Re: Test request Re: [Pkg-clamav-devel] LTS update of clamav and call for advice

2019-04-15 Thread Scott Kitterman 
Dropped the security team from the cc.

install clamav-daemon and clamav-testfiles and then use clamdscan to scan 
them:

$ clamdscan /usr/share/clamav-testfiles/clam*

The unrar test files will come up as not infected unless you also install 
libclamunrar7 from non-free.  That's normal.

Scott K

On Monday, April 15, 2019 11:25:39 PM Ola Lundqvist wrote:
> Hi
> 
> Great
> 
> Updated packages are now available on
> https://apt.inguza.net/jessie-security/clamav
> 
> Testing is much appreciated since I have limited experience of clamav
> myself.
> 
> I can test that the package installs properly but I'm not sure I can
> regression test it properly myself.
> 
> Anyone who knows how to regression test it properly?
> 
> Best regards
> 
> // Ola
> 
> On Mon, 15 Apr 2019 at 23:16, Scott Kitterman  wrote:
> > That sounds like the right approach.
> > 
> > Scott K
> > 
> > On Monday, April 15, 2019 10:36:31 PM Ola Lundqvist wrote:
> > > Hi again
> > > 
> > > I have now compared the 0.100.2 version in stretch to the version
> > > 0.100.3
> > > in stretch updates.
> > > I can then see that most of the changes that I'm worried about is not
> > > included.
> > > 
> > > This means that I will take the .orig file and include a sub-set of the
> > > updates.
> > > The remaining updates will be:
> > > - Symbol updates (unavoidable I think).
> > > - Copyright update (not sure if it is necessary but I'll include it
> > 
> > anyway)
> > 
> > > The rest will not be updated.
> > > 
> > > Best regards
> > > 
> > > // Ola
> > > 
> > > On Mon, 15 Apr 2019 at 20:00, Ola Lundqvist  wrote:
> > > > Hi Scott
> > > > 
> > > > I have now walked through the difference in the debian directories
> > 
> > between
> > 
> > > > the version in jessie and stretch updates.
> > > > I think there is more work than just a simple changelog update.
> > > > 
> > > > 1) The changelog file contain a lot of changes. I wonder how we
> > 
> > generally
> > 
> > > > should it. If I backport a package from current stable should I keep
> > 
> > that
> > 
> > > > changelog and just add one entry or should I pretent that the jessie
> > > > version still apply and add one entry from that one... Not sure
> > > > myself.
> > > > 2) /lib/systemd/system/clamav-daemon.socket is no longer installed and
> > 
> > a
> > 
> > > > patch introduced to not depend on it
> > > > 3) Config file moved
> > > > from /etc/systemd/system/clamav-daemon.socket.d/extend.conf
> > > > to /etc/systemd/system/clamav-daemon.service.d/extend.conf
> > > > 4) Changes in postinst. Not sure if it is backwards compatible or not
> > 
> > yet.
> > 
> > > > Preliminary not.
> > > > 5) Debhelper compat updated. Should be ok.
> > > > 6) Build dependency changes.
> > > > 7) clamav-dbg package no longer provided
> > > > 8) so files moved from /usr/lib/libclamav.so to
> > 
> > /usr/lib/xxx/libclamav.so
> > 
> > > > and pkgconfig moved accordingly.
> > > > 9) Support for llvm introduced. Should probably be ok.
> > > > 10) A LOT of symbols changed. They are delared private so it should be
> > 
> > ok.
> > 
> > > > But you never know.
> > > > 
> > > > It would be helpful if you can help me judge if any of the above means
> > > > backwards incompatibility.
> > > > 
> > > > I'm most worried about the following:
> > > > - Socket change
> > > > - Config file change
> > > > - Postinst change
> > > > - clamav-dbg
> > > > - Symbol changes
> > > > 
> > > > Thank you in advance
> > > > 
> > > > // Ola
> > > > 
> > > > On Mon, 1 Apr 2019 at 15:13, Scott Kitterman 
> > 
> > wrote:
> > > >> I believe you've misunderstood.
> > > >> 
> > > >> The version in stable is 0.100.3 and does not have a soname bump (nor
> > > >> does it
> > > >> need one).  You should be able to update the LTS with that package
> > 
> > with
> > 
> > > >> little
> > > >> more (maybe no more) than an updated changelog.
> > > >> 
> > > >> Scott K
> > > >> 
> > >

Re: [Pkg-clamav-devel] LTS update of clamav and call for advice

2019-04-15 Thread Scott Kitterman 
That sounds like the right approach.

Scott K

On Monday, April 15, 2019 10:36:31 PM Ola Lundqvist wrote:
> Hi again
> 
> I have now compared the 0.100.2 version in stretch to the version 0.100.3
> in stretch updates.
> I can then see that most of the changes that I'm worried about is not
> included.
> 
> This means that I will take the .orig file and include a sub-set of the
> updates.
> The remaining updates will be:
> - Symbol updates (unavoidable I think).
> - Copyright update (not sure if it is necessary but I'll include it anyway)
> 
> The rest will not be updated.
> 
> Best regards
> 
> // Ola
> 
> On Mon, 15 Apr 2019 at 20:00, Ola Lundqvist  wrote:
> > Hi Scott
> > 
> > I have now walked through the difference in the debian directories between
> > the version in jessie and stretch updates.
> > I think there is more work than just a simple changelog update.
> > 
> > 1) The changelog file contain a lot of changes. I wonder how we generally
> > should it. If I backport a package from current stable should I keep that
> > changelog and just add one entry or should I pretent that the jessie
> > version still apply and add one entry from that one... Not sure myself.
> > 2) /lib/systemd/system/clamav-daemon.socket is no longer installed and a
> > patch introduced to not depend on it
> > 3) Config file moved
> > from /etc/systemd/system/clamav-daemon.socket.d/extend.conf
> > to /etc/systemd/system/clamav-daemon.service.d/extend.conf
> > 4) Changes in postinst. Not sure if it is backwards compatible or not yet.
> > Preliminary not.
> > 5) Debhelper compat updated. Should be ok.
> > 6) Build dependency changes.
> > 7) clamav-dbg package no longer provided
> > 8) so files moved from /usr/lib/libclamav.so to /usr/lib/xxx/libclamav.so
> > and pkgconfig moved accordingly.
> > 9) Support for llvm introduced. Should probably be ok.
> > 10) A LOT of symbols changed. They are delared private so it should be ok.
> > But you never know.
> > 
> > It would be helpful if you can help me judge if any of the above means
> > backwards incompatibility.
> > 
> > I'm most worried about the following:
> > - Socket change
> > - Config file change
> > - Postinst change
> > - clamav-dbg
> > - Symbol changes
> > 
> > Thank you in advance
> > 
> > // Ola
> > 
> > On Mon, 1 Apr 2019 at 15:13, Scott Kitterman  wrote:
> >> I believe you've misunderstood.
> >> 
> >> The version in stable is 0.100.3 and does not have a soname bump (nor
> >> does it
> >> need one).  You should be able to update the LTS with that package with
> >> little
> >> more (maybe no more) than an updated changelog.
> >> 
> >> Scott K
> >> 
> >> On Monday, April 01, 2019 02:46:34 PM Ola Lundqvist wrote:
> >> > Hi Scott and LTS team
> >> > 
> >> > Thank you. I'll see if I can backport the required fixes. That may
> >> > solve
> >> > the library issue.
> >> > 
> >> > Alternatively we state that clamav is not supported. Maybe someone in
> >> 
> >> the
> >> 
> >> > LTS team can advice on that.
> >> > 
> >> > Best regards
> >> > 
> >> > // Ola
> >> > 
> >> > On Sun, 31 Mar 2019 at 22:35, Scott Kitterman 
> >> 
> >> wrote:
> >> > > Comments inline.
> >> > > 
> >> > > On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
> >> > > > Hi
> >> > > > 
> >> > > > I missed to include the clamav maintainers. Sorry about that.
> >> > > > 
> >> > > > // Ola
> >> > > > 
> >> > > > On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist  wrote:
> >> > > > > Dear maintainers, LTS team and Debian Secutiry team
> >> > > > > 
> >> > > > > I have started to look at the clamav package update due to
> >> > > > > CVE-2019-1787
> >> > > > > CVE-2019-1788
> >> > > > > CVE-2019-1789
> >> > > > > (the other three vulnerabilities are not affecting jessie or
> >> 
> >> stretch
> >> 
> >> > > as I
> >> > > 
> >> > > > > understand it)
> >> > > 
> >> > > That's correct.
> >> > > 
> >> > > > > I have understood that the clamav package is typically

Re: [Pkg-clamav-devel] LTS update of clamav and call for advice

2019-04-01 Thread Scott Kitterman 
I believe you've misunderstood.

The version in stable is 0.100.3 and does not have a soname bump (nor does it 
need one).  You should be able to update the LTS with that package with little 
more (maybe no more) than an updated changelog.

Scott K

On Monday, April 01, 2019 02:46:34 PM Ola Lundqvist wrote:
> Hi Scott and LTS team
> 
> Thank you. I'll see if I can backport the required fixes. That may solve
> the library issue.
> 
> Alternatively we state that clamav is not supported. Maybe someone in the
> LTS team can advice on that.
> 
> Best regards
> 
> // Ola
> 
> On Sun, 31 Mar 2019 at 22:35, Scott Kitterman  wrote:
> > Comments inline.
> > 
> > On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
> > > Hi
> > > 
> > > I missed to include the clamav maintainers. Sorry about that.
> > > 
> > > // Ola
> > > 
> > > On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist  wrote:
> > > > Dear maintainers, LTS team and Debian Secutiry team
> > > > 
> > > > I have started to look at the clamav package update due to
> > > > CVE-2019-1787
> > > > CVE-2019-1788
> > > > CVE-2019-1789
> > > > (the other three vulnerabilities are not affecting jessie or stretch
> > 
> > as I
> > 
> > > > understand it)
> > 
> > That's correct.
> > 
> > > > I have understood that the clamav package is typically updated to the
> > > > latest version also in stable and oldstable. However when doing so I
> > > > encountered quite a few things that I would like to ask your advice
> > > > on.
> > > > 
> > > > First of all to the maintainers. Do you want to handle also LTS
> > > > (oldstable) and regular security (stable) upload of clamav?
> > 
> > Stable is already done through stable proposed updates (which is the
> > normal
> > path for clamav).  We leave the LTS releases to the LTS team.  Base your
> > work
> > on what's in stable.
> > 
> > > > Question to maintainers and Security team. Should we synchronize the
> > > > efforts here and have you already started on the stable update?
> > > > 
> > > > If not I have a few questions:
> > > > 1) Do you know the binary compatibility between libclamav7 and
> > 
> > libclamav9?
> > 
> > > >  I have noticed that the package in sid produces libclamav9 while the
> > 
> > one
> > 
> > > > in jessie provides libclamav7. Do you think this can be an issue?
> > 
> > Yes.  It's guaranteed to be an issue.  We have a stable transition
> > prepared
> > and will do it (once the srm blesses) after the next point release in
> > April.
> > Note that the security team doesn't support clamav.
> > 
> > > > 2) Do you think backporting the package in sid is better than simply
> > > > updating to the latest upstream while keeping most scripts in
> > 
> > oldstable? I
> > 
> > > > had to copy over the split-archive.sh to be able to generate a proper
> > 
> > orig
> > 
> > > > tarball.
> > 
> > No.  Use what's in stable proposed updates.
> > 
> > > > - I personally think the package in sid have a little too much updates
> > 
> > to
> > 
> > > > make that safe, especially since it produces new library packages.
> > 
> > Agreed.  That would definitely be a bad idea.
> > 
> > > > - On the other hand, I had to do some modifications already to make
> > 
> > allow
> > 
> > > > the package to be generated and I have not even started building yet.
> > > > There
> > > > may be many fixes needed to make this package work in oldstable...
> > 
> > I suspect that what's in stable will work in oldstable, but I haven't
> > tried
> > it.  It'll certainly take less work than what's in sid.
> > 
> > > > I guess we cannot generate new library package version, or?
> > 
> > Generally one does not, but for clamav you kind of have to at some point.
> > Note that for libclamav7 -> libclamav9 there are also API changes, so
> > libclamav-dev reverse builld-depends need patching in addition to
> > rebuilding.
> > Once we've done that in stable, it should be easy enough to adapt for
> > oldstable when the time comes.  Don't worry about it now.
> > 
> > Scott K

Re: [Pkg-clamav-devel] LTS update of clamav and call for advice

2019-03-31 Thread Scott Kitterman 
Comments inline.

On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
> Hi
> 
> I missed to include the clamav maintainers. Sorry about that.
> 
> // Ola
> 
> On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist  wrote:
> > Dear maintainers, LTS team and Debian Secutiry team
> > 
> > I have started to look at the clamav package update due to
> > CVE-2019-1787
> > CVE-2019-1788
> > CVE-2019-1789
> > (the other three vulnerabilities are not affecting jessie or stretch as I
> > understand it)

That's correct.

> > I have understood that the clamav package is typically updated to the
> > latest version also in stable and oldstable. However when doing so I
> > encountered quite a few things that I would like to ask your advice on.
> > 
> > First of all to the maintainers. Do you want to handle also LTS
> > (oldstable) and regular security (stable) upload of clamav?

Stable is already done through stable proposed updates (which is the normal 
path for clamav).  We leave the LTS releases to the LTS team.  Base your work 
on what's in stable.

> > Question to maintainers and Security team. Should we synchronize the
> > efforts here and have you already started on the stable update?
> > 
> > If not I have a few questions:
> > 1) Do you know the binary compatibility between libclamav7 and libclamav9?
> >  I have noticed that the package in sid produces libclamav9 while the one
> > in jessie provides libclamav7. Do you think this can be an issue?

Yes.  It's guaranteed to be an issue.  We have a stable transition prepared 
and will do it (once the srm blesses) after the next point release in April.  
Note that the security team doesn't support clamav.

> > 2) Do you think backporting the package in sid is better than simply
> > updating to the latest upstream while keeping most scripts in oldstable? I
> > had to copy over the split-archive.sh to be able to generate a proper orig
> > tarball.

No.  Use what's in stable proposed updates.

> > - I personally think the package in sid have a little too much updates to
> > make that safe, especially since it produces new library packages.

Agreed.  That would definitely be a bad idea.

> > - On the other hand, I had to do some modifications already to make allow
> > the package to be generated and I have not even started building yet.
> > There
> > may be many fixes needed to make this package work in oldstable...

I suspect that what's in stable will work in oldstable, but I haven't tried 
it.  It'll certainly take less work than what's in sid.

> > I guess we cannot generate new library package version, or?

Generally one does not, but for clamav you kind of have to at some point.  
Note that for libclamav7 -> libclamav9 there are also API changes, so 
libclamav-dev reverse builld-depends need patching in addition to rebuilding.  
Once we've done that in stable, it should be easy enough to adapt for 
oldstable when the time comes.  Don't worry about it now.

Scott K

Re: [Pkg-clamav-devel] ClamAV Package on Wheezy

2018-07-21 Thread Scott Kitterman 
No.  I'm not involved in the LTS project any more.  The stretch update has just 
today been uploaded.  I expect someone from the LTS team will handle it shortly.

Scott K

On July 21, 2018 6:48:24 AM UTC, Klaipedaville on Google 
 wrote:
>Hello Scott,
>
>Will you be able to take care of it again, please (as per my previous
>[old] message down-below)? Is Clamav not available in packages any more
>at all? Many thanks!
>
>Regards,
>Dennis
>
>P.S. It looks like this "issue" is 'an every July come back occurrence'
>isn't it? :) 
>
>
>From: Scott Kitterman 
>Sent: Sunday, July 3, 2016 19:29
>To: Sebastian Andrzej Siewior ; Klaipedaville on Google 
>Cc: cla...@packages.debian.org ; debian-lts@lists.debian.org 
>Subject: Re: [Pkg-clamav-devel] ClamAV Package on Wheezy
>
>I'm going to take care of it.
>
>Scott K
>
>On July 3, 2016 9:04:48 AM EDT, Sebastian Andrzej Siewior
> wrote:
>>On 2016-06-30 09:36:18 [+0300], Klaipedaville on Google wrote:
>>> Hello there,
>>Hi,
>>
>>> It’s been almost half a year since I’ve been getting this "Clamav is
>>outdated, don't panic" message in my logs and patiently waiting for
>>updates. I was wondering is it not available / coming any more in
>>packages and we are on our own now to compile it from sources? Could
>>anybody advise, please? Many thanks!
>>
>>Wheezy is now in the hands of the Debian-LTS team. I won't do an
>upload
>>but according to my IRC backlog someone from LTS team is looking into
>>this. I CCed the LTS team to ACK/NACK my statement :)
>>
>>> Regards,
>>> Dennis.
>>
>>Sebastian
>>
>>___
>>Pkg-clamav-devel mailing list
>>pkg-clamav-de...@lists.alioth.debian.org
>>http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

Re: [Pkg-clamav-devel] Wheezy update of clamav?

2018-03-01 Thread Scott Kitterman 
Conveniently, upstream just released 0.99.4 that addresses this and some other 
issues.  I'd suggest you let us get that into stable/oldstable first.

Scott K

On March 1, 2018 10:07:53 PM UTC, Sebastian Andrzej Siewior 
 wrote:
>On 2018-02-28 16:47:47 [-0500], Antoine Beaupre wrote:
>> Dear maintainer(s),
>Hi,
>
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of clamav:
>> 
>> https://security-tracker.debian.org/tracker/CVE-2018-185
>
>interresting. So that one is fixed in the beta but not in the stable
>release including Stretch/Jessie.
>
>> Would you like to take care of this yourself?
>No but thank your for letting us know that this one is still missing. I
>will try to take care of this Stretch/Jessie. Is this the only one
>missing?
>
>Sebastian
>
>___
>Pkg-clamav-devel mailing list
>pkg-clamav-de...@lists.alioth.debian.org
>http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[SECURITY] [DLA 546-2] clamav version update

2016-07-13 Thread Scott Kitterman 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Package: clamav
Version: 0.99.2+dfsg-0+deb7u2

DLA 546-1 was incorrectly released before updated clamav packages were 
available and there were subsequent issues with the acceptance of the package 
(which have since been corrected).  Updates are now available for all 
supported LTS architectures.

We recommend that you upgrade your clamav packages.

Upstream published version 0.99.2.  This update updates wheezy-lts to the 
latest upstream release in line with the approach used for other Debian 
releases.

The changes are not strictly required for operation, but users of the previous 
version in Wheezy may not be able to make use of all current virus signatures 
and might get warnings.

For Debian 7 "Wheezy", this has been addressed in version 
0.99.2+dfsg-0+deb7u2.

Further information about Debian LTS security advisories, how to apply these 
updates to your system and frequently asked questions can be found at: 
https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCAAGBQJXhuHuAAoJEHjX3vua1ZrxF5IQALUqPYJyRZ4S4Jpir3evh9bt
ymQNEijokXkM2L04L3yYwpGwqBYVa/8PZENImvqDv9ZnBj8Rtzs0ko37ax9VS7pv
4f2d6CDNtS7Qnazc0Fab3bVWpNrCnu+MB5Uh8mxmcq8jgOxgfSrocQQpy+y4Zvel
U6ILoDOiszwdQmNn0j9HK73UiHDDdxRODLHDqmNyCjR1O2x4cdus6nwipsnwtJwv
gn0ToWhYh5QZot1w2OA4gDRItpCoFAxqqm/XzAIAz/9lhndQwfh4EXIW0p2dM3rl
90H9kprAMdu/6HNmUDxwS/OaGwN2fn/hoSv3voYZytyaK/7S6Wj9h9WoCjJ+WL9p
K1C4neOu4ZYn/jox83ukvaPOeWTuYnXQnijjgfveWGG2MNuAbwHEC6oG4oz9Yim4
MqPNNvWMq8d47D46NCkf7MYdnulNpDtOXZAtt1U3aQk3ws0/DeaP6qqVx7VAAlhT
9/2dCtzOJBR5JvJcQyewSGlZCytAzKHiUUGVm6CCKRPc7+HAIJo/mr34hwBE72zj
2A6fPLp9X1iTBI2rTgXJiGd8InpP0rVWBK8pAwbM/zqv+mfR+XdfNrdcmPCYo8gq
TBy1I7K47NTljPP0zSBxgGJclQGMMi2f/zuiDMscAzMOjkBtiqfWNw5mbf6dY/+Y
pkrI/DvdSNJSKNWVZRmK
=CuXF
-END PGP SIGNATURE-

Re: [SECURITY] [DLA 546-1] clamav version update

2016-07-10 Thread Scott Kitterman 
On Sunday, July 10, 2016 06:46:52 PM Markus Koschany wrote:
> On 10.07.2016 08:29, Bjoern Nyjorden wrote:
> > Hi there,
> > 
> > Are you able to advise as to when this update will be available?
> > 
> > Looking forward to your feedback.
> 
> Hello Bjoern,
> 
> please ignore the DLA announcement for clamav for now. It was sent too
> early. We are working on uploading the security update as soon possible
> but we will need to ask for a little more of your patience.

I've just now reuploaded clamav.  Let's hope this time works better.

Scott K

signature.asc
Description: This is a digitally signed message part.

Re: [Pkg-clamav-devel] ClamAV Package on Wheezy

2016-07-03 Thread Scott Kitterman 
I'm going to take care of it.

Scott K

On July 3, 2016 9:04:48 AM EDT, Sebastian Andrzej Siewior 
 wrote:
>On 2016-06-30 09:36:18 [+0300], Klaipedaville on Google wrote:
>> Hello there,
>Hi,
>
>> It’s been almost half a year since I’ve been getting this "Clamav is
>outdated, don't panic" message in my logs and patiently waiting for
>updates. I was wondering is it not available / coming any more in
>packages and we are on our own now to compile it from sources? Could
>anybody advise, please? Many thanks!
>
>Wheezy is now in the hands of the Debian-LTS team. I won't do an upload
>but according to my IRC backlog someone from LTS team is looking into
>this. I CCed the LTS team to ACK/NACK my statement :)
>
>> Regards,
>> Dennis.
>
>Sebastian
>
>___
>Pkg-clamav-devel mailing list
>pkg-clamav-de...@lists.alioth.debian.org
>http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

Re: Supporting armel/armhf in wheezy-lts

2016-04-24 Thread Scott Kitterman 
On Monday, April 25, 2016 02:07:01 AM Luca Filipozzi wrote:
> On Sun, Apr 24, 2016 at 09:55:10AM +0200, Raphael Hertzog wrote:
> > Do you have some concrete suggestions?
> 
> Decrease the separation by moving the funds management into Debian proper
> (via a TO like SPI) and move to a bounty model for working on LTS.  Make
> sure we're transparent with our language regarding Debian being produced by
> volunteers (eg: "The Debian Project consists of volunteers, and our
> products are developed entirely by volunteers." on [1]) by commenting on
> how bounties are available (or something).  Consider making LTS management
> a delegated team.
> 
> OR
> 
> Increase the separation by removing the fundraising statements / links from
> the LTS pages previously mentioned, making Freexian just another
> consultancy listed on the consultancy pages.
> 
> None of this is meant to diminish or tarnish the very significant
> contribution that you or Freexian are making, which are both extensive and
> impressive.  I'm seeking greater definition of the role and the language
> used.
> 
> [1]: https://www.debian.org/devel/join/

Any suggestions on how to get that done in the next two days before wheezy-lts 
starts?  It might be a bit more practical to defer the idea of completely 
changing the LTS program to a moment when there's a bit more time (maybe 
Debconf).

So far, I don't think anyone has specifically objected to the addition of 
armel/armhf.

Scott K


signature.asc
Description: This is a digitally signed message part.

Re: Non-security uploads for wheezy-lts

2016-03-02 Thread Scott Kitterman 
On Wednesday, March 02, 2016 02:09:28 PM Markus Koschany wrote:
> Am 01.03.2016 um 15:45 schrieb Scott Kitterman:
> > I understand that the plan is not to create a separate package suite for
> > Wheezy as was done for Squeeze and to upload to wheezy-security instead.
> > How
> > are uploads that aren't strictly security uploads going to be handled?
> > 
> > Specifically, I'm wondering what to do about clamav since we've been
> > uploading
> > new version as stable updates, not via -security.
> 
> I think we should use wheezy-security for everything LTS related be it
> security or non-security updates. Otherwise we would need to create a
> special suite for such updates and this would be rather confusing for
> LTS users.

I think that makes sense, but we need to make it clear to users then that what 
wheezy-security is for will change slightly when it transitions to LTS.  
Whatever we do, I'd like it decided before we start.

Scott K

signature.asc
Description: This is a digitally signed message part.

[SECURITY] [DLA 440-1] dansguardian package update

2016-02-28 Thread Scott Kitterman 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Package: dansguardian
Version: 2.10.1.1-3+deb6u1
Debian Bug : 813894

As described in DLA-437-1, clamav has been updated to the most recent upstream
version, 0.99.  Due to a soname change in libclamav, packages depending on
libclamav needed to be recompiled to work with the new libclamav7.  At the 
time DLA-437-1 was sent, updated dansguardian packages were not available.
 
An update to dansguardian has now been uploaded and packages should be
available shortly.  The recommendation in DLA-437-1 not to upgrade clamav if
using it with dansguardian in no longer applicable.
 
Upgrading clamav and dansguardian is recommended for the reasons described in
DLA-437-1.
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCAAGBQJW02jJAAoJEHjX3vua1ZrxP5oQAKOU2p+auYaEEuV/62yHn9BR
t7P8S/EaCH406P2qVxuRl06wLRnoHH6ySVUBeXQdSVLUrwQDatvaTis9UeSi/0IV
GlAO96yJIVDW74XnBMZIxjXDeLik9kPf9l4c64UCv8LMQWcCBUENhB3fx3RUM24Q
gU9pJC5gt5I7mRRp7pSvFUX2Jbjut4hpD1iqKhWeC0xKv9erZTg9MGYpdiyShXT0
YgyZBrte3vP8LtTTqMQss1J2xnQl/ksIT3IsW+Bw+UmKJW56vZ9hOPLAdKo0ktL1
52AQ2F6EIl16AWinBWa1LKF6nGjBP3cqDgnjh9vhfdqcZcgXBeuCIrJ6ExB/aG33
FrSfZGD4ttbpJh+tabeg0fBkn6rfmWJTVPzFiYhH86WkziFUsQgYCK4YW4fPv/rh
e/YLue/PBX4igxbNhgGPQrDcgu+cXZGrn4p9kXHU248TscOLDLs8rCLj4najUb5D
R74vcKlwEneeVEcUZ0mp/MJahwsDYE5Z8ws9oMjH9AeF7J+Zw7L64pjYR2uCxlZH
++qgn3ebKPW3eIvZqQpnLymXmKvvqa+Ku3LhNJ+4f7yzzg6Sp137A1/M/xAxcGB5
E5UKU9WuWeMnEh2uVIbtY3DFK8uu/EVG/emVGZPmmBwUUGTOcbqwlLFLjz8YSC/4
gbrfoUw/+1ZvsGjCQqeD
=gF3f
-END PGP SIGNATURE-

Re: Further Review Of MySQL 5.5 Packages [1]

2015-12-10 Thread Scott Kitterman 


On December 10, 2015 3:27:14 AM EST, "Santiago Ruano Rincón" 
<santiag...@riseup.net> wrote:
>El 09/12/15 a las 19:18, Scott Kitterman escribió:
>> On December 9, 2015 2:51:47 PM EST, Raphael Hertzog
><hert...@debian.org> wrote:
>...
>> >What's wrong with "apt-get install mysql-server-5.5" ?
>> >
>> >Those intermediary packages will be manually installed and might
>cause
>> >troubles in future upgrades... even if the description invites users
>to
>> >uninstall them. I would prefer if the instructions we gave invited
>> >users
>> >to install just the packages that they need.
>> >
>> >We really mostly care about vulnerabilities in the server and as
>such
>> >we must recommend users to upgrade the server, if they keep using
>the
>> >old client it's not a big deal IMO.
>> 
>> Running a local server and client and they are different versions
>doesn't cause
>> a problem? If not, then I agree about not including the upgrade
>package and
>> giving instructions in the DLA.
>> 
>> Scott K
>
>I'm not sure understanding the question.  If you mean running both
>client and server on the same machine, the answer is you cannot use
>packages from different versions.

That is what meant.

>My comment was about users that have mysql-client and -server running
>on
>different machines.
>
>Anyway, if these transition packages might give more trouble, I'd
>prefer
>to remove them too. The simpler, the better.

I'm not sure the best thing, but at least make clear in the DLA that if one 
upgrades client/server then the other must be upgraded too for that machine.

Scott K

Re: Further Review Of MySQL 5.5 Packages [1]

2015-12-09 Thread Scott Kitterman 


On December 9, 2015 3:09:23 AM EST, Raphael Hertzog <hert...@debian.org> wrote:
>On Tue, 08 Dec 2015, Scott Kitterman wrote:
>> On December 8, 2015 5:25:05 PM EST, "Santiago Ruano Rincón"
><santiag...@riseup.net> wrote:
>> >Is anyone against uploading the current mysql-5.5 packages (version
>> >5.5.46-0+deb6u1~5)?
>
>I don't have any objection. I would just like to review the draft of
>the
>DLA that you want to send to make sure it has a good wording...
>
>> Where do we stand on rdepends updates?
>
>We dealt with all the issues identified with dbconfig packages failing
>to
>install due to various SQL errors.
>
>See https://titanpad.com/cRc6eiCH5t
>
>Was your question about something else?

That's most of it.  Did we decide to leave the libmysqlclient rdepends alone?

Scott K

Re: Further Review Of MySQL 5.5 Packages [1]

2015-12-09 Thread Scott Kitterman 
On December 9, 2015 2:51:47 PM EST, Raphael Hertzog  wrote:
>On Wed, 09 Dec 2015, Santiago Ruano Rincón wrote:
>> https://titanpad.com/zPncgYnP05
>
>I made a few changes.
>
>> This DLA includes information about the already uploaded packages to
>> solve incompatibility issues.
>> 
>> I've realised that the -upgrade package would install the
>mysql-server,
>> even if the user only needs the client. I have created an additional
>> package, currently being built.
>
>I saw the suggestion of Scott but I'm really not convinced it's a good
>idea
>to introduce those upgrade helper packages...
>
>What's wrong with "apt-get install mysql-server-5.5" ?
>
>Those intermediary packages will be manually installed and might cause
>troubles in future upgrades... even if the description invites users to
>uninstall them. I would prefer if the instructions we gave invited
>users
>to install just the packages that they need.
>
>We really mostly care about vulnerabilities in the server and as such
>we must recommend users to upgrade the server, if they keep using the
>old client it's not a big deal IMO.

Running a local server and client and they are different versions doesn't cause 
a problem?  If not, then I agree about not including the upgrade package and 
giving instructions in the DLA.

Scott K

Re: Re: squeeze update of srtp?

2015-12-01 Thread Scott Kitterman 


On December 1, 2015 9:18:52 AM EST, Ben Hutchings <b...@decadent.org.uk> wrote:
>On Tue, 2015-12-01 at 08:39 -0500, Scott Kitterman wrote:
>> I checked this yesterday and the offending code isn't present in the
>1.4 
>> versions of srtp.
>
>Only because the range checks that have just been fixed in the upstream
>patches aren't present at all in 1.4!
>
>These sites do need to be fixed:
>https://sources.debian.net/src/srtp/1.4.4~dfsg-6%2Bdeb6u1/srtp/srtp.c/#L673
>https://sources.debian.net/src/srtp/1.4.4~dfsg-6%2Bdeb6u1/srtp/srtp.c/#L939

Okay. I'll have another look at it later in the week.  Feel free to grab it if 
you have time first.  If that's the case, then wheezy/jessie need fixing too.

Scott K

Re: Re: squeeze update of srtp?

2015-12-01 Thread Scott Kitterman 
I checked this yesterday and the offending code isn't present in the 1.4 
versions of srtp.

Scott K

Accepted libphp-snoopy 2.0.0-1~deb6u1 (source all) into squeeze-lts

2015-11-30 Thread Scott Kitterman 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Mon, 30 Nov 2015 13:08:05 -0500
Source: libphp-snoopy
Binary: libphp-snoopy
Architecture: source all
Version: 2.0.0-1~deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Marcelo Jorge Vieira <me...@debian.org>
Changed-By: Scott Kitterman <sc...@kitterman.com>
Description: 
 libphp-snoopy - Snoopy is a PHP class that simulates a web browser
Closes: 778634
Changes: 
 libphp-snoopy (2.0.0-1~deb6u1) squeeze-lts; urgency=high
 .
   * Upload to squeeze-lts
 .
 libphp-snoopy (2.0.0-1) unstable; urgency=high
 .
   * New upstream release:
 + Fixes: CVE-2008-7313 and CVE-2014-5008 (Closes: #778634)
 + Remove curl dependency
   * Control:
 + Remove trailing spaces
 + Use canonical Vcs-fields
 + Updated Standards-Version to 3.9.6 (no changes)
   * Switch to dpkg-source 3.0 (quilt) format
Checksums-Sha1: 
 5fd5042be968cac657fe9fe814733f119d85ad10 1850 libphp-snoopy_2.0.0-1~deb6u1.dsc
 d5120fed4112248e2af9f387f1119b22b2dbd42f 2464 
libphp-snoopy_2.0.0-1~deb6u1.debian.tar.gz
 259b34707e14f63b8da6c4d63f3a12bfd31e8a9b 17510 
libphp-snoopy_2.0.0-1~deb6u1_all.deb
Checksums-Sha256: 
 97789bee3098c29851afd42ec4a607e75f7b93c2b0f2b2498c42aea5a7a231fe 1850 
libphp-snoopy_2.0.0-1~deb6u1.dsc
 567068287dfed49f30c007c92a7d03607af89e4b79963feb3673b3abb3f7a649 2464 
libphp-snoopy_2.0.0-1~deb6u1.debian.tar.gz
 c8bba4772663becf5166e9a6890323676ca6a805c42a3aaf1327aa7ebaecda5a 17510 
libphp-snoopy_2.0.0-1~deb6u1_all.deb
Files: 
 582838e55f05e19cf30a246adae27471 1850 php optional 
libphp-snoopy_2.0.0-1~deb6u1.dsc
 d4e07791612b465ab23b71e8de6ca1e1 2464 php optional 
libphp-snoopy_2.0.0-1~deb6u1.debian.tar.gz
 a8e3cb71076cccfc7820923f94e34900 17510 php optional 
libphp-snoopy_2.0.0-1~deb6u1_all.deb

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQIcBAEBCAAGBQJWXL1BAAoJEHjX3vua1Zrxu4IQAMKHmRnkV98+TaFY3YXbuubc
3Tg6yvqqlTHN2wLZxgJni2ct0XFr6aNL1k0HYOsYRawYStdYWW5WC4ENWqYqVFBR
BOB28JKqPv7kPMM03sIicL8tYtL/P2fONJoPTowczVhoOPH2O1BCYH5Sdd5z3syS
vacp/4vg9HIYzQJLF71AxwbJbr7b+9a7V/x9PgIHyUbK3aa0Cp3JeiBhRB59sDRx
uvJIaowKba01gdMZfQ9YxbEM9yKbtFMEUe1VaB5TJDn6o2x77Hb4BYRHsGtcHvNF
OuTEYIePAyJKw+SIxGg985Y1wyomlGRrgHKWDTBcie+ULePUz3WdEQ3wTIHchfGL
9clTD1uh8m5D05hOxHcIgNI/kB/5mzUyb7jT8Y6t22ccB36UrakDgPVFsyBKa969
L1++Bh3LXUenU/YYuje9WK46gn1Jrt61gImkBmCWJbW8cRXRm0mVBVpdYvwaBHB/
E6k0ljIdEchBfLukqxzLthbRJAiuS2qUpz6E6rxNkYdmAnKr5REzEU9yLINz2j+l
nLFdOZkDQZ4mV6Po6P6e9PEowovMdTWqn/BnPA7xuGA7FbZSnfuSsGWFSrJxNvCL
m15xvNVdRTV0ndzhdFuHi1VKRB5uAf1pRQLFtULjhT2m0GDiL/cgc+WzH0edSiRd
TaofHE3VhBIPBVBTTvJZ
=wg5w
-END PGP SIGNATURE-

[SECURITY] [DLA 357-1] libphp-snoopy security update

2015-11-30 Thread Scott Kitterman 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Package: libphp-snoopy
Version: 2.0.0-1~deb6u1
CVE ID : CVE-2008-7313 CVE-2014-5008
Debian Bug : 778634

It was discovered that missing input sanitizing in Snoopy, a PHP class that
simulates a web browser may result in the execution of arbitrary
commands.

For the oldoldstable distribution (squeeze-lts), this problem has been fixed
in version 2.0.0-1~deb6u1.

We recommend that you upgrade your libphp-snoopy packages.
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCAAGBQJWXNElAAoJEHjX3vua1Zrx73QP/0fH7gd2IaswruxK8Wu4EUS+
WryCf4EAnuMLa72GLlJRxBxdRsFODe8dXM74kO/BUKOcRPHVmow4ALUlyStZVGc3
iPZ3ow7klMiSt9CDBrbIXdORqnIC6NZT1MjV9WLUASENlJUWVW1MfZL1gqVq+FCn
XeZXh1+zDlUw55iBTp/QOiZ8vEgylzpb92JFdCuzAdS9zrvaPs0Cm2Va1jSRzSLx
2yYdd655rnCxOf5mDyrVMj4ncgaK5u1bpsV2benQokSxmrwjnoDrLD01GHXZIQL5
FPG8HpS09UeAGoMQ1SCiRweLNtir6MRYEixaEZCqzHPfcSl5bQ7fpNe3wHgZjV88
ACjAn4sM5qmmK3Cej7NWCcwaSKy4gyRjPkUsFZ7UBZXURzMmRRqhoFXHO1l9k4Yj
/o/DGiYEyclJQ6sGau/pR7DTTZfwEOZfUmLMU/q63DWV9ND88M7QVqjg8wofgoCP
trtiLWTmcKMsksOKfBuTxoQQ7rlWkoR3gWpiszgY/wZObh4aEGjfVW6Lm495bwU+
jwvfDkngFGKLgpU2JgugNhYiUEDJlHAXFgKQL0kyT1lsM2tHZfMpx3l+YPyLNdO8
ulg4eHpGcL77/J70aLcIn4lZT4ECjJ5+5SU6qsaR+7nYbXomjqURLRHzEpDNjcFH
gXdGWD7S008D9KGr3+ML
=Iavp
-END PGP SIGNATURE-

Accepted screen 4.0.3-14+deb6u1 (source amd64) into squeeze-lts

2015-09-05 Thread Scott Kitterman 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sat, 05 Sep 2015 16:48:47 -0400
Source: screen
Binary: screen
Architecture: source amd64
Version: 4.0.3-14+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Jan Christoph Nordholz <he...@pool.math.tu-berlin.de>
Changed-By: Scott Kitterman <sc...@kitterman.com>
Description: 
 screen - terminal multiplexor with VT100/ANSI terminal emulation
Closes: 797624
Changes: 
 screen (4.0.3-14+deb6u1) squeeze-lts; urgency=high
 .
   * Fix stack overflow due to too deep recursion (CVE-2015-6806). (Closes:
 #797624)
 - Add debian/patches/61denial-of-service-stack-overflow-fix.dpatch to
   apply upstream fix
Checksums-Sha1: 
 e2ef5848e64ff592fa4daadd75485b10feced7e7 1753 screen_4.0.3-14+deb6u1.dsc
 62d975a57ce10b8a4d52bdc9319662fd23d2272f 157158 screen_4.0.3-14+deb6u1.diff.gz
 3ce89802fa2d9debe8039ac3bbce04da21f9b03d 631524 
screen_4.0.3-14+deb6u1_amd64.deb
Checksums-Sha256: 
 fd199e8cc149252c3e8a418af51af7f1d8850482109b01686e62f7e6e919f500 1753 
screen_4.0.3-14+deb6u1.dsc
 742bf8cfdd5bb7aad4ed76072caf8f0c071b8766e41e721a63bd6327c38171ae 157158 
screen_4.0.3-14+deb6u1.diff.gz
 a14c77e3ba3a80a9db55f1e3e1d12f2eb12b7b856bb374daf86e783a472be14a 631524 
screen_4.0.3-14+deb6u1_amd64.deb
Files: 
 4302d2dfe64540689f012b1c044ea20b 1753 misc optional screen_4.0.3-14+deb6u1.dsc
 d6cde2c2ea4a695ac085ecdde4e77c13 157158 misc optional 
screen_4.0.3-14+deb6u1.diff.gz
 78a154f1ef06fd396e97d56a08c7aba0 631524 misc optional 
screen_4.0.3-14+deb6u1_amd64.deb

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQIcBAEBCAAGBQJV617+AAoJEHjX3vua1Zrxhz8P/356R+j6t5k2Au0z0pdaw5fx
iqGAUw0cEpIQOpQ9QqqSd557aaBprthXljEoWmootnpGqx+ym1hNlO1Gplagv9XH
G5wqXUxgyDNlgkM+CAYWnF+IMiKPS/vA9Itak3Q9NejqO4qDxkMaQmSi3EwGFw0A
NdlG8bEYUCs8xMqt2j4W5bBxxE29ohC3VB0CMrdHKAQfMBoiTi19GUWCqOg1yIHT
t5+ANy70PiZpCpgw9yFblmc32SDnzB9KKJaoEQsSIq/V2e4w0KJb6R0dMqcZfbzs
GJZdKyZN8YT7og+I5f8qU9D09v4XlGUtJ9uyCkQ23/SqEAsIybkExhwVVsHCwSd3
Pua2lOHGz4/ZQwFnrNCqatlUW/TJ7ZmgMHuW+6weoIW+ZXY+ctTzTAznRJiwaEWg
HGewn2EynN2pP8CsYHIsY21B53KcP9OTOpm5sUUIZuB0vXsh+YX54bdQQ+BKqLcP
STy5kBE8xMw/WqSi8AORRp8GRGUGyKkRw5udpaX/6N+7uj5txBjuIvbHWmRH+wyw
IaUvjkS7H8wvMxKdoK8I0R8GGbMfj9ziPwxvN9zvH3BEeMlD6COM3ZCTNV/eveJM
cAG/WC1xm0IXrc9h0gt7vJuxOdTop2R81mKus9Hd3fQHdQtELKeiemzak3Yohcn7
XK33pjOJPnD28rxKIOkG
=ftJt
-END PGP SIGNATURE-

[SECURITY] [DLA 233-1] clamav security and upstream version update

2015-05-28 Thread Scott Kitterman 
Package: clamav
Version: 0.98.7+dfsg-0+deb6u1
CVE ID : CVE-2014-9328 CVE-2015-1461 CVE-2015-1462 CVE-2015-1463
 CVE-2015-2170 CVE-2015-2221 CVE-2015- CVE-2015-2668

Upstream published version 0.98.7.  This update updates sqeeze-lts to the
latest upstream release in line with the approach used for other Debian
releases.

The changes are not strictly required for operation, but users of the previous
version in Squeeze may not be able to make use of all current virus signatures
and might get warnings.

The bug fixes that are part of this release include security fixes related
to packed or crypted files (CVE-2014-9328, CVE-2015-1461, CVE-2015-1462,
CVE-2015-1463, CVE-2015-2170, CVE-2015-2221, CVE-2015-, and CVE-2015-2668)
and several fixes to the embedded libmspack library, including a potential
infinite loop in the Quantum decoder (CVE-2014-9556).

If you use clamav, we strongly recommend that you upgrade to this version.


signature.asc
Description: This is a digitally signed message part.

Accepted jruby 1.5.1-1+deb6u1 (source all) into squeeze-lts

2015-04-28 Thread Scott Kitterman 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Mon, 27 Apr 2015 16:41:00 -0400
Source: jruby
Binary: jruby
Architecture: source all
Version: 1.5.1-1+deb6u1
Distribution: squeeze-lts
Urgency: medium
Maintainer: Debian Java Maintainers 
pkg-java-maintain...@lists.alioth.debian.org
Changed-By: Scott Kitterman freex...@kitterman.com
Description: 
 jruby  - 100% pure-Java implementation of Ruby
Changes: 
 jruby (1.5.1-1+deb6u1) squeeze-lts; urgency=medium
 .
   * Add debian/patches 0008-CVE-2011-4838.patch and 0009-CVE-2012-5370.patch
 to resolve the respective CVEs
 - Patches from jessie and adjusted for the squeeze-lts jruby version
   * Add missing build-depends on default-jre-headless so the package
 will build in a clean environment
Checksums-Sha1: 
 4e1bcbeab08787b014cb37422055e61053d5c2cb 2114 jruby_1.5.1-1+deb6u1.dsc
 ddc6b48e200f1eb64bffa5e092e75b527d76f3a0 25159 
jruby_1.5.1-1+deb6u1.debian.tar.gz
 8330ec0cbd2eab0efaec786833f09759ce435f3b 11285368 jruby_1.5.1-1+deb6u1_all.deb
Checksums-Sha256: 
 4bc70be1d9dbe3fbfe5e86e0893133136348a77e44ac278cb4c5f6f615921974 2114 
jruby_1.5.1-1+deb6u1.dsc
 2aa5092ad25fb227a010d6308438bb5f36f8c3dbb33eee8358317bcec488f6dc 25159 
jruby_1.5.1-1+deb6u1.debian.tar.gz
 bcefee5da734fa8964d52243053012ff61107c56928b0aae91159ba1ba7662d7 11285368 
jruby_1.5.1-1+deb6u1_all.deb
Files: 
 5644465f0b9f520d471aef0f7cc94b97 2114 non-free/ruby optional 
jruby_1.5.1-1+deb6u1.dsc
 a4ff42e7409c20d1b7a13d630b1f 25159 non-free/ruby optional 
jruby_1.5.1-1+deb6u1.debian.tar.gz
 2d11f255881aed086d189e2d04f65f49 11285368 non-free/ruby optional 
jruby_1.5.1-1+deb6u1_all.deb

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQIcBAEBCAAGBQJVQCuxAAoJEHjX3vua1ZrxE48P/jTPPPYyIiGmURNQYtmAUJY4
TTVZZavHRkv8J3Wm6d6N+ODrOwfLFPoqS6TOc5Kgsncmr/ZeZWS17jpHSPdKB/Qb
GHEKVqWiesHHsEuC5j3uGHkLZAOMUHC7RuWhz+hYgHBAh112ZJ+544OX6b33dRRr
q5M+mBTY2HjsypKRURBPqLUYe8QWJUhYIauCHgjN77xOTQIxW0dWSbCbTLbDcYC+
58eihWxE6fn1SRp+7DJV+yXyhO1gemELVjGehwLqHYGCRZshVDTd6FuutVxdJmfp
SOlr+qXX4LCGInHIIFjch3Qp4MWHpmJ3H/DCdpY9zklsZj7h5eknlRPUcPkYeYd8
mfHiS92/A1c8P/sg20LT1Jdwznvj7asrzotA53fFCWL28eahgE/XUiDC7KFHp1oS
cS44IbZkV5V566fBE+z8G6wn8CBp5sFyDGl8VOLT72GWsSMYOK4a8if4gF5l7hCT
dLuE4T911Qxe+yrSw/WGRHLn6bfj/1DyWd+O0dfzWdNtcrl/4Mhafn/aEAlFOuRc
YayqO/zRrCps3mz+aixuBLLPfltImE/uPmegW5z9YfuayXkq9uGgZZplb2bpC86N
sO9kkYY/yogTSuj80SRbHG0mBUHhCu27RI7ZCnIaUJoaG9VgcPKSMkd8Wmq/LMFZ
a28c4zknSZnu3wg0gYjd
=k7SB
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to debian-lts-changes-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/e1ynjyj-0008nj...@franck.debian.org