Re: Test request Re: [Pkg-clamav-devel] LTS update of clamav and call for advice
Dropped the security team from the cc.

Install clamav-daemon and clamav-testfiles and then use clamdscan to scan them:

$ clamdscan /usr/share/clamav-testfiles/clam*

The unrar test files will come up as not infected unless you also install libclamunrar7 from non-free. That's normal.

Scott K

On Monday, April 15, 2019 11:25:39 PM Ola Lundqvist wrote:
> Hi
>
> Great
>
> Updated packages are now available on
> https://apt.inguza.net/jessie-security/clamav
>
> Testing is much appreciated since I have limited experience of clamav myself.
>
> I can test that the package installs properly but I'm not sure I can regression test it properly myself.
>
> Anyone who knows how to regression test it properly?
>
> Best regards
>
> // Ola
>
> On Mon, 15 Apr 2019 at 23:16, Scott Kitterman wrote:
> > That sounds like the right approach.
> >
> > Scott K
> >
> > On Monday, April 15, 2019 10:36:31 PM Ola Lundqvist wrote:
> > > Hi again
> > >
> > > I have now compared the 0.100.2 version in stretch to the version 0.100.3 in stretch updates.
> > > I can then see that most of the changes that I'm worried about are not included.
> > >
> > > This means that I will take the .orig file and include a sub-set of the updates.
> > > The remaining updates will be:
> > > - Symbol updates (unavoidable I think).
> > > - Copyright update (not sure if it is necessary but I'll include it anyway)
> > >
> > > The rest will not be updated.
> > >
> > > Best regards
> > >
> > > // Ola
> > >
> > > On Mon, 15 Apr 2019 at 20:00, Ola Lundqvist wrote:
> > > > Hi Scott
> > > >
> > > > I have now walked through the difference in the debian directories between the version in jessie and stretch updates.
> > > > I think there is more work than just a simple changelog update.
> > > >
> > > > 1) The changelog file contains a lot of changes. I wonder how we generally should handle it. If I backport a package from current stable should I keep that changelog and just add one entry or should I pretend that the jessie version still applies and add one entry from that one... Not sure myself.
> > > > 2) /lib/systemd/system/clamav-daemon.socket is no longer installed and a patch introduced to not depend on it
> > > > 3) Config file moved from /etc/systemd/system/clamav-daemon.socket.d/extend.conf to /etc/systemd/system/clamav-daemon.service.d/extend.conf
> > > > 4) Changes in postinst. Not sure if it is backwards compatible or not yet. Preliminary not.
> > > > 5) Debhelper compat updated. Should be ok.
> > > > 6) Build dependency changes.
> > > > 7) clamav-dbg package no longer provided
> > > > 8) so files moved from /usr/lib/libclamav.so to /usr/lib/xxx/libclamav.so and pkgconfig moved accordingly.
> > > > 9) Support for llvm introduced. Should probably be ok.
> > > > 10) A LOT of symbols changed. They are declared private so it should be ok. But you never know.
> > > >
> > > > It would be helpful if you can help me judge if any of the above means backwards incompatibility.
> > > >
> > > > I'm most worried about the following:
> > > > - Socket change
> > > > - Config file change
> > > > - Postinst change
> > > > - clamav-dbg
> > > > - Symbol changes
> > > >
> > > > Thank you in advance
> > > >
> > > > // Ola
> > > >
> > > > On Mon, 1 Apr 2019 at 15:13, Scott Kitterman wrote:
> > > >> I believe you've misunderstood.
> > > >>
> > > >> The version in stable is 0.100.3 and does not have a soname bump (nor does it need one). You should be able to update the LTS with that package with little more (maybe no more) than an updated changelog.
> > > >>
> > > >> Scott K
> > > >>
> > >
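As an added example that is not part of the thread, here is a small POSIX shell check that turns the clamdscan regression test described above into a pass/fail result by parsing clamdscan's per-file output lines. The sample output is constructed (the file names follow the clamav-testfiles layout, and the .rar files are shown as OK because libclamunrar7 from non-free is absent), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): turn the clamdscan regression check into
# a pass/fail result by parsing the per-file lines clamdscan prints.
# The function names and the sample output below are my own constructions.

# Constructed sample of clamdscan output over /usr/share/clamav-testfiles,
# modelled on the format "path: SIGNATURE FOUND" / "path: OK". The .rar files
# report OK because libclamunrar7 (non-free) is not installed on this host.
SAMPLE_OUTPUT='/usr/share/clamav-testfiles/clam.exe: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.zip: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam-v2.rar: OK
/usr/share/clamav-testfiles/clam-v3.rar: OK
/usr/share/clamav-testfiles/clam.cab: ClamAV-Test-File FOUND

----------- SCAN SUMMARY -----------
Infected files: 3'

# Print the files clamdscan reported as OK, ignoring the unrar samples,
# which are expected to be OK without libclamunrar7. Empty output = nothing missed.
missed_files() {
    printf '%s\n' "$1" | grep ': OK$' | grep -v '\.rar: OK$' | sed 's/: OK$//'
}

# Number of files reported as FOUND (prints 0 rather than failing when none match).
found_count() {
    printf '%s\n' "$1" | grep -c ' FOUND$' || true
}

# The regression passes when no non-unrar test file was missed and at least
# one file was detected (an empty or garbled scan must not count as a pass).
regression_ok() {
    [ -z "$(missed_files "$1")" ] && [ "$(found_count "$1")" -gt 0 ]
}

# Run clamdscan on the real test files when it is installed; otherwise fall
# back to the constructed sample so the script still runs offline.
scan_testfiles() {
    if command -v clamdscan >/dev/null 2>&1; then
        # clamdscan exits non-zero when it finds infected files; that is expected here.
        clamdscan /usr/share/clamav-testfiles/clam* 2>&1 || true
    else
        printf '%s\n' "$SAMPLE_OUTPUT"
    fi
}

OUTPUT=$(scan_testfiles)
if regression_ok "$OUTPUT"; then
    echo "PASS: $(found_count "$OUTPUT") test files detected, none missed"
else
    echo "FAIL: undetected test files:"
    missed_files "$OUTPUT"
fi
```

On a host with clamav-daemon and clamav-testfiles installed the script scans the real test files; anywhere else it evaluates the constructed sample, so the parsing logic itself can be checked before the package is deployed. An empty scan result is deliberately treated as a failure, so a clamd that is not running does not look like a clean pass.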
Re: [Pkg-clamav-devel] LTS update of clamav and call for advice
That sounds like the right approach.

Scott K

On Monday, April 15, 2019 10:36:31 PM Ola Lundqvist wrote:
> Hi again
>
> I have now compared the 0.100.2 version in stretch to the version 0.100.3 in stretch updates.
> I can then see that most of the changes that I'm worried about are not included.
>
> This means that I will take the .orig file and include a sub-set of the updates.
> The remaining updates will be:
> - Symbol updates (unavoidable I think).
> - Copyright update (not sure if it is necessary but I'll include it anyway)
>
> The rest will not be updated.
>
> Best regards
>
> // Ola
>
> On Mon, 15 Apr 2019 at 20:00, Ola Lundqvist wrote:
> > Hi Scott
> >
> > I have now walked through the difference in the debian directories between the version in jessie and stretch updates.
> > I think there is more work than just a simple changelog update.
> >
> > 1) The changelog file contains a lot of changes. I wonder how we generally should handle it. If I backport a package from current stable should I keep that changelog and just add one entry or should I pretend that the jessie version still applies and add one entry from that one... Not sure myself.
> > 2) /lib/systemd/system/clamav-daemon.socket is no longer installed and a patch introduced to not depend on it
> > 3) Config file moved from /etc/systemd/system/clamav-daemon.socket.d/extend.conf to /etc/systemd/system/clamav-daemon.service.d/extend.conf
> > 4) Changes in postinst. Not sure if it is backwards compatible or not yet. Preliminary not.
> > 5) Debhelper compat updated. Should be ok.
> > 6) Build dependency changes.
> > 7) clamav-dbg package no longer provided
> > 8) so files moved from /usr/lib/libclamav.so to /usr/lib/xxx/libclamav.so and pkgconfig moved accordingly.
> > 9) Support for llvm introduced. Should probably be ok.
> > 10) A LOT of symbols changed. They are declared private so it should be ok. But you never know.
> >
> > It would be helpful if you can help me judge if any of the above means backwards incompatibility.
> >
> > I'm most worried about the following:
> > - Socket change
> > - Config file change
> > - Postinst change
> > - clamav-dbg
> > - Symbol changes
> >
> > Thank you in advance
> >
> > // Ola
> >
> > On Mon, 1 Apr 2019 at 15:13, Scott Kitterman wrote:
> >> I believe you've misunderstood.
> >>
> >> The version in stable is 0.100.3 and does not have a soname bump (nor does it need one). You should be able to update the LTS with that package with little more (maybe no more) than an updated changelog.
> >>
> >> Scott K
> >>
> >> On Monday, April 01, 2019 02:46:34 PM Ola Lundqvist wrote:
> >> > Hi Scott and LTS team
> >> >
> >> > Thank you. I'll see if I can backport the required fixes. That may solve the library issue.
> >> >
> >> > Alternatively we state that clamav is not supported. Maybe someone in the LTS team can advise on that.
> >> >
> >> > Best regards
> >> >
> >> > // Ola
> >> >
> >> > On Sun, 31 Mar 2019 at 22:35, Scott Kitterman wrote:
> >> > > Comments inline.
> >> > >
> >> > > On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
> >> > > > Hi
> >> > > >
> >> > > > I missed to include the clamav maintainers. Sorry about that.
> >> > > >
> >> > > > // Ola
> >> > > >
> >> > > > On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist wrote:
> >> > > > > Dear maintainers, LTS team and Debian Security team
> >> > > > >
> >> > > > > I have started to look at the clamav package update due to
> >> > > > > CVE-2019-1787
> >> > > > > CVE-2019-1788
> >> > > > > CVE-2019-1789
> >> > > > > (the other three vulnerabilities are not affecting jessie or stretch as I understand it)
> >> > >
> >> > > That's correct.
> >> > >
> >> > > > > I have understood that the clamav package is typically
Re: [Pkg-clamav-devel] LTS update of clamav and call for advice
I believe you've misunderstood.

The version in stable is 0.100.3 and does not have a soname bump (nor does it need one). You should be able to update the LTS with that package with little more (maybe no more) than an updated changelog.

Scott K

On Monday, April 01, 2019 02:46:34 PM Ola Lundqvist wrote:
> Hi Scott and LTS team
>
> Thank you. I'll see if I can backport the required fixes. That may solve the library issue.
>
> Alternatively we state that clamav is not supported. Maybe someone in the LTS team can advise on that.
>
> Best regards
>
> // Ola
>
> On Sun, 31 Mar 2019 at 22:35, Scott Kitterman wrote:
> > Comments inline.
> >
> > On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
> > > Hi
> > >
> > > I missed to include the clamav maintainers. Sorry about that.
> > >
> > > // Ola
> > >
> > > On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist wrote:
> > > > Dear maintainers, LTS team and Debian Security team
> > > >
> > > > I have started to look at the clamav package update due to
> > > > CVE-2019-1787
> > > > CVE-2019-1788
> > > > CVE-2019-1789
> > > > (the other three vulnerabilities are not affecting jessie or stretch as I understand it)
> >
> > That's correct.
> >
> > > > I have understood that the clamav package is typically updated to the latest version also in stable and oldstable. However when doing so I encountered quite a few things that I would like to ask your advice on.
> > > >
> > > > First of all to the maintainers. Do you want to handle also LTS (oldstable) and regular security (stable) upload of clamav?
> >
> > Stable is already done through stable proposed updates (which is the normal path for clamav). We leave the LTS releases to the LTS team. Base your work on what's in stable.
> >
> > > > Question to maintainers and Security team. Should we synchronize the efforts here and have you already started on the stable update?
> > > >
> > > > If not I have a few questions:
> > > > 1) Do you know the binary compatibility between libclamav7 and libclamav9?
> > > > I have noticed that the package in sid produces libclamav9 while the one in jessie provides libclamav7. Do you think this can be an issue?
> >
> > Yes. It's guaranteed to be an issue. We have a stable transition prepared and will do it (once the srm blesses) after the next point release in April. Note that the security team doesn't support clamav.
> >
> > > > 2) Do you think backporting the package in sid is better than simply updating to the latest upstream while keeping most scripts in oldstable? I had to copy over the split-archive.sh to be able to generate a proper orig tarball.
> >
> > No. Use what's in stable proposed updates.
> >
> > > > - I personally think the package in sid has a little too many updates to make that safe, especially since it produces new library packages.
> >
> > Agreed. That would definitely be a bad idea.
> >
> > > > - On the other hand, I had to do some modifications already to allow the package to be generated and I have not even started building yet. There may be many fixes needed to make this package work in oldstable...
> >
> > I suspect that what's in stable will work in oldstable, but I haven't tried it. It'll certainly take less work than what's in sid.
> >
> > > > I guess we cannot generate new library package version, or?
> >
> > Generally one does not, but for clamav you kind of have to at some point. Note that for libclamav7 -> libclamav9 there are also API changes, so libclamav-dev reverse build-depends need patching in addition to rebuilding. Once we've done that in stable, it should be easy enough to adapt for oldstable when the time comes. Don't worry about it now.
> >
> > Scott K
Re: [Pkg-clamav-devel] LTS update of clamav and call for advice
Comments inline.

On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
> Hi
>
> I missed to include the clamav maintainers. Sorry about that.
>
> // Ola
>
> On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist wrote:
> > Dear maintainers, LTS team and Debian Security team
> >
> > I have started to look at the clamav package update due to
> > CVE-2019-1787
> > CVE-2019-1788
> > CVE-2019-1789
> > (the other three vulnerabilities are not affecting jessie or stretch as I understand it)

That's correct.

> > I have understood that the clamav package is typically updated to the latest version also in stable and oldstable. However when doing so I encountered quite a few things that I would like to ask your advice on.
> >
> > First of all to the maintainers. Do you want to handle also LTS (oldstable) and regular security (stable) upload of clamav?

Stable is already done through stable proposed updates (which is the normal path for clamav). We leave the LTS releases to the LTS team. Base your work on what's in stable.

> > Question to maintainers and Security team. Should we synchronize the efforts here and have you already started on the stable update?
> >
> > If not I have a few questions:
> > 1) Do you know the binary compatibility between libclamav7 and libclamav9?
> > I have noticed that the package in sid produces libclamav9 while the one in jessie provides libclamav7. Do you think this can be an issue?

Yes. It's guaranteed to be an issue. We have a stable transition prepared and will do it (once the srm blesses) after the next point release in April. Note that the security team doesn't support clamav.

> > 2) Do you think backporting the package in sid is better than simply updating to the latest upstream while keeping most scripts in oldstable? I had to copy over the split-archive.sh to be able to generate a proper orig tarball.

No. Use what's in stable proposed updates.

> > - I personally think the package in sid has a little too many updates to make that safe, especially since it produces new library packages.

Agreed. That would definitely be a bad idea.

> > - On the other hand, I had to do some modifications already to allow the package to be generated and I have not even started building yet. There may be many fixes needed to make this package work in oldstable...

I suspect that what's in stable will work in oldstable, but I haven't tried it. It'll certainly take less work than what's in sid.

> > I guess we cannot generate new library package version, or?

Generally one does not, but for clamav you kind of have to at some point. Note that for libclamav7 -> libclamav9 there are also API changes, so libclamav-dev reverse build-depends need patching in addition to rebuilding. Once we've done that in stable, it should be easy enough to adapt for oldstable when the time comes. Don't worry about it now.

Scott K
Re: [Pkg-clamav-devel] ClamAV Package on Wheezy
No. I'm not involved in the LTS project any more. The stretch update has just today been uploaded. I expect someone from the LTS team will handle it shortly.

Scott K

On July 21, 2018 6:48:24 AM UTC, Klaipedaville on Google wrote:
>Hello Scott,
>
>Will you be able to take care of it again, please (as per my previous [old] message down-below)? Is Clamav not available in packages any more at all? Many thanks!
>
>Regards,
>Dennis
>
>P.S. It looks like this "issue" is 'an every July come back occurrence' isn't it? :)
>
>
>From: Scott Kitterman
>Sent: Sunday, July 3, 2016 19:29
>To: Sebastian Andrzej Siewior ; Klaipedaville on Google
>Cc: cla...@packages.debian.org ; debian-lts@lists.debian.org
>Subject: Re: [Pkg-clamav-devel] ClamAV Package on Wheezy
>
>I'm going to take care of it.
>
>Scott K
>
>On July 3, 2016 9:04:48 AM EDT, Sebastian Andrzej Siewior wrote:
>>On 2016-06-30 09:36:18 [+0300], Klaipedaville on Google wrote:
>>> Hello there,
>>Hi,
>>
>>> It’s been almost half a year since I’ve been getting this "Clamav is outdated, don't panic" message in my logs and patiently waiting for updates. I was wondering is it not available / coming any more in packages and we are on our own now to compile it from sources? Could anybody advise, please? Many thanks!
>>
>>Wheezy is now in the hands of the Debian-LTS team. I won't do an upload but according to my IRC backlog someone from LTS team is looking into this. I CCed the LTS team to ACK/NACK my statement :)
>>
>>> Regards,
>>> Dennis.
>>
>>Sebastian
>>
>>___
>>Pkg-clamav-devel mailing list
>>pkg-clamav-de...@lists.alioth.debian.org
>>http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel
Re: [Pkg-clamav-devel] Wheezy update of clamav?
Conveniently, upstream just released 0.99.4 that addresses this and some other issues. I'd suggest you let us get that into stable/oldstable first.

Scott K

On March 1, 2018 10:07:53 PM UTC, Sebastian Andrzej Siewior wrote:
>On 2018-02-28 16:47:47 [-0500], Antoine Beaupre wrote:
>> Dear maintainer(s),
>Hi,
>
>> The Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of clamav:
>>
>> https://security-tracker.debian.org/tracker/CVE-2018-185
>
>interesting. So that one is fixed in the beta but not in the stable release including Stretch/Jessie.
>
>> Would you like to take care of this yourself?
>No but thank you for letting us know that this one is still missing. I will try to take care of this for Stretch/Jessie. Is this the only one missing?
>
>Sebastian
>
>___
>Pkg-clamav-devel mailing list
>pkg-clamav-de...@lists.alioth.debian.org
>http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel
[SECURITY] [DLA 546-2] clamav version update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package: clamav
Version: 0.99.2+dfsg-0+deb7u2

DLA 546-1 was incorrectly released before updated clamav packages were available and there were subsequent issues with the acceptance of the package (which have since been corrected). Updates are now available for all supported LTS architectures. We recommend that you upgrade your clamav packages.

Upstream published version 0.99.2. This update updates wheezy-lts to the latest upstream release in line with the approach used for other Debian releases. The changes are not strictly required for operation, but users of the previous version in Wheezy may not be able to make use of all current virus signatures and might get warnings.

For Debian 7 "Wheezy", this has been addressed in version 0.99.2+dfsg-0+deb7u2.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCAAGBQJXhuHuAAoJEHjX3vua1ZrxF5IQALUqPYJyRZ4S4Jpir3evh9bt
ymQNEijokXkM2L04L3yYwpGwqBYVa/8PZENImvqDv9ZnBj8Rtzs0ko37ax9VS7pv
4f2d6CDNtS7Qnazc0Fab3bVWpNrCnu+MB5Uh8mxmcq8jgOxgfSrocQQpy+y4Zvel
U6ILoDOiszwdQmNn0j9HK73UiHDDdxRODLHDqmNyCjR1O2x4cdus6nwipsnwtJwv
gn0ToWhYh5QZot1w2OA4gDRItpCoFAxqqm/XzAIAz/9lhndQwfh4EXIW0p2dM3rl
90H9kprAMdu/6HNmUDxwS/OaGwN2fn/hoSv3voYZytyaK/7S6Wj9h9WoCjJ+WL9p
K1C4neOu4ZYn/jox83ukvaPOeWTuYnXQnijjgfveWGG2MNuAbwHEC6oG4oz9Yim4
MqPNNvWMq8d47D46NCkf7MYdnulNpDtOXZAtt1U3aQk3ws0/DeaP6qqVx7VAAlhT
9/2dCtzOJBR5JvJcQyewSGlZCytAzKHiUUGVm6CCKRPc7+HAIJo/mr34hwBE72zj
2A6fPLp9X1iTBI2rTgXJiGd8InpP0rVWBK8pAwbM/zqv+mfR+XdfNrdcmPCYo8gq
TBy1I7K47NTljPP0zSBxgGJclQGMMi2f/zuiDMscAzMOjkBtiqfWNw5mbf6dY/+Y
pkrI/DvdSNJSKNWVZRmK
=CuXF
-----END PGP SIGNATURE-----
Re: [SECURITY] [DLA 546-1] clamav version update
On Sunday, July 10, 2016 06:46:52 PM Markus Koschany wrote:
> On 10.07.2016 08:29, Bjoern Nyjorden wrote:
> > Hi there,
> >
> > Are you able to advise as to when this update will be available?
> >
> > Looking forward to your feedback.
>
> Hello Bjoern,
>
> please ignore the DLA announcement for clamav for now. It was sent too early. We are working on uploading the security update as soon as possible but we will need to ask for a little more of your patience.

I've just now reuploaded clamav. Let's hope this time works better.

Scott K
Re: [Pkg-clamav-devel] ClamAV Package on Wheezy
I'm going to take care of it.

Scott K

On July 3, 2016 9:04:48 AM EDT, Sebastian Andrzej Siewior wrote:
>On 2016-06-30 09:36:18 [+0300], Klaipedaville on Google wrote:
>> Hello there,
>Hi,
>
>> It’s been almost half a year since I’ve been getting this "Clamav is outdated, don't panic" message in my logs and patiently waiting for updates. I was wondering is it not available / coming any more in packages and we are on our own now to compile it from sources? Could anybody advise, please? Many thanks!
>
>Wheezy is now in the hands of the Debian-LTS team. I won't do an upload but according to my IRC backlog someone from LTS team is looking into this. I CCed the LTS team to ACK/NACK my statement :)
>
>> Regards,
>> Dennis.
>
>Sebastian
>
>___
>Pkg-clamav-devel mailing list
>pkg-clamav-de...@lists.alioth.debian.org
>http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel
Re: Supporting armel/armhf in wheezy-lts
On Monday, April 25, 2016 02:07:01 AM Luca Filipozzi wrote:
> On Sun, Apr 24, 2016 at 09:55:10AM +0200, Raphael Hertzog wrote:
> > Do you have some concrete suggestions?
>
> Decrease the separation by moving the funds management into Debian proper (via a TO like SPI) and move to a bounty model for working on LTS. Make sure we're transparent with our language regarding Debian being produced by volunteers (eg: "The Debian Project consists of volunteers, and our products are developed entirely by volunteers." on [1]) by commenting on how bounties are available (or something). Consider making LTS management a delegated team.
>
> OR
>
> Increase the separation by removing the fundraising statements / links from the LTS pages previously mentioned, making Freexian just another consultancy listed on the consultancy pages.
>
> None of this is meant to diminish or tarnish the very significant contribution that you or Freexian are making, which are both extensive and impressive. I'm seeking greater definition of the role and the language used.
>
> [1]: https://www.debian.org/devel/join/

Any suggestions on how to get that done in the next two days before wheezy-lts starts? It might be a bit more practical to defer the idea of completely changing the LTS program to a moment when there's a bit more time (maybe Debconf).

So far, I don't think anyone has specifically objected to the addition of armel/armhf.

Scott K
Re: Non-security uploads for wheezy-lts
On Wednesday, March 02, 2016 02:09:28 PM Markus Koschany wrote:
> On 01.03.2016 at 15:45, Scott Kitterman wrote:
> > I understand that the plan is not to create a separate package suite for Wheezy as was done for Squeeze and to upload to wheezy-security instead. How are uploads that aren't strictly security uploads going to be handled?
> >
> > Specifically, I'm wondering what to do about clamav since we've been uploading new versions as stable updates, not via -security.
>
> I think we should use wheezy-security for everything LTS related be it security or non-security updates. Otherwise we would need to create a special suite for such updates and this would be rather confusing for LTS users.

I think that makes sense, but we need to make it clear to users then that what wheezy-security is for will change slightly when it transitions to LTS. Whatever we do, I'd like it decided before we start.

Scott K
[SECURITY] [DLA 440-1] dansguardian package update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package: dansguardian
Version: 2.10.1.1-3+deb6u1
Debian Bug : 813894

As described in DLA-437-1, clamav has been updated to the most recent upstream version, 0.99. Due to a soname change in libclamav, packages depending on libclamav needed to be recompiled to work with the new libclamav7. At the time DLA-437-1 was sent, updated dansguardian packages were not available.

An update to dansguardian has now been uploaded and packages should be available shortly. The recommendation in DLA-437-1 not to upgrade clamav if using it with dansguardian is no longer applicable. Upgrading clamav and dansguardian is recommended for the reasons described in DLA-437-1.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCAAGBQJW02jJAAoJEHjX3vua1ZrxP5oQAKOU2p+auYaEEuV/62yHn9BR
t7P8S/EaCH406P2qVxuRl06wLRnoHH6ySVUBeXQdSVLUrwQDatvaTis9UeSi/0IV
GlAO96yJIVDW74XnBMZIxjXDeLik9kPf9l4c64UCv8LMQWcCBUENhB3fx3RUM24Q
gU9pJC5gt5I7mRRp7pSvFUX2Jbjut4hpD1iqKhWeC0xKv9erZTg9MGYpdiyShXT0
YgyZBrte3vP8LtTTqMQss1J2xnQl/ksIT3IsW+Bw+UmKJW56vZ9hOPLAdKo0ktL1
52AQ2F6EIl16AWinBWa1LKF6nGjBP3cqDgnjh9vhfdqcZcgXBeuCIrJ6ExB/aG33
FrSfZGD4ttbpJh+tabeg0fBkn6rfmWJTVPzFiYhH86WkziFUsQgYCK4YW4fPv/rh
e/YLue/PBX4igxbNhgGPQrDcgu+cXZGrn4p9kXHU248TscOLDLs8rCLj4najUb5D
R74vcKlwEneeVEcUZ0mp/MJahwsDYE5Z8ws9oMjH9AeF7J+Zw7L64pjYR2uCxlZH
++qgn3ebKPW3eIvZqQpnLymXmKvvqa+Ku3LhNJ+4f7yzzg6Sp137A1/M/xAxcGB5
E5UKU9WuWeMnEh2uVIbtY3DFK8uu/EVG/emVGZPmmBwUUGTOcbqwlLFLjz8YSC/4
gbrfoUw/+1ZvsGjCQqeD
=gF3f
-----END PGP SIGNATURE-----
Re: Further Review Of MySQL 5.5 Packages [1]
On December 10, 2015 3:27:14 AM EST, "Santiago Ruano Rincón" <santiag...@riseup.net> wrote:
>On 09/12/15 at 19:18, Scott Kitterman wrote:
>> On December 9, 2015 2:51:47 PM EST, Raphael Hertzog <hert...@debian.org> wrote:
>...
>> >What's wrong with "apt-get install mysql-server-5.5" ?
>> >
>> >Those intermediary packages will be manually installed and might cause troubles in future upgrades... even if the description invites users to uninstall them. I would prefer if the instructions we gave invited users to install just the packages that they need.
>> >
>> >We really mostly care about vulnerabilities in the server and as such we must recommend users to upgrade the server, if they keep using the old client it's not a big deal IMO.
>>
>> Running a local server and client and they are different versions doesn't cause a problem? If not, then I agree about not including the upgrade package and giving instructions in the DLA.
>>
>> Scott K
>
>I'm not sure I understand the question. If you mean running both client and server on the same machine, the answer is you cannot use packages from different versions.

That is what I meant.

>My comment was about users that have mysql-client and -server running on different machines.
>
>Anyway, if these transition packages might give more trouble, I'd prefer to remove them too. The simpler, the better.

I'm not sure what the best thing is, but at least make clear in the DLA that if one upgrades client/server then the other must be upgraded too for that machine.

Scott K
Re: Further Review Of MySQL 5.5 Packages [1]
On December 9, 2015 3:09:23 AM EST, Raphael Hertzog <hert...@debian.org> wrote:
>On Tue, 08 Dec 2015, Scott Kitterman wrote:
>> On December 8, 2015 5:25:05 PM EST, "Santiago Ruano Rincón" <santiag...@riseup.net> wrote:
>> >Is anyone against uploading the current mysql-5.5 packages (version 5.5.46-0+deb6u1~5)?
>
>I don't have any objection. I would just like to review the draft of the DLA that you want to send to make sure it has a good wording...
>
>> Where do we stand on rdepends updates?
>
>We dealt with all the issues identified with dbconfig packages failing to install due to various SQL errors.
>
>See https://titanpad.com/cRc6eiCH5t
>
>Was your question about something else?

That's most of it. Did we decide to leave the libmysqlclient rdepends alone?

Scott K
Re: Further Review Of MySQL 5.5 Packages [1]
On December 9, 2015 2:51:47 PM EST, Raphael Hertzog wrote:
>On Wed, 09 Dec 2015, Santiago Ruano Rincón wrote:
>> https://titanpad.com/zPncgYnP05
>
>I made a few changes.
>
>> This DLA includes information about the already uploaded packages to solve incompatibility issues.
>>
>> I've realised that the -upgrade package would install the mysql-server, even if the user only needs the client. I have created an additional package, currently being built.
>
>I saw the suggestion of Scott but I'm really not convinced it's a good idea to introduce those upgrade helper packages...
>
>What's wrong with "apt-get install mysql-server-5.5" ?
>
>Those intermediary packages will be manually installed and might cause troubles in future upgrades... even if the description invites users to uninstall them. I would prefer if the instructions we gave invited users to install just the packages that they need.
>
>We really mostly care about vulnerabilities in the server and as such we must recommend users to upgrade the server, if they keep using the old client it's not a big deal IMO.

Running a local server and client and they are different versions doesn't cause a problem? If not, then I agree about not including the upgrade package and giving instructions in the DLA.

Scott K
Re: Re: squeeze update of srtp?
On December 1, 2015 9:18:52 AM EST, Ben Hutchings <b...@decadent.org.uk> wrote:
>On Tue, 2015-12-01 at 08:39 -0500, Scott Kitterman wrote:
>> I checked this yesterday and the offending code isn't present in the 1.4 versions of srtp.
>
>Only because the range checks that have just been fixed in the upstream patches aren't present at all in 1.4!
>
>These sites do need to be fixed:
>https://sources.debian.net/src/srtp/1.4.4~dfsg-6%2Bdeb6u1/srtp/srtp.c/#L673
>https://sources.debian.net/src/srtp/1.4.4~dfsg-6%2Bdeb6u1/srtp/srtp.c/#L939

Okay. I'll have another look at it later in the week. Feel free to grab it if you have time first.

If that's the case, then wheezy/jessie need fixing too.

Scott K
Re: Re: squeeze update of srtp?
I checked this yesterday and the offending code isn't present in the 1.4 versions of srtp. Scott K
Accepted libphp-snoopy 2.0.0-1~deb6u1 (source all) into squeeze-lts
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 30 Nov 2015 13:08:05 -0500
Source: libphp-snoopy
Binary: libphp-snoopy
Architecture: source all
Version: 2.0.0-1~deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Marcelo Jorge Vieira <me...@debian.org>
Changed-By: Scott Kitterman <sc...@kitterman.com>
Description:
 libphp-snoopy - Snoopy is a PHP class that simulates a web browser
Closes: 778634
Changes:
 libphp-snoopy (2.0.0-1~deb6u1) squeeze-lts; urgency=high
 .
   * Upload to squeeze-lts
 .
 libphp-snoopy (2.0.0-1) unstable; urgency=high
 .
   * New upstream release:
     + Fixes: CVE-2008-7313 and CVE-2014-5008 (Closes: #778634)
     + Remove curl dependency
   * Control:
     + Remove trailing spaces
     + Use canonical Vcs-fields
     + Updated Standards-Version to 3.9.6 (no changes)
   * Switch to dpkg-source 3.0 (quilt) format
Checksums-Sha1:
 5fd5042be968cac657fe9fe814733f119d85ad10 1850 libphp-snoopy_2.0.0-1~deb6u1.dsc
 d5120fed4112248e2af9f387f1119b22b2dbd42f 2464 libphp-snoopy_2.0.0-1~deb6u1.debian.tar.gz
 259b34707e14f63b8da6c4d63f3a12bfd31e8a9b 17510 libphp-snoopy_2.0.0-1~deb6u1_all.deb
Checksums-Sha256:
 97789bee3098c29851afd42ec4a607e75f7b93c2b0f2b2498c42aea5a7a231fe 1850 libphp-snoopy_2.0.0-1~deb6u1.dsc
 567068287dfed49f30c007c92a7d03607af89e4b79963feb3673b3abb3f7a649 2464 libphp-snoopy_2.0.0-1~deb6u1.debian.tar.gz
 c8bba4772663becf5166e9a6890323676ca6a805c42a3aaf1327aa7ebaecda5a 17510 libphp-snoopy_2.0.0-1~deb6u1_all.deb
Files:
 582838e55f05e19cf30a246adae27471 1850 php optional libphp-snoopy_2.0.0-1~deb6u1.dsc
 d4e07791612b465ab23b71e8de6ca1e1 2464 php optional libphp-snoopy_2.0.0-1~deb6u1.debian.tar.gz
 a8e3cb71076cccfc7820923f94e34900 17510 php optional libphp-snoopy_2.0.0-1~deb6u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWXL1BAAoJEHjX3vua1Zrxu4IQAMKHmRnkV98+TaFY3YXbuubc
3Tg6yvqqlTHN2wLZxgJni2ct0XFr6aNL1k0HYOsYRawYStdYWW5WC4ENWqYqVFBR
BOB28JKqPv7kPMM03sIicL8tYtL/P2fONJoPTowczVhoOPH2O1BCYH5Sdd5z3syS
vacp/4vg9HIYzQJLF71AxwbJbr7b+9a7V/x9PgIHyUbK3aa0Cp3JeiBhRB59sDRx
uvJIaowKba01gdMZfQ9YxbEM9yKbtFMEUe1VaB5TJDn6o2x77Hb4BYRHsGtcHvNF
OuTEYIePAyJKw+SIxGg985Y1wyomlGRrgHKWDTBcie+ULePUz3WdEQ3wTIHchfGL
9clTD1uh8m5D05hOxHcIgNI/kB/5mzUyb7jT8Y6t22ccB36UrakDgPVFsyBKa969
L1++Bh3LXUenU/YYuje9WK46gn1Jrt61gImkBmCWJbW8cRXRm0mVBVpdYvwaBHB/
E6k0ljIdEchBfLukqxzLthbRJAiuS2qUpz6E6rxNkYdmAnKr5REzEU9yLINz2j+l
nLFdOZkDQZ4mV6Po6P6e9PEowovMdTWqn/BnPA7xuGA7FbZSnfuSsGWFSrJxNvCL
m15xvNVdRTV0ndzhdFuHi1VKRB5uAf1pRQLFtULjhT2m0GDiL/cgc+WzH0edSiRd
TaofHE3VhBIPBVBTTvJZ
=wg5w
-----END PGP SIGNATURE-----
[SECURITY] [DLA 357-1] libphp-snoopy security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : libphp-snoopy
Version        : 2.0.0-1~deb6u1
CVE ID         : CVE-2008-7313 CVE-2014-5008
Debian Bug     : 778634

It was discovered that missing input sanitizing in Snoopy, a PHP class that
simulates a web browser, may result in the execution of arbitrary commands.

For the oldoldstable distribution (squeeze-lts), this problem has been fixed
in version 2.0.0-1~deb6u1.

We recommend that you upgrade your libphp-snoopy packages.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCAAGBQJWXNElAAoJEHjX3vua1Zrx73QP/0fH7gd2IaswruxK8Wu4EUS+
WryCf4EAnuMLa72GLlJRxBxdRsFODe8dXM74kO/BUKOcRPHVmow4ALUlyStZVGc3
iPZ3ow7klMiSt9CDBrbIXdORqnIC6NZT1MjV9WLUASENlJUWVW1MfZL1gqVq+FCn
XeZXh1+zDlUw55iBTp/QOiZ8vEgylzpb92JFdCuzAdS9zrvaPs0Cm2Va1jSRzSLx
2yYdd655rnCxOf5mDyrVMj4ncgaK5u1bpsV2benQokSxmrwjnoDrLD01GHXZIQL5
FPG8HpS09UeAGoMQ1SCiRweLNtir6MRYEixaEZCqzHPfcSl5bQ7fpNe3wHgZjV88
ACjAn4sM5qmmK3Cej7NWCcwaSKy4gyRjPkUsFZ7UBZXURzMmRRqhoFXHO1l9k4Yj
/o/DGiYEyclJQ6sGau/pR7DTTZfwEOZfUmLMU/q63DWV9ND88M7QVqjg8wofgoCP
trtiLWTmcKMsksOKfBuTxoQQ7rlWkoR3gWpiszgY/wZObh4aEGjfVW6Lm495bwU+
jwvfDkngFGKLgpU2JgugNhYiUEDJlHAXFgKQL0kyT1lsM2tHZfMpx3l+YPyLNdO8
ulg4eHpGcL77/J70aLcIn4lZT4ECjJ5+5SU6qsaR+7nYbXomjqURLRHzEpDNjcFH
gXdGWD7S008D9KGr3+ML
=Iavp
-----END PGP SIGNATURE-----
Accepted screen 4.0.3-14+deb6u1 (source amd64) into squeeze-lts
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 05 Sep 2015 16:48:47 -0400
Source: screen
Binary: screen
Architecture: source amd64
Version: 4.0.3-14+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Jan Christoph Nordholz <he...@pool.math.tu-berlin.de>
Changed-By: Scott Kitterman <sc...@kitterman.com>
Description:
 screen - terminal multiplexor with VT100/ANSI terminal emulation
Closes: 797624
Changes:
 screen (4.0.3-14+deb6u1) squeeze-lts; urgency=high
 .
   * Fix stack overflow due to too deep recursion (CVE-2015-6806).
     (Closes: #797624)
     - Add debian/patches/61denial-of-service-stack-overflow-fix.dpatch to
       apply upstream fix
Checksums-Sha1:
 e2ef5848e64ff592fa4daadd75485b10feced7e7 1753 screen_4.0.3-14+deb6u1.dsc
 62d975a57ce10b8a4d52bdc9319662fd23d2272f 157158 screen_4.0.3-14+deb6u1.diff.gz
 3ce89802fa2d9debe8039ac3bbce04da21f9b03d 631524 screen_4.0.3-14+deb6u1_amd64.deb
Checksums-Sha256:
 fd199e8cc149252c3e8a418af51af7f1d8850482109b01686e62f7e6e919f500 1753 screen_4.0.3-14+deb6u1.dsc
 742bf8cfdd5bb7aad4ed76072caf8f0c071b8766e41e721a63bd6327c38171ae 157158 screen_4.0.3-14+deb6u1.diff.gz
 a14c77e3ba3a80a9db55f1e3e1d12f2eb12b7b856bb374daf86e783a472be14a 631524 screen_4.0.3-14+deb6u1_amd64.deb
Files:
 4302d2dfe64540689f012b1c044ea20b 1753 misc optional screen_4.0.3-14+deb6u1.dsc
 d6cde2c2ea4a695ac085ecdde4e77c13 157158 misc optional screen_4.0.3-14+deb6u1.diff.gz
 78a154f1ef06fd396e97d56a08c7aba0 631524 misc optional screen_4.0.3-14+deb6u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJV617+AAoJEHjX3vua1Zrxhz8P/356R+j6t5k2Au0z0pdaw5fx
iqGAUw0cEpIQOpQ9QqqSd557aaBprthXljEoWmootnpGqx+ym1hNlO1Gplagv9XH
G5wqXUxgyDNlgkM+CAYWnF+IMiKPS/vA9Itak3Q9NejqO4qDxkMaQmSi3EwGFw0A
NdlG8bEYUCs8xMqt2j4W5bBxxE29ohC3VB0CMrdHKAQfMBoiTi19GUWCqOg1yIHT
t5+ANy70PiZpCpgw9yFblmc32SDnzB9KKJaoEQsSIq/V2e4w0KJb6R0dMqcZfbzs
GJZdKyZN8YT7og+I5f8qU9D09v4XlGUtJ9uyCkQ23/SqEAsIybkExhwVVsHCwSd3
Pua2lOHGz4/ZQwFnrNCqatlUW/TJ7ZmgMHuW+6weoIW+ZXY+ctTzTAznRJiwaEWg
HGewn2EynN2pP8CsYHIsY21B53KcP9OTOpm5sUUIZuB0vXsh+YX54bdQQ+BKqLcP
STy5kBE8xMw/WqSi8AORRp8GRGUGyKkRw5udpaX/6N+7uj5txBjuIvbHWmRH+wyw
IaUvjkS7H8wvMxKdoK8I0R8GGbMfj9ziPwxvN9zvH3BEeMlD6COM3ZCTNV/eveJM
cAG/WC1xm0IXrc9h0gt7vJuxOdTop2R81mKus9Hd3fQHdQtELKeiemzak3Yohcn7
XK33pjOJPnD28rxKIOkG
=ftJt
-----END PGP SIGNATURE-----
[SECURITY] [DLA 233-1] clamav security and upstream version update
Package        : clamav
Version        : 0.98.7+dfsg-0+deb6u1
CVE ID         : CVE-2014-9328 CVE-2015-1461 CVE-2015-1462 CVE-2015-1463
                 CVE-2015-2170 CVE-2015-2221 CVE-2015- CVE-2015-2668

Upstream published version 0.98.7. This update updates squeeze-lts to the
latest upstream release in line with the approach used for other Debian
releases. The changes are not strictly required for operation, but users of
the previous version in Squeeze may not be able to make use of all current
virus signatures and might get warnings.

The bug fixes that are part of this release include security fixes related
to packed or crypted files (CVE-2014-9328, CVE-2015-1461, CVE-2015-1462,
CVE-2015-1463, CVE-2015-2170, CVE-2015-2221, CVE-2015-, and CVE-2015-2668)
and several fixes to the embedded libmspack library, including a potential
infinite loop in the Quantum decoder (CVE-2014-9556).

If you use clamav, we strongly recommend that you upgrade to this version.
Accepted jruby 1.5.1-1+deb6u1 (source all) into squeeze-lts
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 27 Apr 2015 16:41:00 -0400
Source: jruby
Binary: jruby
Architecture: source all
Version: 1.5.1-1+deb6u1
Distribution: squeeze-lts
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Scott Kitterman <freex...@kitterman.com>
Description:
 jruby - 100% pure-Java implementation of Ruby
Changes:
 jruby (1.5.1-1+deb6u1) squeeze-lts; urgency=medium
 .
   * Add debian/patches 0008-CVE-2011-4838.patch and 0009-CVE-2012-5370.patch
     to resolve the respective CVEs
     - Patches from jessie and adjusted for the squeeze-lts jruby version
   * Add missing build-depends on default-jre-headless so the package will
     build in a clean environment
Checksums-Sha1:
 4e1bcbeab08787b014cb37422055e61053d5c2cb 2114 jruby_1.5.1-1+deb6u1.dsc
 ddc6b48e200f1eb64bffa5e092e75b527d76f3a0 25159 jruby_1.5.1-1+deb6u1.debian.tar.gz
 8330ec0cbd2eab0efaec786833f09759ce435f3b 11285368 jruby_1.5.1-1+deb6u1_all.deb
Checksums-Sha256:
 4bc70be1d9dbe3fbfe5e86e0893133136348a77e44ac278cb4c5f6f615921974 2114 jruby_1.5.1-1+deb6u1.dsc
 2aa5092ad25fb227a010d6308438bb5f36f8c3dbb33eee8358317bcec488f6dc 25159 jruby_1.5.1-1+deb6u1.debian.tar.gz
 bcefee5da734fa8964d52243053012ff61107c56928b0aae91159ba1ba7662d7 11285368 jruby_1.5.1-1+deb6u1_all.deb
Files:
 5644465f0b9f520d471aef0f7cc94b97 2114 non-free/ruby optional jruby_1.5.1-1+deb6u1.dsc
 a4ff42e7409c20d1b7a13d630b1f 25159 non-free/ruby optional jruby_1.5.1-1+deb6u1.debian.tar.gz
 2d11f255881aed086d189e2d04f65f49 11285368 non-free/ruby optional jruby_1.5.1-1+deb6u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJVQCuxAAoJEHjX3vua1ZrxE48P/jTPPPYyIiGmURNQYtmAUJY4
TTVZZavHRkv8J3Wm6d6N+ODrOwfLFPoqS6TOc5Kgsncmr/ZeZWS17jpHSPdKB/Qb
GHEKVqWiesHHsEuC5j3uGHkLZAOMUHC7RuWhz+hYgHBAh112ZJ+544OX6b33dRRr
q5M+mBTY2HjsypKRURBPqLUYe8QWJUhYIauCHgjN77xOTQIxW0dWSbCbTLbDcYC+
58eihWxE6fn1SRp+7DJV+yXyhO1gemELVjGehwLqHYGCRZshVDTd6FuutVxdJmfp
SOlr+qXX4LCGInHIIFjch3Qp4MWHpmJ3H/DCdpY9zklsZj7h5eknlRPUcPkYeYd8
mfHiS92/A1c8P/sg20LT1Jdwznvj7asrzotA53fFCWL28eahgE/XUiDC7KFHp1oS
cS44IbZkV5V566fBE+z8G6wn8CBp5sFyDGl8VOLT72GWsSMYOK4a8if4gF5l7hCT
dLuE4T911Qxe+yrSw/WGRHLn6bfj/1DyWd+O0dfzWdNtcrl/4Mhafn/aEAlFOuRc
YayqO/zRrCps3mz+aixuBLLPfltImE/uPmegW5z9YfuayXkq9uGgZZplb2bpC86N
sO9kkYY/yogTSuj80SRbHG0mBUHhCu27RI7ZCnIaUJoaG9VgcPKSMkd8Wmq/LMFZ
a28c4zknSZnu3wg0gYjd
=k7SB
-----END PGP SIGNATURE-----

-- 
To UNSUBSCRIBE, email to debian-lts-changes-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/e1ynjyj-0008nj...@franck.debian.org
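The three "Accepted ... into squeeze-lts" records above are clearsigned .changes files: an RFC 822-style header block whose Files (MD5 plus section and priority), Checksums-Sha1 and Checksums-Sha256 stanzas pin the size and digest of every uploaded file. The following is an added example, not code from Debian, dpkg or any of the posters, showing how to parse that layout and check the listed files against what is actually on disk. It assumes only the stanza names and field order visible in the records above; the upload it builds in demo() is constructed test data with a placeholder signature block, and it does not verify the OpenPGP signature at all (use gpg --verify or dscverify for that before trusting the digests).

```python
"""Check the Files / Checksums-Sha1 / Checksums-Sha256 stanzas of a Debian .changes
file against the files on disk. Added example, not dpkg's code; demo() builds a
constructed .changes with a placeholder signature block from constructed files."""
import hashlib
import os
import re
import tempfile

# stanza -> hashlib algorithm; the "Files" stanza also carries section and priority
STANZA_ALGOS = {"Files": "md5", "Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256"}

def unwrap_clearsign(text):
    """Strip an OpenPGP clearsign wrapper (RFC 4880 s.7) if present. This does NOT
    verify the signature: run gpg --verify or dscverify before trusting the file."""
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    start = lines.index("") + 1                  # signed body follows the armor headers
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    return "\n".join(ln[2:] if ln.startswith("- ") else ln for ln in lines[start:end])

def parse_changes(text):
    """RFC 822-style parse: field -> [first-line value, *continuation lines].
    A duplicated field is rejected rather than silently overwriting the first."""
    fields, current = {}, None
    for line in unwrap_clearsign(text).splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and current:        # continuation line of the open field
            fields[current].append(line.strip())
            continue
        name, sep, value = line.partition(":")
        name = name.strip()
        if not sep or name in fields:
            raise ValueError(f"malformed or duplicate field: {line!r}")
        current, fields[name] = name, [value.strip()]
    return fields

def parse_file_entries(lines):
    """Each entry: '<hexdigest> <size> [<section> <priority>] <filename>'."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) not in (3, 5) or not re.fullmatch(r"[0-9a-fA-F]+", parts[0]):
            raise ValueError(f"malformed file entry: {line!r}")
        name = parts[-1]
        if name in (".", "..") or "/" in name or "\\" in name:   # bare basenames only
            raise ValueError(f"unsafe file name: {name!r}")
        entries.append((parts[0].lower(), int(parts[1]), name))
    return entries

def file_digest(path, algo):
    with open(path, "rb") as f:
        return hashlib.new(algo, f.read()).hexdigest()

def verify_changes(text, directory):
    """Return a list of problems; [] means every listed file exists with the stated
    size and digests and all three stanzas name the same set of files."""
    fields, problems, name_sets = parse_changes(text), [], []
    for stanza, algo in STANZA_ALGOS.items():
        if stanza not in fields:
            problems.append(f"missing stanza {stanza}")
            continue
        entries = parse_file_entries(fields[stanza][1:])
        name_sets.append(frozenset(e[2] for e in entries))
        want = hashlib.new(algo).digest_size * 2
        for digest, size, name in entries:
            path = os.path.join(directory, name)
            if len(digest) != want:                  # truncated or wrong-algorithm digest
                problems.append(f"{stanza}: {name}: {len(digest)} hex chars, expected {want}")
            elif not os.path.isfile(path):
                problems.append(f"{stanza}: {name}: file missing")
            elif os.path.getsize(path) != size or file_digest(path, algo) != digest:
                problems.append(f"{stanza}: {name}: size or {algo} digest mismatch")
    if len(set(name_sets)) > 1:     # a file listed only under MD5 would dodge SHA-256
        problems.append("stanzas list different file sets")
    return problems

def demo():
    """A clean upload verifies with no problems; a modified .deb is reported."""
    names = ["example_1.0-1.dsc", "example_1.0-1.debian.tar.gz", "example_1.0-1_all.deb"]
    with tempfile.TemporaryDirectory() as d:
        for i, name in enumerate(names):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"constructed content %d\n" % i)
        # constructed .changes text; the signature block is a placeholder, not a real one
        lines = ["-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA256", "", "Format: 1.8",
                 "Source: example", "Version: 1.0-1", "Distribution: squeeze-lts"]
        for stanza, algo in STANZA_ALGOS.items():
            lines.append(f"{stanza}:")
            for name in names:
                path = os.path.join(d, name)
                extra = " misc optional" if stanza == "Files" else ""
                lines.append(f" {file_digest(path, algo)} {os.path.getsize(path)}{extra} {name}")
        lines += ["-----BEGIN PGP SIGNATURE-----", "placeholder", "-----END PGP SIGNATURE-----"]
        changes = "\n".join(lines)
        clean = verify_changes(changes, d)
        with open(os.path.join(d, names[-1]), "ab") as f:
            f.write(b"injected\n")               # simulate a swapped binary package
        return clean, verify_changes(changes, d)
```

Digest length is checked before anything is compared, so an entry whose digest is truncated or produced by the wrong algorithm (as the 28-character MD5 in the jruby Files stanza above would be) is reported instead of being silently compared against a full-length hash. The three stanzas must also list the same files, since a file that appears only under the MD5 stanza would otherwise escape the SHA-256 check, and file names are restricted to bare basenames so a crafted entry cannot point the check at a file outside the upload directory.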