread Emilio Pozuelo Monfort
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3591-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
September 30, 2023                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : firefox-esr
Version        : 115.3.1esr-1~deb10u1
CVE ID         : CVE-2023-5217

A buffer overflow in VP8 media stream processing has been found in the
Mozilla Firefox web browser, which could potentially result in the
execution of arbitrary code.

For Debian 10 buster, this problem has been fixed in version
115.3.1esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3587-1] firefox-esr security update

2023-09-29 Thread Emilio Pozuelo Monfort
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3587-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
September 29, 2023                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : firefox-esr
Version        : 115.3.0esr-1~deb10u1
CVE ID         : CVE-2023-5169 CVE-2023-5171 CVE-2023-5176

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code.

Debian follows the extended support releases (ESR) of Firefox. Support
for the 102.x series has ended, so starting with this update we're now
following the 115.x releases.

Between 102.x and 115.x, Firefox has seen a number of feature updates.
For more information please refer to
https://www.mozilla.org/en-US/firefox/115.0esr/releasenotes/

For Debian 10 buster, these problems have been fixed in version
115.3.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Re: Accepted libyang 0.16.105+really1.0-0+deb10u1 (source) into oldoldstable

2023-09-27 Thread Emilio Pozuelo Monfort

Hi,

On 20/09/2023 15:22, Markus Koschany wrote:

Hello,

Am Mittwoch, dem 20.09.2023 um 10:17 +0200 schrieb Emilio Pozuelo Monfort:



I'm unsure about the version here. I see buster/bullseye have:

libyang | 0.16.105-1+deb10u1 | oldoldstable | source
libyang | 1.0.225-1.1        | oldstable    | source

So if you backported bullseye's version, there would be no need for a +really
version afaics. Usually the +really hack is used when going backwards, not
forwards. It could have just been 1.0.225-1.1~deb10u1, couldn't it?

Also I'm confused about 0.16.105+really1.0-0+deb10u1. Is it 1.0 or 1.0.225
like
in bullseye?


The version of libyang in Buster is code-wise identical to the version in
Bullseye now. The major difference is that I did not bump the ABI version to
1.0 which is usually reflected by renaming the binary packages. I did that to
avoid a delay in the NEW queue and I wanted to keep the current packaging
layout.


Hmm, so upon closer inspection, that new version ships libyang0.16 but it 
contains libyang.so.1. That's bad as it defeats the purpose of versioned library 
packages. For one it breaks all libyang0.16 users, whether in the archive or 
outside of it. I don't think avoiding a trip through NEW should cause this. 
Usually NEW is not a problem for security uploads.



Also upgrades to Bullseye still should work as expected.


That's not true, as now bullseye's libyang1 ships files that are in buster's 
libyang0.16, but without proper breaks/replaces. Obviously the fix for that is 
not to add breaks/replaces to libyang1's, but to fix the buster package. See 
this quick test in a clean buster chroot:


apt update
apt install libyang0.16 libyang-dev
echo "deb http://deb.debian.org/debian/ bullseye main" > /etc/apt/sources.list
apt update
apt dist-upgrade
[...]
dpkg: error processing archive /tmp/apt-dpkg-install-tQ319q/20-libyang1_1.0.225-1.1_amd64.deb (--unpack):
 trying to overwrite '/usr/lib/x86_64-linux-gnu/libyang.so.1.10.17', which is also in package libyang0.16 0.16.105+really1.0-0+deb10u1




The version in
Bullseye breaks against all versions of yang-tools << ${source:Version}. If the
version were 1.0.225-1.1~deb10u1 then this would not have worked anymore and
the upgrade fails.


I don't think that matters, because those breaks are in the new libyang-tools 
package, which break/replace the old yang-tools package. It's a package rename, 
but it comes with a transitional yang-tools package, which pulls the 
libyang-tools package. Thus the upgrade should have been clean, only that a user 
that had yang-tools would end up with libyang-tools plus an empty transitional 
package yang-tools, just like in a buster->bullseye upgrade.



Thus +really1.0 appeared to be the logical solution for all
these problems and just indicates that the new version is part of the 1.x
branch with its new ABI. Besides frr was the only reverse-dependency, so I
could rule out a negative impact on unrelated packages.


I think the way to clean this up is to switch to the bullseye packaging and move 
to 1.0.225-1.1~deb10u1. libyang1 will need to gain extra breaks/replaces for the 
file conflict, and thus with this fixed in buster, the upgrade to bullseye 
should be clean.


Let me know if you want me to take care of the above.

Cheers,
Emilio



Re: Accepted libyang 0.16.105+really1.0-0+deb10u1 (source) into oldoldstable

2023-09-20 Thread Emilio Pozuelo Monfort

Hi,

On 19/09/2023 19:00, Debian FTP Masters wrote:

Format: 1.8
Date: Tue, 19 Sep 2023 18:39:19 CEST
Source: libyang
Architecture: source
Version: 0.16.105+really1.0-0+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: David Lamparter 
Changed-By: Markus Koschany 
Checksums-Sha1:
 fa498e1692e7f2321b3608abd077622f4546dd54 2513 libyang_0.16.105+really1.0-0+deb10u1.dsc
 60bcf84282cc042f395c072ffc63c59690485ef3 1667054 libyang_0.16.105+really1.0.orig.tar.gz
 7277f9d81b38c055b8be848d0ef0c7ac6f713f19 11608 libyang_0.16.105+really1.0-0+deb10u1.debian.tar.xz
 05dae28f20187b13e53b71268fde017406a071c2 9524 libyang_0.16.105+really1.0-0+deb10u1_amd64.buildinfo
Checksums-Sha256:
 28c671651812dcf5998d3ba728f85cea7b5f45a2cb2085b4ae86b63df4b7205f 2513 libyang_0.16.105+really1.0-0+deb10u1.dsc
 1b736443d2c69b5d7a71ac412655e6edab0647b18f35f7bf504b0a24e06cb046 1667054 libyang_0.16.105+really1.0.orig.tar.gz
 ba734d90e3400959ed42abfa0b422cba36f70ca4a0fc4316ba345a15d1c67074 11608 libyang_0.16.105+really1.0-0+deb10u1.debian.tar.xz
 7ea6fb5ed4e2878186ab2471adbe5062ec40007bed03a30643260685f1d3668f 9524 libyang_0.16.105+really1.0-0+deb10u1_amd64.buildinfo
Changes:
  libyang (0.16.105+really1.0-0+deb10u1) buster-security; urgency=high
  .
* Non-maintainer upload by the LTS team.
* Backport Bullseye version of libyang to facilitate security update of frr.


I'm unsure about the version here. I see buster/bullseye have:

libyang | 0.16.105-1+deb10u1 | oldoldstable | source
libyang | 1.0.225-1.1        | oldstable    | source

So if you backported bullseye's version, there would be no need for a +really 
version afaics. Usually the +really hack is used when going backwards, not 
forwards. It could have just been 1.0.225-1.1~deb10u1, couldn't it?


Also I'm confused about 0.16.105+really1.0-0+deb10u1. Is it 1.0 or 1.0.225 like 
in bullseye?


Cheers,
Emilio
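
An added example for the version-ordering question raised in this message and in the follow-up earlier on this page (how 0.16.105+really1.0-0+deb10u1 and the suggested 1.0.225-1.1~deb10u1 sort against buster's 0.16.105-1+deb10u1 and bullseye's 1.0.225-1.1): a Python reimplementation of dpkg's version comparison as specified in deb-version(7). This is not code from the thread or from dpkg itself. The version strings are the ones quoted in the thread; the names `upgrade_is_monotonic` and `BUSTER_*`/`BULLSEYE` are mine.

```python
"""Debian version comparison, reimplementing dpkg's verrevcmp() per deb-version(7).

Added example; not dpkg code. Version strings are those quoted in the thread.
"""
import re

_NONDIGITS = re.compile(r'\D*')
_DIGITS = re.compile(r'\d*')


def _order(c: str) -> int:
    # dpkg's order(): '~' sorts before everything, even the end of the string;
    # letters sort before non-letters; end of string sorts as 0.
    if c == '~':
        return -1
    if c == '':
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a: str, b: str) -> int:
    # Character-by-character comparison of two non-digit runs, padding the
    # shorter one with end-of-string.
    for i in range(max(len(a), len(b))):
        ca = a[i] if i < len(a) else ''
        cb = b[i] if i < len(b) else ''
        d = _order(ca) - _order(cb)
        if d:
            return -1 if d < 0 else 1
    return 0


def _verrevcmp(a: str, b: str) -> int:
    """Compare one upstream_version or debian_revision string like dpkg does."""
    while a or b:
        na, nb = _NONDIGITS.match(a).group(), _NONDIGITS.match(b).group()
        a, b = a[len(na):], b[len(nb):]
        c = _cmp_nondigit(na, nb)
        if c:
            return c
        da, db = _DIGITS.match(a).group(), _DIGITS.match(b).group()
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or '0'), int(db or '0')   # numeric, leading zeros ignored
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def parse_version(v: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(':')
    if not sep:
        epoch, rest = '0', v
    upstream, sep, revision = rest.rpartition('-')   # last hyphen starts the revision
    if not sep:
        upstream, revision = rest, ''                 # absent revision compares equal to "0"
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1, matching `dpkg --compare-versions A lt|eq|gt B`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def upgrade_is_monotonic(installed: str, candidate: str) -> bool:
    """True if apt would consider `candidate` an upgrade over `installed`."""
    return compare_versions(installed, candidate) < 0


# Version strings from the thread (names are mine).
BUSTER_OLD = '0.16.105-1+deb10u1'
BUSTER_REALLY = '0.16.105+really1.0-0+deb10u1'   # what was uploaded
BUSTER_TILDE = '1.0.225-1.1~deb10u1'             # what the follow-up suggests instead
BULLSEYE = '1.0.225-1.1'

if __name__ == '__main__':
    for name, cand in [('+really', BUSTER_REALLY), ('~deb10u1', BUSTER_TILDE)]:
        print(f'{name:9} above buster: {upgrade_is_monotonic(BUSTER_OLD, cand)}, '
              f'below bullseye: {upgrade_is_monotonic(cand, BULLSEYE)}')
```

Both candidate buster versions sort above 0.16.105-1+deb10u1 and below bullseye's 1.0.225-1.1, so either numbering gives a monotonic buster to bullseye path; the ~deb10u1 form additionally sorts below every later revision of 1.0.225-1.1. Ordering alone therefore says nothing about the file conflict shown in the follow-up, which comes from the binary package contents (libyang0.16 shipping libyang.so.1), not from the version string.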



[SECURITY] [DLA 3571-1] openjdk-11 security update

2023-09-19 Thread Emilio Pozuelo Monfort
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3571-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
September 19, 2023                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : openjdk-11
Version        : 11.0.20+8-1~deb10u1
CVE ID         : CVE-2023-21930 CVE-2023-21937 CVE-2023-21938 CVE-2023-21939
                 CVE-2023-21954 CVE-2023-21967 CVE-2023-21968 CVE-2023-22006
                 CVE-2023-22036 CVE-2023-22041 CVE-2023-22045 CVE-2023-22049

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
which may result in bypass of sandbox restrictions, information
disclosure, reduced cryptographic strength of the AES implementation,
directory traversal or denial of service.

For Debian 10 buster, these problems have been fixed in version
11.0.20+8-1~deb10u1.

We recommend that you upgrade your openjdk-11 packages.

For the detailed security status of openjdk-11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-11

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3570-1] libwebp security update

2023-09-18 Thread Emilio Pozuelo Monfort
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3570-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
September 18, 2023                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libwebp
Version        : 0.6.1-2+deb10u3
CVE ID         : CVE-2023-4863

A buffer overflow in parsing WebP images may result in the execution of
arbitrary code.

For Debian 10 buster, this problem has been fixed in version
0.6.1-2+deb10u3.

We recommend that you upgrade your libwebp packages.

For the detailed security status of libwebp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libwebp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3569-1] thunderbird security update

2023-09-17 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3569-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
September 17, 2023                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: thunderbird
Version: 1:102.15.1-1~deb10u1
CVE ID : CVE-2023-4863

A buffer overflow in parsing WebP images may result in the execution of
arbitrary code.

For Debian 10 buster, this problem has been fixed in version
1:102.15.1-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3568-1] firefox-esr security update

2023-09-16 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3568-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
September 16, 2023                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: firefox-esr
Version: 102.15.1esr-1~deb10u1
CVE ID : CVE-2023-4863

A buffer overflow in parsing WebP images may result in the execution of
arbitrary code.

For Debian 10 buster, this problem has been fixed in version
102.15.1esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3554-1] thunderbird security update

2023-09-05 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3554-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
September 05, 2023                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: thunderbird
Version: 1:102.15.0-1~deb10u1
CVE ID : CVE-2023-4573 CVE-2023-4574 CVE-2023-4575 CVE-2023-4581
 CVE-2023-4584

Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.

For Debian 10 buster, these problems have been fixed in version
1:102.15.0-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3553-1] firefox-esr security update

2023-09-01 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3553-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
September 01, 2023                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: firefox-esr
Version: 102.15.0esr-1~deb10u1
CVE ID : CVE-2023-4573 CVE-2023-4574 CVE-2023-4575 CVE-2023-4581
 CVE-2023-4584

Multiple security issues have been found in the Mozilla Firefox
web browser, which could potentially result in the execution
of arbitrary code.

For Debian 10 buster, these problems have been fixed in version
102.15.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3523-1] firefox-esr security update

2023-08-09 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3523-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
August 09, 2023                                   https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: firefox-esr
Version: 102.14.0esr-1~deb10u1
CVE ID : CVE-2023-4045 CVE-2023-4046 CVE-2023-4047 CVE-2023-4048
 CVE-2023-4049 CVE-2023-4050 CVE-2023-4055 CVE-2023-4056

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, bypass of the same-origin policy, spoofing or sandbox bypass.

For Debian 10 buster, these problems have been fixed in version
102.14.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Re: Accepted thunderbird 1:102.14.0-1~deb10u1 (source) into oldoldstable

2023-08-08 Thread Emilio Pozuelo Monfort

On 08/08/2023 12:00, Emilio Pozuelo Monfort wrote:

Hi Sylvain,

On 07/08/2023 11:46, Sylvain Beucler wrote:

Hello Carsten,

Thanks for updating Thunderbird for buster :)

Do you want the LTS Team to take care of the DLA registration and 
announcement, or do you plan to do that yourself?


Please send it out, or I can do it if you want.


Coordinated over irc, and announcement is out.

Cheers,
Emilio



Re: firefox on buster

2023-08-08 Thread Emilio Pozuelo Monfort

Hi Chris,

On 07/08/2023 23:57, Chris Frey wrote:

I noticed firefox security updates for 102.14.x have been released for
bullseye and bookworm, but not for buster (still on 102.13.x)

Anything that an outsider can do to help with that?


Given that the package is no longer in sid, I had a little trouble preparing the 
backport from the git repository. That's sorted now, and the update should go 
out today or tomorrow, once testing on my part has been done.


Cheers,
Emilio



[SECURITY] [DLA 3521-1] thunderbird security update

2023-08-08 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3521-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
August 08, 2023                                   https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: thunderbird
Version: 1:102.14.0-1~deb10u1
CVE ID : CVE-2023-4045 CVE-2023-4046 CVE-2023-4047 CVE-2023-4048
 CVE-2023-4049 CVE-2023-4050 CVE-2023-4055 CVE-2023-4056

Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.

For Debian 10 buster, these problems have been fixed in version
1:102.14.0-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Re: Accepted thunderbird 1:102.14.0-1~deb10u1 (source) into oldoldstable

2023-08-08 Thread Emilio Pozuelo Monfort

Hi Sylvain,

On 07/08/2023 11:46, Sylvain Beucler wrote:

Hello Carsten,

Thanks for updating Thunderbird for buster :)

Do you want the LTS Team to take care of the DLA registration and announcement, 
or do you plan to do that yourself?


Please send it out, or I can do it if you want.


(I assume this matches https://www.debian.org/security/2023/dsa-5469)


Yes, same one.

Thanks,
Emilio



[SECURITY] [DLA 3510-1] thunderbird security update

2023-07-31 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3510-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
July 31, 2023                                     https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: thunderbird
Version: 1:102.13.1-1~deb10u1
CVE ID : CVE-2023-3417

A security issue was discovered in Thunderbird, which could result in
spoofing of filenames of email attachments.

For Debian 10 buster, this problem has been fixed in version
1:102.13.1-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3490-1] thunderbird security update

2023-07-12 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3490-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
July 11, 2023                                     https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: thunderbird
Version: 1:102.13.0-1~deb10u1
CVE ID : CVE-2023-37201 CVE-2023-37202 CVE-2023-37207 CVE-2023-37208
 CVE-2023-37211

Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.

For Debian 10 buster, these problems have been fixed in version
1:102.13.0-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3484-1] firefox-esr security update

2023-07-07 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3484-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
July 08, 2023                                     https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: firefox-esr
Version: 102.13.0esr-1~deb10u1
CVE ID : CVE-2023-37201 CVE-2023-37202 CVE-2023-37207 CVE-2023-37208
 CVE-2023-37211

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or spoofing.

For Debian 10 buster, these problems have been fixed in version
102.13.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Re: WebKit 2.40 update for buster

2023-07-06 Thread Emilio Pozuelo Monfort

On 27/06/2023 16:18, Alberto Garcia wrote:

On Tue, Jun 27, 2023 at 10:53:40AM +0200, Emilio Pozuelo Monfort wrote:

I have been testing it a bit using a buster VM but I don't think this
is very stable.

After removing ~/.cache/epiphany, ~/.local/share/epiphany and
~/.local/share/webkitgtk I am having problems to open web pages using
Epiphany. The problems go away if I revert WebKitGTK to the previous
version (2.38.6).


Thanks for testing it. That's obviously bad, and makes me ponder
stopping security updates for webkit on buster and EOL'ing
it. Although your experience is different than what Carlos
reported. I wonder if you managed to investigate it a bit and see
where the crashes came from (I can upload dbg packages if wanted).


I haven't investigated much further, I can do it if you want, but in
general I think we're stretching this too much and this is the time to
stop providing WebKitGTK security updates for buster. The switch to
2.40.x was bumpy for bullseye already (remember the Evolution issues,
and see also #1036154).


Ack, given the changes (particularly switching to libc++) and the reported 
regressions, I think we just EOL at this point. I don't know if WebKit upstream 
would consider a longer support period on the stable branches or avoid breaking 
changes for a little longer than 3 years, but otherwise we'll have to eventually 
make this decision.


Cheers,
Emilio



Re: WebKit 2.40 update for buster

2023-06-27 Thread Emilio Pozuelo Monfort

Hi Berto,

On 19/06/2023 12:59, Alberto Garcia wrote:

On Fri, Jun 02, 2023 at 02:17:37PM +0200, Emilio Pozuelo Monfort wrote:


I have prepared a repository at

   deb [allow-insecure=yes] https://people.debian.org/~pochu/lts/webkit/ ./

I'd appreciate some testing of any webkit applications (epiphany-browser,
evolution...) that you can.


I have been testing it a bit using a buster VM but I don't think this
is very stable.

After removing ~/.cache/epiphany, ~/.local/share/epiphany and
~/.local/share/webkitgtk I am having problems to open web pages using
Epiphany. The problems go away if I revert WebKitGTK to the previous
version (2.38.6).


Thanks for testing it. That's obviously bad, and makes me ponder stopping 
security updates for webkit on buster and EOL'ing it. Although your experience 
is different than what Carlos reported. I wonder if you managed to investigate 
it a bit and see where the crashes came from (I can upload dbg packages if wanted).


But in general I think it may be the time to discontinue these updates and ask 
users to only use this with trusted content.


Cheers,
Emilio



Re: [SECURITY] [DLA 3452-1] thunderbird security update

2023-06-13 Thread Emilio Pozuelo Monfort

On 12/06/2023 17:10, sko...@uns.ac.rs wrote:

Hi,

Hi,

On 12/06/2023 13:35, Miroslav Skoric wrote:

Although unrelated with the security issues above, may I ask something that I
noticed for the first time in Thunderbird 102.11.0 (32-bit) that annoys me and
what differs from some older versions in the past, as I can remember: In fact,
a right click on a message body (in the message pane, F8) opens the 'Save As
...' option. Then in the new opened window a file name shall be entered.
However, it is per default offered to save the message under a rather complex
name composed by all of these: Subject-Sender Day Time.eml

And for some reason I get the response: 'Unable to save the message. Please
check your file name."

So, after testing different variants of file names, I discovered that the best
option is when the name includes only the Subject (and not the rest). It makes
me wonder if it would be possible for a user to set it per default, so it would
not be needed to shorten the file name each time. (I mean, to configure saving
the message under a name that includes only the Subject and nothing else.)

Furthermore, I noticed that message saving under a name that includes some
non-alphabet characters, such as colon or like, also tends to fail. And it fails
under some Linux versions, but not in Windows ones. What may be a reason for
that? Thank you.

It works for me on my ext4 filesystem. However I tested saving to an NTFS
filesystem and I got that error message. That's probably a limitation of what
characters filenames in NTFS filesystems (or whatever filesystem you're trying
to save to) can contain. I suggest filing this issue upstream in order to make
the default filename simpler.

Cheers,
Emilio

Thank you for the suggestion. May I ask for a weblink to do it. Tnx!

Probably on
https://bugzilla.mozilla.org/describecomponents.cgi?product=Thunderbird

Emilio
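The error Emilio reproduced on NTFS matches that filesystem's naming rules: Windows/NTFS reject `< > : " / \ | ? *` and control characters in a name, treat a few device names (CON, NUL, COM1 and so on) as reserved, and drop trailing dots and spaces, whereas ext4 only rejects `/` and NUL, so a default name carrying an HH:MM time works on one and fails on the other. As an added example, not Thunderbird's code and not from this thread, the Python below reports which characters a proposed name would trip on and builds a "Subject - Sender - Date Time.eml" name that both filesystems accept, including the 255-byte per-component limit. The subject, sender and time it is called with are constructed inputs.

```python
"""Portable filenames for saved messages (added example, not Thunderbird's code).

NTFS/Windows refuse a handful of characters that ext4 accepts, which is enough
to make a default name carrying an HH:MM time fail on one and not the other.
"""
import re
from datetime import datetime

# Rejected in a Windows/NTFS name; ext4 only rejects "/" and NUL.
_RESERVED_CHARS = set('<>:"/\\|?*') | {chr(c) for c in range(32)}
# Device names Windows reserves even with an extension (CON.eml is still CON).
_RESERVED_NAMES = {"CON", "PRN", "AUX", "NUL",
                   *(f"COM{i}" for i in range(1, 10)),
                   *(f"LPT{i}" for i in range(1, 10))}
_MAX_NAME_BYTES = 255  # per-component limit on both ext4 and NTFS


def offending_chars(name: str) -> set:
    """Characters in `name` that NTFS would refuse (empty set means it is fine)."""
    return {c for c in name if c in _RESERVED_CHARS}


def portable_filename(subject: str, sender: str = "", when=None, ext: str = ".eml") -> str:
    """Build 'Subject - Sender - YYYY-MM-DD HH.MM.eml' that both ext4 and NTFS accept."""
    parts = [subject.strip()]
    if sender:
        # Keep the display name; the <addr> part only contributes "<" and ">".
        parts.append(re.sub(r"\s*<[^>]*>\s*$", "", sender).strip() or sender.strip())
    if when is not None:
        # ":" in HH:MM is the usual NTFS failure, so the time uses "." instead.
        parts.append(when.strftime("%Y-%m-%d %H.%M"))
    name = " - ".join(p for p in parts if p)
    name = "".join("_" if c in _RESERVED_CHARS else c for c in name)
    # Windows silently drops trailing dots and spaces, so drop them ourselves.
    name = re.sub(r"\s+", " ", name).strip(" .")
    if name.split(".")[0].upper() in _RESERVED_NAMES:
        name = "_" + name
    if not name:
        name = "message"
    # Truncate on a UTF-8 character boundary, leaving room for the extension.
    budget = _MAX_NAME_BYTES - len(ext.encode("utf-8"))
    name = name.encode("utf-8")[:budget].decode("utf-8", errors="ignore").rstrip(" .")
    return name + ext


# The thread's default name shape, made portable (constructed input).
EXAMPLE = portable_filename("Re: meeting", "Alice <alice@example.org>",
                            datetime(2023, 6, 12, 13, 35))
```

`offending_chars` is the quick diagnostic for the reporter's case: a name with an HH:MM time returns `{":"}` on the NTFS rule set and nothing on ext4's, which is exactly the Linux-versus-Windows-host difference he saw. The replacement character and the `_` prefix for reserved names are this example's choices; the upstream report Emilio suggests is still the right place to get the default changed.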



Re: [SECURITY] [DLA 3452-1] thunderbird security update

2023-06-12 Thread Emilio Pozuelo Monfort

Hi,

On 12/06/2023 13:35, Miroslav Skoric wrote:

Although unrelated with the security issues above, may I ask something that I
noticed for the first time in Thunderbird 102.11.0 (32-bit) that annoys me and
what differs from some older versions in the past, as I can remember: In fact,
a right click on a message body (in the message pane, F8) opens the 'Save As
...' option. Then in the new opened window a file name shall be entered.
However, it is per default offered to save the message under a rather complex
name composed by all of these: Subject-Sender Day Time.eml


And for some reason I get the response: 'Unable to save the message. Please 
check your file name."


So, after testing different variants of file names, I discovered that the best
option is when the name includes only the Subject (and not the rest). It makes 
me wonder if it would be possible for a user to set it per default, so it would 
not be needed to shorten the file name each time. (I mean, to configure saving 
the message under a name that includes only the Subject and nothing else.)


Furthermore, I noticed that message saving under a name that includes some 
non-alphabet characters, such as colon or like, also tends to fail. And it fails 
under some Linux versions, but not in Windows ones. What may be a reason for 
that? Thank you.


It works for me on my ext4 filesystem. However I tested saving to an NTFS
filesystem and I got that error message. That's probably a limitation of what 
characters filenames in NTFS filesystems (or whatever filesystem you're trying 
to save to) can contain. I suggest filing this issue upstream in order to make 
the default filename simpler.


Cheers,
Emilio



[SECURITY] [DLA 3452-1] thunderbird security update

2023-06-12 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3452-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
June 12, 2023                                     https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: thunderbird
Version: 1:102.12.0-1~deb10u1
CVE ID : CVE-2023-34414 CVE-2023-34416

Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.

For Debian 10 buster, these problems have been fixed in version
1:102.12.0-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3448-1] firefox-esr security update

2023-06-08 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3448-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
June 08, 2023                                     https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: firefox-esr
Version: 102.12.0esr-1~deb10u1
CVE ID : CVE-2023-34414 CVE-2023-34416

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code.

For Debian 10 buster, these problems have been fixed in version
102.12.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



WebKit 2.40 update for buster

2023-06-02 Thread Emilio Pozuelo Monfort

Hi,

With the release of WebKitGTK+ 2.40, the series currently in buster, 2.38, has 
become EOL. Unfortunately 2.40 bumped the compiler and other library 
requirements quite a bit, so a backport wasn't easy, but I've managed to do it. 
It requires clang++-13 to build (which is presently in buster) as well as 
libc++, which is a new runtime dependency. A couple of other libraries are now 
required in order to keep support for Wayland.


I have prepared a repository at

  deb [allow-insecure=yes] https://people.debian.org/~pochu/lts/webkit/ ./

(The allow-insecure could be dropped if you make apt trust my GPG key
(709CA6C7EBE6259C5DF7643E9D46C488E4368302).)


Just like in bullseye, the new webkit breaks evolution, so I prepared an update 
for it to work with the newer webkit.


I'd appreciate some testing of any webkit applications (epiphany-browser, 
evolution...) that you can.


If all goes well, I'll address the last known issue (building with cmake from 
buster, which is partly done but not completed) and upload everything. Otherwise 
if there's breakage, the alternative would be to mark webkit as limited support 
(only for trusted content), which basically EOLs it.


Cheers,
Emilio



[SECURITY] [DLA 3422-1] postgresql-11 security update

2023-05-15 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3422-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
May 15, 2023                                      https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: postgresql-11
Version: 11.20-0+deb10u1
CVE ID : CVE-2023-2454 CVE-2023-2455

Two security issues were found in PostgreSQL, which may result in
privilege escalation or incorrect policy enforcement.

For Debian 10 buster, these problems have been fixed in version
11.20-0+deb10u1.

We recommend that you upgrade your postgresql-11 packages.

For the detailed security status of postgresql-11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgresql-11

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3421-1] thunderbird security update

2023-05-15 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3421-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
May 15, 2023                                      https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: thunderbird
Version: 1:102.11.0-1~deb10u1
CVE ID : CVE-2023-32205 CVE-2023-32206 CVE-2023-32207 CVE-2023-32211
 CVE-2023-32212 CVE-2023-32213 CVE-2023-32215

Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.

For Debian 10 buster, these problems have been fixed in version
1:102.11.0-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3419-1] webkit2gtk security update

2023-05-12 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3419-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
May 12, 2023                                      https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: webkit2gtk
Version: 2.38.6-0+deb10u1
CVE ID : CVE-2022-0108 CVE-2022-32885 CVE-2023-27932 CVE-2023-27954
 CVE-2023-28205

The following vulnerabilities have been discovered in the WebKitGTK
web engine:

CVE-2022-0108

Luan Herrera discovered that an HTML document may be able to
render iframes with sensitive user information.

CVE-2022-32885

P1umer and Q1IQ discovered that processing maliciously crafted web
content may lead to arbitrary code execution.

CVE-2023-27932

An anonymous researcher discovered that processing maliciously
crafted web content may bypass Same Origin Policy.

CVE-2023-27954

An anonymous researcher discovered that a website may be able to
track sensitive user information.

CVE-2023-28205

Clement Lecigne and Donncha O Cearbhaill discovered that
processing maliciously crafted web content may lead to arbitrary
code execution. Apple is aware of a report that this issue may
have been actively exploited.

For Debian 10 buster, these problems have been fixed in version
2.38.6-0+deb10u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAmReBuEACgkQnUbEiOQ2
gwKhxA//by9UrPpuDevBxrQBIiILMXHcTp0P/g7rvZIpnXI2U4AAZ3fcx8buPjvQ
WI97LiXzpm0cDnDljLv1Hj9Pu8Qt2QM0PFxWCD/Eior0NqJkqtGF0AXXLa1fi+/V
K3NC5p5X+fB6BYGufWfnvt+0BsageXIIsukIV1NQrzX1mQkukR9fZ7jU+R56ddu6
l7Noqam/wu42h9yIJS6PTxN7U24sM5u2o4EG1lvbljtbhd4w0BtGyWi3seJNGDYJ
VtogMwQKzsEJVYvaeNF0rAoPeiN6uxHobsMEeGG6/EA2Oxoqfn0StwsrpzfoBxiD
kFWnPfqNFxyApiaaQbD/U2oJpyb43SOr+H5+3aV9raZaxgE4GyWGiJ+3VWFoVV9E
+fi2R9n5eTtQp2Smrz9pBrNqj2TWDr2T9PMBmoihGoKR11bLMQJg55ld3SciPBP6
c+/n/3VtvHekt9ei3lDzNV7SGQYE3XLe5lEqMuuwCNcVLtTY+QuiER6i+5EPZwZv
vafj7yin7he1xpauEYW4I2OPU9ua7m4NueLGr1FmhmnUp853TlXaIXu/QPQbqYZa
C3oCK+GvIAskWYgIi4PsGJDzxXTytUOthi2u191kUJbgkIW0VysDC3ifPN74L2Tw
RyaYG2jn4aaV1tWaqS5baZrWhZWE0KHkGnM7eeemM9EZGYJxSpQ=
=WuRe
-----END PGP SIGNATURE-----



[SECURITY] [DLA 3417-1] firefox-esr security update

2023-05-11 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3417-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
May 11, 2023                                      https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: firefox-esr
Version: 102.11.0esr-1~deb10u1
CVE ID : CVE-2023-32205 CVE-2023-32206 CVE-2023-32207 CVE-2023-32211
 CVE-2023-32212 CVE-2023-32213 CVE-2023-32215

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, spoofing or permission request bypass.

For Debian 10 buster, these problems have been fixed in version
102.11.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Re: nvidia-graphics-drivers in DLA needed?

2023-05-10 Thread Emilio Pozuelo Monfort

On 10/05/2023 11:42, Tobias Frost wrote:

On Wed, May 10, 2023 at 10:00:11AM +0200, Emilio Pozuelo Monfort wrote:

On 07/05/2023 10:20, Tobias Frost wrote:

Hi,

(this thread is linked in dla-needed.txt and such) I'm not sure
about the status of the nvidia drivers in LTS, so I thought it
is better to ask whether or not we support nvidia-drivers

Said that I've just claimed them from dla-needed.txt and will work
on them, unless someone tells me not to do so ;-)


I'd say it falls in the same category as firmware-nonfree. If we can support
it with a reasonable effort then we shall do it, since there's no other
pocket for such updates (e.g. proposed-updates). But once the various
branches go EOL then we should just declare them EOL as well.


I agree!

After analyzing nvidia-graphics-drivers yesterday, I'd suggest to EOL it: The
driver version (418) in buster has been EOLed by nvidia in 02/2022. I've
checked if it would make sense to update to 470 (EOL date 07/2024) but the
470 drivers introduce new libraries and also remove some others, so I think
this is not worth the effort.

For nvidia-graphics-drivers-legacy-390xx, buster actually does not have the
latest 390 version, so I think it makes sense to do a (final) update here.
(Though, I did not check yet if the new version also has some surprises ready.)
After that, the package should also be EOLed (nvidia support ended 12/2022).


Sounds good.

Cheers,
Emilio



Re: nvidia-graphics-drivers in DLA needed?

2023-05-10 Thread Emilio Pozuelo Monfort

On 07/05/2023 10:20, Tobias Frost wrote:

Hi,

(this thread is linked in dla-needed.txt and such) I'm not sure
about the status of the nvidia drivers in LTS, so I thought it
is better to ask whether or not we support nvidia-drivers

Said that I've just claimed them from dla-needed.txt and will work
on them, unless someone tells me not to do so ;-)


I'd say it falls in the same category as firmware-nonfree. If we can support it 
with a reasonable effort then we shall do it, since there's no other pocket for 
such updates (e.g. proposed-updates). But once the various branches go EOL then 
we should just declare them EOL as well.


Cheers,
Emilio



[SECURITY] [DLA 3413-1] libdatetime-timezone-perl new timezone database

2023-05-02 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3413-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Emilio Pozuelo Monfort
May 02, 2023                                      https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: libdatetime-timezone-perl
Version: 1:2.23-1+2023c

This update includes the changes in tzdata 2023c for the
Perl bindings. For the list of changes, see DLA-3412-1.

For Debian 10 buster, this problem has been fixed in version
1:2.23-1+2023c.

We recommend that you upgrade your libdatetime-timezone-perl packages.

For the detailed security status of libdatetime-timezone-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libdatetime-timezone-perl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3412-1] tzdata new timezone database

2023-05-02 Thread Emilio Pozuelo Monfort
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

- -
Debian LTS Advisory DLA-3412-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
May 02, 2023                                  https://wiki.debian.org/LTS
- -

Package: tzdata
Version: 2021a-0+deb10u11

This update includes the changes in tzdata 2023c. Notable
changes are:

- - Revert Lebanon DST changes.
- - Updated leap second list.

For Debian 10 buster, this problem has been fixed in version
2021a-0+deb10u11.

We recommend that you upgrade your tzdata packages.

For the detailed security status of tzdata please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tzdata

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3400-1] thunderbird security update

2023-04-24 Thread Emilio Pozuelo Monfort
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

- -
Debian LTS Advisory DLA-3400-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
April 24, 2023                                https://wiki.debian.org/LTS
- -

Package: thunderbird
Version: 1:102.10.0-1~deb10u1
CVE ID : CVE-2023-0547 CVE-2023-1945 CVE-2023-28427 CVE-2023-29479
 CVE-2023-29533 CVE-2023-29535 CVE-2023-29536 CVE-2023-29539
 CVE-2023-29541 CVE-2023-29548 CVE-2023-29550

Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.

For Debian 10 buster, these problems have been fixed in version
1:102.10.0-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Re: (E)LTS improved salsa pipeline support

2023-04-20 Thread Emilio Pozuelo Monfort

On 19/04/2023 18:16, Sylvain Beucler wrote:

Hi,

On 17/04/2023 21:36, Sylvain Beucler wrote:

On 20/03/2023 09:40, Emilio Pozuelo Monfort wrote:

On 17/03/2023 19:39, Raphael Hertzog wrote:

On Thu, 16 Mar 2023, Emilio Pozuelo Monfort wrote:

The result is an improved pipeline with better support for both LTS and
ELTS. [1]


Great work Emilio!

It would be nice to have all this properly documented in
https://lts-team.pages.debian.net


Ack, I can add something to the testing section of the development page.


I'm wondering if this new CI environment is meant for all new repositories?

Currently LTS contributors are supposed to follow the following documentation:
https://lts-team.pages.debian.net/git-workflow-lts.html

which IIUC is also what was automated in:
https://gitlab.com/freexian/services/deblts-team/debian-lts/-/blob/master/bin/package-operations#L985

i.e. with a local debian/.gitlab-ci.yml relying on:
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
plus optionally disabling some tests.


Should we use that existing setup, or the new CI setup you presented, for new 
LTS packages?


Additional elements:

- In the meantime, Emilio changed package-operations to reference the new recipe 
for automated repository creation, thanks! :)

(The workflow doc still points to the old recipe).

- Emilio also answered this on IRC:
 > yes, the new CI is meant for all lts repos.
 > using the URL directly instead of a file works if the repo only contains *LTS
 > branches. for other use cases, pointing to the appropriate yml file would be best


I confirm that using the URL directly is currently annoying since even in 
LTS-only repos, it triggers for 'upstream' and 'pristine-tar' branches (which 
are not testable) :/


Right. Not sure if that can be avoided, but I'll take a look.

- Incidentally when attempting the new recipe with 'golang-1.11' it complains 
about having 0 jobs to perform

https://salsa.debian.org/lts-team/packages/golang-1.11/-/pipelines/521038


That's because it's running on the git tag. lts.yml is using the branch name to 
guess if it should include buster.yml, stretch.yml or jessie.yml (which set 
RELEASE and other variables, e.g. jessie disables reprotest completely as 
there's no reprotest in jessie). However the tag doesn't contain the release in 
its name, unlike e.g. 'debian/buster'. Not sure why the pipeline got triggered 
for the tag though, that didn't happen e.g. on the git repo:


https://salsa.debian.org/lts-team/packages/git/-/pipelines

Cheers,
Emilio



[SECURITY] [DLA 3391-1] firefox-esr security update

2023-04-12 Thread Emilio Pozuelo Monfort
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

- -
Debian LTS Advisory DLA-3391-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
April 12, 2023                                https://wiki.debian.org/LTS
- -

Package: firefox-esr
Version: 102.10.0esr-1~deb10u1
CVE ID : CVE-2023-1945 CVE-2023-29533 CVE-2023-29535 CVE-2023-29536
 CVE-2023-29539 CVE-2023-29541 CVE-2023-29548 CVE-2023-29550
Debian Bug : 982794

Multiple security issues have been found in the Mozilla Firefox
web browser, which could potentially result in the execution
of arbitrary code or spoofing.

For Debian 10 buster, these problems have been fixed in version
102.10.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Re: [Git][security-tracker-team/security-tracker][master] Reserve DLA-3389-1 for lldpd

2023-04-12 Thread Emilio Pozuelo Monfort

Hi Chris,

On 12/04/2023 10:16, Chris Lamb (@lamby) wrote:



Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d3d0edc1 by Chris Lamb at 2023-04-12T09:14:31+01:00
Reserve DLA-3389-1 for lldpd

My previous reservation of DLA-3388-1 didn't successfully push to salsa, so I
now need to clean up my collisions with DLA-3388-1 (keepalived). :/

Will you send a follow-up DLA announcement with the correct number?

With respect to the process, I wonder how this happened and if there's something 
that can be improved in our scripts to avoid a similar issue in the future. Did 
you use `gen-DLA --save` and miss the git push failure messages? Would it have 
helped if gen-DLA would have cleaned up the DLA- file when git push failed? 
Do you have any other suggestions?


Cheers,
Emilio



Re: (E)LTS improved salsa pipeline support

2023-03-31 Thread Emilio Pozuelo Monfort

On 31/03/2023 06:19, Anton Gladky wrote:

Hello Emilio,

could you please provide an example, how the pipeline can be prepared?
I set the value here [1], but it looks like the pipeline did not start.

[1] https://salsa.debian.org/lts-team/packages/389-ds-base/-/pipelines


The CI/CD configuration file setting was set to " 
recipes/lts.yml@lts-team/pipeline" with an extra space in the beginning that was 
causing the file not found error. I have fixed it and the pipeline is working now.


Cheers,
Emilio



[SECURITY] [DLA 3367-1] libdatetime-timezone-perl security update

2023-03-24 Thread Emilio Pozuelo Monfort
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

- -
Debian LTS Advisory DLA-3367-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
March 24, 2023                                https://wiki.debian.org/LTS
- -

Package: libdatetime-timezone-perl
Version: 1:2.23-1+2023b

This update includes the changes in tzdata 2023b for the
Perl bindings. For the list of changes, see DLA-3366-1.

For Debian 10 buster, this problem has been fixed in version
1:2.23-1+2023b.

We recommend that you upgrade your libdatetime-timezone-perl packages.

For the detailed security status of libdatetime-timezone-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libdatetime-timezone-perl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3366-1] tzdata new timezone database

2023-03-24 Thread Emilio Pozuelo Monfort
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

- -
Debian LTS Advisory DLA-3366-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
March 24, 2023                                https://wiki.debian.org/LTS
- -

Package: tzdata
Version: 2021a-0+deb10u10

This update includes the changes in tzdata 2023b. Notable
changes are:

- - Egypt uses DST again, starting in April.
- - Palestine and Lebanon delay the start of DST this year.
- - Morocco DST will happen a week earlier on April 23.
- - Adjustments to Greenland's timezones and DST rules.

For Debian 10 buster, this problem has been fixed in version
2021a-0+deb10u10.

We recommend that you upgrade your tzdata packages.

For the detailed security status of tzdata please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tzdata

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Re: (E)LTS improved salsa pipeline support

2023-03-20 Thread Emilio Pozuelo Monfort

On 17/03/2023 19:39, Raphael Hertzog wrote:

Hi,

On Thu, 16 Mar 2023, Emilio Pozuelo Monfort wrote:

The result is an improved pipeline with better support for both LTS and
ELTS. [1]


Great work Emilio!

It would be nice to have all this properly documented in
https://lts-team.pages.debian.net


Ack, I can add something to the testing section of the development page.


I'm also curious to know if you think that some of your changes are
upstreamable, and how hard you expect this to be to stay in sync with the
upstream pipeline project?


atm there are a bunch of changes/hacks I had to do in order to support jessie. 
However backporting minor fixes should be alright as most of our changes are not 
too intrusive. Major changes that change how things are built may need a bit 
more work, e.g. the changes in [1] come to mind.



Is it worth documenting some of your design choices in case someone else
has to work on this?


Yes, I can add a README.LTS file to the repository. Also there are some changes 
I still want to make to simplify our diff and to get more stuff upstreamed.


Cheers,
Emilio



Re: (E)LTS improved salsa pipeline support

2023-03-20 Thread Emilio Pozuelo Monfort

On 19/03/2023 07:50, Bastien Roucariès wrote:

On Thursday 16 March 2023 09:34:17 UTC, you wrote:
Hi,

Hi,

I have been working on improving our Salsa pipeline support for LTS and ELTS.
Right now builds were failing for jessie and while stretch builds were still
somewhat working, they were bound to break once the move to archive.debian.org
happens, plus they were only building on a vanilla stretch LTS image instead of
ELTS.

The result is an improved pipeline with better support for both LTS and ELTS. 
[1]


Great work

Nevertheless, imagemagick is ok here 
https://salsa.debian.org/debian/imagemagick/-/pipelines/512597
but FTBFS here 
http://buildd-i386.freexian.com/build-logs/imagemagick_8:6.9.7.4+dfsg-11+deb9u17-stretch-amd64-20230318-234830.6669.log
http://buildd-amd64.freexian.com/build-logs/imagemagick_8:6.9.7.4+dfsg-11+deb9u17-stretch-i386-20230318-234831.6670.log

Could you investigate?


That CI job was building the stretch branch on the buster pipeline.

Cheers,
Emilio



Re: (E)LTS improved salsa pipeline support

2023-03-20 Thread Emilio Pozuelo Monfort

On 17/03/2023 06:39, Anton Gladky wrote:

Hello Emilio,

thanks for this update! I will test it on a couple of projects in the
lts-team namespace
and if everything is OK, we will switch all of them per batch-update.

So, does it mean that we can drop the gitlab-ci.yml almost in all repos and
let it be there only for those, where fine-tuning is needed?


Yes.


If some tests need to be disabled for one particular package, one needs to
include the new recipe and let the disabled stuff be in the old gitlab-ci.yml?


That's right. But then the CI/CD global setting needs to be changed to point to 
gitlab-ci.yml, and it needs to be added to all branches.



Can something from this work be proposed for the general salsa-ci
Debian-wide?


I have proposed a couple of minor changes, and I'll see if any of the others can 
be proposed too. Although many of the changes have been added to support jessie, 
and those are not upstreamable.


Cheers,
Emilio



Re: Using Salsa-CI as pre-upload QA for Bullseye and Buster uploads: Lintian and Piuparts

2023-03-20 Thread Emilio Pozuelo Monfort

Hi Otto,

I do run lintian from the target release before upload (actually on every 
build). I don't think running lintian from sid for (old*)stable makes sense as 
I'm not interested in newly introduced warnings or errors that affect sid. I'm 
interested in having the most stable lintian warnings, so that if there are any 
new errors, it's because of changes I made (and I need to look into it).


On 19/03/2023 23:04, Otto Kekäläinen wrote:

Following up on this topic, I noticed that I can't even manually
override the Lintian image version at the moment as the
Buster/Bullseye/Bookworm tags don't exist at
https://salsa.debian.org/groups/salsa-ci-team/-/container_registries/295

To fix this I filed now
https://salsa.debian.org/salsa-ci-team/pipeline/-/merge_requests/407


You can probably use the base:$(RELEASE) image and install lintian yourself.


I am a bit surprised I seem to be the only one running Salsa-CI when
preparing stable/LTS uploads, this issue must have been making the
pipeline red for everybody building RELEASE=bullseye/buster/stretch.


Not the only one! I have been looking at the Salsa CI very recently and have 
made improvements to use it for *oldstable, please see [1] and [2]. I'm not 
building images for bullseye atm, however if you find this useful, I'll be happy 
to add them.


Cheers,
Emilio

[1] https://lists.debian.org/debian-lts/2023/03/msg00021.html
[2] https://salsa.debian.org/lts-team/pipeline



Re: [SECURITY] [DLA 3357-2] imagemagick regression update

2023-03-20 Thread Emilio Pozuelo Monfort

Hi Bastien,

On 18/03/2023 18:56, Bastien Roucaries wrote:

From: imagemagick <>
To: debian-lts-annou...@lists.debian.org
Subject: [SECURITY] [DLA 3357-2] imagemagick regression update

-
Debian LTS Advisory DLA-3357-2                debian-lts@lists.debian.org
https://www.debian.org/lts/security/          Bastien Roucariès
March 18, 2023                                https://wiki.debian.org/LTS
-

Package: imagemagick
Version: 8:6.9.10.23+dfsg-2.1+deb10u4
CVE ID :


Can you remove these empty CVE or Bug lines in the future? The gen-DLA script 
includes them in case you need to add something, but if they are empty they 
should be removed before sending the announcement.


Thanks,
Emilio
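A pre-send check for the point above, as an added example and not the gen-DLA script itself: it drops the pre-filled `CVE ID :` / `Debian Bug :` lines that were left empty while keeping populated ones together with their wrapped continuation lines, and refuses a draft that still contains empty fields. The draft fed in below is constructed, with placeholder package values; the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not gen-DLA's own code): tidy and check a DLA draft.

# Drop "CVE ID :" / "Debian Bug :" lines that carry no value. Wrapped
# values continue on lines that start with whitespace, so a continuation
# line is only dropped when it follows a field that is itself dropped.
dla_strip_empty_fields() {
    awk '
        /^(CVE ID|Debian Bug)[ \t]*:[ \t]*$/ { skipping = 1; next }
        /^[ \t]+[^ \t]/ && skipping          { next }
        { skipping = 0; print }
    '
}

# Return 1 (listing the offending lines) when a draft file still has
# empty header fields; return 0 when it is clean.
dla_check_empty_fields() {
    if grep -nE '^(CVE ID|Debian Bug)[[:space:]]*:[[:space:]]*$' "$1"; then
        echo "$1: empty header fields above, remove them before sending" >&2
        return 1
    fi
    return 0
}

# Constructed draft with placeholder package values (not a real advisory).
# The CVE ids are copied from an advisory on this page purely as sample
# values; the list wraps onto a second line and the Bug field is empty.
draft=$(mktemp)
cat >"$draft" <<'EOF'
Package: examplepkg
Version: 1.0-1+deb10u1
CVE ID : CVE-2023-25751 CVE-2023-25752 CVE-2023-28162 CVE-2023-28164
 CVE-2023-28176
Debian Bug :

Multiple security issues were discovered in examplepkg.
EOF

# Typical flow: the check fails on the raw draft, the cleaned copy passes.
if ! dla_check_empty_fields "$draft"; then
    dla_strip_empty_fields <"$draft" >"$draft.clean"
    dla_check_empty_fields "$draft.clean" && cat "$draft.clean"
fi
rm -f "$draft" "$draft.clean"
```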



[SECURITY] [DLA 3365-1] thunderbird security update

2023-03-20 Thread Emilio Pozuelo Monfort
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

- -
Debian LTS Advisory DLA-3365-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
March 20, 2023                                https://wiki.debian.org/LTS
- -

Package: thunderbird
Version: 1:102.9.0-1~deb10u1
CVE ID : CVE-2023-25751 CVE-2023-25752 CVE-2023-28162 CVE-2023-28164
 CVE-2023-28176

Multiple security issues were discovered in Thunderbird, which could
result in denial of service, the execution of arbitrary code or
spoofing.

For Debian 10 buster, these problems have been fixed in version
1:102.9.0-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3364-1] firefox-esr security update

2023-03-17 Thread Emilio Pozuelo Monfort
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

- -
Debian LTS Advisory DLA-3364-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Emilio Pozuelo Monfort
March 17, 2023                                https://wiki.debian.org/LTS
- -

Package: firefox-esr
Version: 102.9.0esr-1~deb10u1
CVE ID : CVE-2023-25751 CVE-2023-25752 CVE-2023-28162 CVE-2023-28164
 CVE-2023-28176

Multiple security issues have been found in the Mozilla Firefox
web browser, which could potentially result in the execution
of arbitrary code or spoofing.

For Debian 10 buster, these problems have been fixed in version
102.9.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



(E)LTS improved salsa pipeline support

2023-03-16 Thread Emilio Pozuelo Monfort

Hi,

I have been working on improving our Salsa pipeline support for LTS and ELTS. 
Right now builds were failing for jessie and while stretch builds were still 
somewhat working, they were bound to break once the move to archive.debian.org 
happens, plus they were only building on a vanilla stretch LTS image instead of 
ELTS.


The result is an improved pipeline with better support for both LTS and ELTS. 
[1]

tl;dr:

Just set the CI/CD salsa configuration to:

recipes/lts.yml@lts-team/pipeline

That will automatically work for any *jessie*, *stretch* and *buster* branches, 
without needing to add per-branch .gitlab-ci.yml files. However if your branches 
aren't set up that way, or if you have other branches (e.g. you're sharing the 
repository with other non-LTS branches), or if you need to further configure the 
pipelines, you can configure your repository to use debian/gitlab-ci.yml and 
include one of the recipes such as buster.yml, or simply include debian.yml and 
set RELEASE and whatever other variables your project needs. Note that we're 
limiting the images that we build to the LTS/ELTS releases, so this won't work 
for bullseye atm. I'd be happy to add support for that if that helped anybody.


Also note that one of the differences wrt the main pipeline is that this runs 
lintian and blhc from the release instead of the sid version, which IMHO makes 
more sense.


Feedback welcome!

Cheers,
Emilio

[1] https://salsa.debian.org/lts-team/pipeline
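An added illustration of the branch-name dispatch described in this announcement, and of the two failure modes reported in the replies earlier on this page (a git tag with no code name in it leaving the pipeline with 0 jobs, and the upstream/pristine-tar branches being triggered although they are not testable). This is not the lts-team/pipeline lts.yml itself; the substring-matching rule and the helper names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the lts-team/pipeline recipe): which release-specific
# recipe an lts.yml-style dispatch would pick for a given git ref. The
# matching rule is an assumption: a substring match on the code name.

# Print the LTS/ELTS release a git ref maps to; return 1 when there is none.
lts_release_for_ref() {
    ref=$1
    case "$ref" in
        upstream|pristine-tar)
            # Non-Debian branches: nothing to build or test here.
            return 1 ;;
        *buster*)  echo buster ;;
        *stretch*) echo stretch ;;
        *jessie*)  echo jessie ;;
        *)
            # Tags such as debian/1.2-3+deb10u1 carry no code name, so
            # there is no release-specific recipe to include: 0 jobs.
            return 1 ;;
    esac
}

# The recipe file (buster.yml, stretch.yml, jessie.yml) that would be
# included for the ref, in the naming used by the announcement.
lts_recipe_for_ref() {
    rel=$(lts_release_for_ref "$1") || return 1
    echo "recipes/${rel}.yml"
}

# Walk a constructed list of refs covering the cases from the thread.
for ref in debian/buster stretch jessie-security debian/1.2-3+deb10u1 \
           upstream pristine-tar; do
    if recipe=$(lts_recipe_for_ref "$ref"); then
        printf '%-24s -> include %s\n' "$ref" "$recipe"
    else
        printf '%-24s -> no release detected, pipeline would have 0 jobs\n' "$ref"
    fi
done
```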



Re: RFC: ruby-loofah 2.2.3-1+deb10u2

2023-03-15 Thread Emilio Pozuelo Monfort

Hi Daniel,

On 13/03/2023 23:18, Daniel Leidert wrote:

Hi there,

I prepared my first LTS update. You can find it here:

https://salsa.debian.org/lts-team/packages/ruby-loofah

When I ran some test cases to see if all the vulnerabilities are fixed,
I discovered that there is a slight behavioral change:

As part of the fix for CVE-2022-23516, loofah will no longer remove
nested  sections, but escape the tags instead. They also
adjusted their tests for that. To demonstrate:

This: