Re: embedding openssl source in sslcan
On Thu, Jan 05, 2017 at 09:39:16PM +0100, Sebastian Andrzej Siewior wrote:
> On 2016-12-31 17:35:47 [+0100], Julien Cristau wrote:
> > Is this really something we need to be shipping? If yes, I'd personally
> > really like this to get an explicit exemption from normal policy by the
> > security team, so please talk to them (debian-security@ldo is not it).
>
> I have been made aware of my mistake and I bounced the original email to
> security@d.o with no response yet. I haven't got any response from them
> yet so it looks like sslscan will link against libssl1.0.

I did reply to you (as did Thijs), but as mentioned before there's no need
for that code copy in _stretch_, since 1.0.2 should still provide ample
legacy support.

Cheers,
Moritz
Re: embedding openssl source in sslcan
On 2016-12-31 17:35:47 [+0100], Julien Cristau wrote:
> Is this really something we need to be shipping? If yes, I'd personally
> really like this to get an explicit exemption from normal policy by the
> security team, so please talk to them (debian-security@ldo is not it).

I have been made aware of my mistake and I bounced the original email to
security@d.o with no response yet. I haven't got any response from them
yet so it looks like sslscan will link against libssl1.0.

> Cheers,
> Julien

Sebastian
Bug#847273: jessie-pu: package mapserver/6.4.1-5
On 01/05/2017 09:04 PM, Adam D. Barratt wrote:
> On Tue, 2016-12-06 at 22:00 +0100, Sebastiaan Couwenberg wrote:
>> Sorry for the outdated debdiff, for p-u the distribution has been
>> changed to stable.
>
> Please go ahead.

Thanks!

Kind Regards,

Bas

--
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
Processed: retitle 850105 to RM: sogo -- RoST; multiple security issues, tagging 850105
Processing commands for cont...@bugs.debian.org:

> retitle 850105 RM: sogo -- RoST; multiple security issues
Bug #850105 [release.debian.org] RM: sogo/2.2.9+git20141017-1
Changed Bug title to 'RM: sogo -- RoST; multiple security issues' from 'RM: sogo/2.2.9+git20141017-1'.
> tags 850105 + pending
Bug #850105 [release.debian.org] RM: sogo -- RoST; multiple security issues
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
850105: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850105
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: retitle 844695 to RM: dotclear -- RoST; multiple security issues, tagging 844695
Processing commands for cont...@bugs.debian.org:

> retitle 844695 RM: dotclear -- RoST; multiple security issues
Bug #844695 [release.debian.org] RM: dotclear/2.6.4+dfsg-1
Changed Bug title to 'RM: dotclear -- RoST; multiple security issues' from 'RM: dotclear/2.6.4+dfsg-1'.
> tags 844695 + pending
Bug #844695 [release.debian.org] RM: dotclear -- RoST; multiple security issues
Added tag(s) pending.
> thanks
Stopping processing here.

--
844695: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844695
Processed: Re: Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9
Processing control commands:

> tags -1 -moreinfo +confirmed
Bug #841724 [release.debian.org] jessie-pu: package guile-2.0/2.0.11+1-9
Removed tag(s) moreinfo.
Bug #841724 [release.debian.org] jessie-pu: package guile-2.0/2.0.11+1-9
Added tag(s) confirmed.

--
841724: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841724
Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9
Control: tags -1 -moreinfo +confirmed

On Sat, 2016-10-22 at 14:11 -0500, Rob Browning wrote:
> "Adam D. Barratt" writes:
>
> > Control: tags -1 + moreinfo
> > Control: severity -1 normal
> >
> > On Sat, 2016-10-22 at 13:10 -0500, Rob Browning wrote:
> >> I'd like to propose an update for jessie as described by the attached
> >> debdiff. Though the final upload/diff might be slightly different
> >> (i.e. the dpm hashes).
> >>
> >> Both of the changes (patches) have been cherry-picked from upstream as
> >> described in the patch headers.
> >
> > The security tracker indicates that both issues - CVE-2016-8605 and
> > CVE-2016-8606 - still affect the guile-2.0 packages in unstable. Is that
> > correct? If so then that would be a prerequisite to applying the fixes
> > in stable.
>
> Hmm, well I'm also preparing 2.0.13+1-1 packages for unstable that include
> (upstream) both fixes. Should I upload those first?

That happened in the meantime, so please feel free to go ahead with the
upload to stable.

Regards,

Adam
Bug#829136: jessie-pu: package harfbuzz/0.9.35-2+deb8u1
On Tue, 2016-09-06 at 22:21 +0200, Moritz Mühlenhoff wrote:
> On Sat, Aug 13, 2016 at 10:33:32AM +0200, Julien Cristau wrote:
> > Control: tag -1 moreinfo
> >
> > On Thu, Jun 30, 2016 at 22:19:11 +0200, Moritz Muehlenhoff wrote:
> >
> > > Package: release.debian.org
> > > Severity: normal
> > > Tags: jessie
> > > User: release.debian@packages.debian.org
> > > Usertags: pu
> > >
> > > Attached debdiff fixes a non-severe security issue in harfbuzz.
> > > I've been using that for a few weeks on my jessie desktop.
> > >
> > > Cheers,
> > > Moritz
> > >
> > > diff -Nru harfbuzz-0.9.35/debian/changelog harfbuzz-0.9.35/debian/changelog
> > > --- harfbuzz-0.9.35/debian/changelog 2014-10-30 13:58:05.0 +0100
> > > +++ harfbuzz-0.9.35/debian/changelog 2016-05-30 23:50:45.0 +0200
> > > @@ -1,3 +1,10 @@
> > > +harfbuzz (0.9.35-2+deb8u1) jessie; urgency=medium
> > > +
> > > + * Backport upstream commit 613e630617074eb9b62b794cc37c9b42a7fb079b to address
> > > +CVE-2016-2052
> > > +
> > > + -- Moritz Mühlenhoff Mon, 30 May 2016 23:49:46 +0200
> > > +
> > > harfbuzz (0.9.35-2) unstable; urgency=medium
> > >
> > >* debain/clean: Remove test/shaping/*.pyc during clean
> >
> > According to https://bugzilla.redhat.com/show_bug.cgi?id=1301553#c6
> > CVE-2016-2052 is linked to a different commit, can you clarify?
>
> Hmm, there seems to have been some reshuffling of CVE mappings, also another
> minor issue came up. I'll revise.

Any news on that?

Regards,

Adam
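Review bot: the changelog entry in the hunk names upstream commit 613e630617074eb9b62b794cc37c9b42a7fb079b as the fix for CVE-2016-2052, while the Red Hat bugzilla reference quoted in the reply maps that CVE to a different commit; before the upload, confirm which upstream commit actually corresponds to CVE-2016-2052 and make the changelog line cite that one, since the CVE-to-commit mapping is the only thing in this debdiff a reviewer can check the backport against.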
Bug#842929: jessie-pu: package modsecurity-crs/2.2.9-1
Control: tags -1 -moreinfo +confirmed

On Mon, 2016-11-28 at 17:17 +0100, Alberto Gonzalez Iniesta wrote:
> Thanks for the corrections. Please find attached the debdiff file in the
> right direction. #838009 is marked as fixed in unstable/testing and
> #826710 will be marked accordingly if this upload happens.

Please go ahead.

Regards,

Adam
Processed: Re: Bug#842929: jessie-pu: package modsecurity-crs/2.2.9-1
Processing control commands:

> tags -1 -moreinfo +confirmed
Bug #842929 [release.debian.org] jessie-pu: package modsecurity-crs/2.2.9-1
Removed tag(s) moreinfo.
Bug #842929 [release.debian.org] jessie-pu: package modsecurity-crs/2.2.9-1
Added tag(s) confirmed.

--
842929: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842929
Bug#837458: jessie-pu: package mactelnet/0.4.0-1
Control: tags -1 + confirmed

On Sun, 2016-09-11 at 19:55 +0200, haakon.nessj...@gmail.com wrote:
> Request for uploading to stable, as there is posted a CVE for a bug in
> mactelnet-client.
> This update is a backport of the fix that is done upstream, that fixes only
> the mentioned bug.
>
> More information here:
> https://security-tracker.debian.org/tracker/CVE-2016-7115
> and here: https://bugs.debian.org/836320

+mactelnet (0.4.0-2) stable; urgency=low

The version should be 0.4.0-1+deb8u1. With that change, please go ahead.

Regards,

Adam
Processed: Re: Bug#837458: jessie-pu: package mactelnet/0.4.0-1
Processing control commands:

> tags -1 + confirmed
Bug #837458 [release.debian.org] jessie-pu: package mactelnet/0.4.0-1
Added tag(s) confirmed.

--
837458: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837458
Bug#847273: jessie-pu: package mapserver/6.4.1-5
Control: tags -1 + confirmed

On Tue, 2016-12-06 at 22:00 +0100, Sebastiaan Couwenberg wrote:
> Sorry for the outdated debdiff, for p-u the distribution has been
> changed to stable.

Please go ahead.

Regards,

Adam
Processed: Re: Bug#847273: jessie-pu: package mapserver/6.4.1-5
Processing control commands:

> tags -1 + confirmed
Bug #847273 [release.debian.org] jessie-pu: package mapserver/6.4.1-5
Added tag(s) confirmed.

--
847273: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847273
Bug#849698: jessie-pu: package python-crypto/2.6.1-5+deb8u1
Control: tags -1 + confirmed

On Tue, 2017-01-03 at 14:05 +0100, Sebastian Ramacher wrote:
> Hi
>
> On 2017-01-03 11:05:40, Sebastian Ramacher wrote:
> > On 2017-01-01 20:55:40, Sebastian Ramacher wrote:
[..]
> > > >
> > > > On Thu, 2016-12-29 at 23:15 +0100, Sebastian Ramacher wrote:
> > > > > I'd like to fix CVE-2013-7459 (#849495) in jessie via the next point
> > > > > release.
> > > > > The issue was marked as no-dsa.
> > > > >
> > > > > The proposed debdiff is attached. The same patch was applied to the
> > > > > package in
> > > > > unstable.
> > > >
> > > > + * Throw exception when IV is used with ECB or CTR (CVE-2013-7459)
[...]
> > Seems like python-paramiko broke in wheezy-lts (#850025). I will come back
> > to
> > you once I've checked if stable is affected as well.
>
> New debdiff is attached. Instead of throwing an exception the IV is simply
> ignored and a warning is displayed.

The patch itself still refers to exceptions in its metadata, fwiw.

Please go ahead.

Regards,

Adam
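The two policies discussed in the thread above, rejecting an IV handed to an IV-free mode outright versus warning and dropping it so that existing callers keep working, modelled as an added example. This is not code from python-crypto or from either debdiff; the mode classification, the normalize_cipher_args and call_with_warning_count functions and the sample inputs are constructed for illustration.

```python
import warnings

# Constructed mode classification: the ECB/CTR cases named in the thread,
# where an IV is meaningless, against the modes that genuinely need one.
IV_FREE_MODES = frozenset({"ECB", "CTR"})
IV_MODES = frozenset({"CBC", "CFB", "OFB"})


class StrayIVError(ValueError):
    """Raised in strict mode when an IV is supplied to an IV-free mode."""


def normalize_cipher_args(mode, iv=None, strict=False):
    """Return the keyword arguments that may reach a cipher constructor.

    strict=True models the first debdiff (throw on a stray IV);
    strict=False models the uploaded one (warn, drop the IV, keep callers
    such as paramiko working). In both variants the IV never reaches an
    ECB/CTR constructor, which is the behaviour the changelog line asks for.
    """
    if mode in IV_FREE_MODES:
        if iv is not None:
            if strict:
                raise StrayIVError(f"{mode} mode does not take an IV")
            warnings.warn(f"IV ignored for {mode} mode", RuntimeWarning,
                          stacklevel=2)
        return {"mode": mode}
    if mode in IV_MODES:
        if iv is None:
            raise ValueError(f"{mode} mode requires an IV")
        return {"mode": mode, "IV": bytes(iv)}
    raise ValueError(f"unknown mode {mode!r}")


def call_with_warning_count(mode, iv=None, strict=False):
    """Run normalize_cipher_args and report how many warnings it emitted."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        args = normalize_cipher_args(mode, iv, strict=strict)
    return args, len(caught)


if __name__ == "__main__":
    # Constructed sample: a caller that passes an IV to ECB, the pattern
    # the thread says broke paramiko under the throw-an-exception variant.
    print(call_with_warning_count("ECB", b"\x00" * 16))
    print(call_with_warning_count("CBC", b"\x01" * 16))
```

The compatibility trade-off the thread describes is visible in the two branches: the strict variant turns a caller bug into a hard failure, the lenient one keeps the call working but still never forwards the IV, so callers that relied on the old behaviour are flagged by the warning rather than broken.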
Processed: Re: Bug#849698: jessie-pu: package python-crypto/2.6.1-5+deb8u1
Processing control commands:

> tags -1 + confirmed
Bug #849698 [release.debian.org] jessie-pu: package python-crypto/2.6.1-5+deb8u1
Added tag(s) confirmed.

--
849698: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849698
Bug#850154: jessie-pu: package nvidia-graphics-modules/340.101+3.16.0+1
Control: tags -1 + confirmed

On Wed, 2017-01-04 at 14:19 +0100, Andreas Beckmann wrote:
> As a followup to updating nvidia-graphics-drivers to a new upstream
> release, we also need to update the prebuilt kernel modules.

Please go ahead.

Regards,

Adam
Processed: Re: Bug#850154: jessie-pu: package nvidia-graphics-modules/340.101+3.16.0+1
Processing control commands:

> tags -1 + confirmed
Bug #850154 [release.debian.org] jessie-pu: package nvidia-graphics-modules/340.101+3.16.0+1
Added tag(s) confirmed.

--
850154: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850154
Processed: Re: Bug#849865: jessie-pu: package postgresql-common/165+deb8u2
Processing control commands:

> tags -1 + confirmed
Bug #849865 [release.debian.org] jessie-pu: package postgresql-common/165+deb8u2
Added tag(s) confirmed.

--
849865: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849865
Bug#849865: jessie-pu: package postgresql-common/165+deb8u2
Control: tags -1 + confirmed

On Sun, 2017-01-01 at 18:53 +0100, Christoph Berg wrote:
> I would like to upload postgresql-common/165+deb8u2 with the diff
> quoted below to jessie. It's fixing a data-loss bug, and a security
> issue. The issues are already addressed in unstable (both in 178).

Please go ahead.

Regards,

Adam
Processed: Re: Bug#849869: jessie-pu: package unrtf/0.21.5-3
Processing control commands:

> tags -1 + confirmed
Bug #849869 [release.debian.org] jessie-pu: package unrtf/0.21.5-3
Added tag(s) confirmed.

--
849869: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849869
Bug#849869: jessie-pu: package unrtf/0.21.5-3
Control: tags -1 + confirmed

On Sun, 2017-01-01 at 19:59 +0100, Willi Mann wrote:
> As per request of the security team, I intend to upload a security fix
> (CVE-2016-10091) of the unrtf package for the next jessie point release.
>
> The changelog is:
> unrtf (0.21.5-3+deb8u1) stable; urgency=medium
>
> * Add patch from upstream to fix CVE-2016-10091 (buffer overflow in various
> cmd_ functions) closes: 849705

Please go ahead.

Regards,

Adam
Processed: Re: Bug#850084: jessie-pu: package asterisk/1:11.13.1~dfsg-2+deb8u2
Processing control commands:

> tags -1 + confirmed
Bug #850084 [release.debian.org] jessie-pu: package asterisk/1:11.13.1~dfsg-2+deb8u2
Added tag(s) confirmed.

--
850084: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850084
Bug#850084: jessie-pu: package asterisk/1:11.13.1~dfsg-2+deb8u2
Control: tags -1 + confirmed

On Wed, 2017-01-04 at 00:05 +0100, Bernhard Schmidt wrote:
> I would like to fix CVE-2016-9938 (Bug #847668) with the upcoming point
> release.
> The issue has been categorized no-dsa by the security team before.

Please go ahead.

Regards,

Adam
Bug#849962: jessie-pu: package libpng/1.2.50-2+deb8u3
Control: tags -1 + confirmed

On Mon, 2017-01-02 at 17:27 +, Gianfranco Costamagna wrote:
> CVE-2016-10087 is not worth a DSA, Security Team asked for a point release
> update.
>
> diff -Nru libpng-1.2.50/debian/changelog libpng-1.2.50/debian/changelog
> --- libpng-1.2.50/debian/changelog 2016-01-07 20:39:14.0 +0100
> +++ libpng-1.2.50/debian/changelog 2017-01-02 18:24:35.0 +0100
> @@ -1,3 +1,10 @@
> +libpng (1.2.50-2+deb8u3) jessie; urgency=medium
> +
> + * debian/patches/CVE-2016-10087.patch:
> +- cherry-pick upstream fix for CVE-2016-10087

Please go ahead.

Regards,

Adam
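Review bot: the changelog hunk says "cherry-pick upstream fix for CVE-2016-10087" without naming the upstream commit, and the quoted excerpt stops before the rest of the debdiff, so debian/patches/CVE-2016-10087.patch itself is not visible here; add the upstream commit id to the changelog entry (as the harfbuzz update in this thread does) so the backport can be matched against the CVE without opening the patch.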
Processed: Re: Bug#849967: jessie-pu: package exim4/4.84.2-2+deb8u3
Processing control commands:

> tags -1 + confirmed
Bug #849967 [release.debian.org] jessie-pu: package exim4/4.84.2-2+deb8u3
Added tag(s) confirmed.

--
849967: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849967
Processed: Re: Bug#849962: jessie-pu: package libpng/1.2.50-2+deb8u3
Processing control commands:

> tags -1 + confirmed
Bug #849962 [release.debian.org] jessie-pu: package libpng/1.2.50-2+deb8u3
Added tag(s) confirmed.

--
849962: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849962
Bug#849967: jessie-pu: package exim4/4.84.2-2+deb8u3
Control: tags -1 + confirmed

On Mon, 2017-01-02 at 19:44 +0100, Andreas Metzler wrote:
> I (and Heiko from exim upstream) would like to fix #845569 in jessie.
> sid/testing already include the fix, it was part of 4.88~RC6.
>
> The issue is a memleak in the GnuTLS code, the patch is a two line
> change. Heiko has provided a very nice writeup in
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845569#20

Please go ahead.

Regards,

Adam
Bug#850287: RM: readline6 -- remove from testing
user release.debian@packages.debian.org
usertags 850287 + rm
thanks

On 05/01/17 18:26, Matthias Klose wrote:
> Package: release.debian.org
>
> According to #840397, readline6 can now be removed from testing.

emilio@tatooine:~$ dak rm -Rn -s testing readline6
[...]
Checking reverse dependencies...
# Broken Depends:
bashdb: bashdb
heimdal: heimdal-clients [amd64]
         heimdal-kdc [amd64]
         libsl0-heimdal [amd64]
sdb: sdb

sdb and bashdb are scheduled for auto-removal because of this. But heimdal is
blocked on the binutils/mips* bug...

Cheers,
Emilio
Bug#850287: RM: readline6 -- remove from testing
Package: release.debian.org

According to #840397, readline6 can now be removed from testing.
Bug#849020: jessie-pu: package systemd/215-17+deb8u6
On 05.01.2017 at 07:18, Adam D. Barratt wrote:
> Michael, please feel free to upload.

Thanks. Done.

> (I'm assuming that the resulting
> package has had at least some testing on a jessie system already.)

I did test the individual fixes in a jessie VM and lxc container, which
included installing and running the final version of systemd_215-17+deb8u6.

Michael

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Bug#848341: jessie-pu: package intel-microcode/3.20161104.1~deb8u1
On Thu, 05 Jan 2017, Adam D. Barratt wrote:
> On Fri, 2016-12-16 at 10:17 -0200, Henrique de Moraes Holschuh wrote:
> > I would like to update the intel-microcode packages in stable to address
> > several critical errata in newer Intel processors.
> >
> > The updated packages being proposed in this bug report are identical to
> > the ones in unstable/testing and jessie-backports, other than
> > debian/changelog and version numbering.
> >
> > These changes have been tested in unstable since 2016-11-09, in testing
> > since 2016-11-15, and in jessie-backports since 2016-11-17, without any
> > issues being reported.
>
> Please go ahead.

Uploaded. Thank you!

--
Henrique Holschuh
Re: pbseqlib testing migration
On 05/01/17 07:16, Afif Elghraoui wrote:
> I'd like to follow-up on this. I will try for an executive summary in
> case my original message was too long:
>
> * pbseqlib builds three arch:any libraries as well as the arch:all
> libpbseq-dev that depends on all of their -dev packages
>
> * pbseqlib has a new build dependency that does not build on 32-bit
> architectures (all old pbseqlib binaries have already been removed)
>
> * the un-installability of libpbseq-dev on i386 is preventing testing
> migration.
>
> I believe this needs a force-hint. This is also somewhat urgent because
> some rdeps with fixed RC bugs cannot migrate without this one going first.

I have added a force-hint. The package should migrate in ~12 hours.

Cheers,
Emilio
Bug#848365: jessie-pu: package coquelicot/0.9.2-4+deb8u1
Adam D. Barratt:
> Control: tags -1 + moreinfo
>
> On Fri, 2016-12-16 at 18:31 +0100, Jérémy Bobbio wrote:
> > I would like to fix important issues affecting coquelicot in jessie:
> >
> > #809351: properly run coquelicot under the 'coquelicot' user and not
> > as root. It was always intended that way, that's why the cron is running
> > under the coquelicot user already. The issue has been fixed a while ago
> > for stretch (in 0.9.4-1, uploaded September 2015). This backports the
> > changes from the unstable branch which switched to using
> > init-d-script(5).
> >
> > #808018: silence deprecation warnings coming from cron. While the
> > warnings actually come from ruby-fast-gettext, they make the garbage
> > collection cron send an email on every run.
>
> > + sysvinit-utils (>= 2.88dsf-50),
>
> What's that for? sysvinit-utils is Essential:yes.
>
> Hmmm, so the answer appears to be "because that's when init-d-script(5)
> was added". That doesn't really seem like a minimal change for fixing
> the user that the daemon is running as.

You are right. I agree it's not a minimal change but the initscript using
init-d-script has been in Stretch for more than a year. I thought it would
be safer to use a version that has received more testing than to patch the
older one. I could still do that if you'd prefer.

--
Lunar                                .''`.
lu...@debian.org                    : :Ⓐ :  # apt-get install anarchism
                                     `. `'`
                                       `-
Processed: severity of 850196 is normal
Processing commands for cont...@bugs.debian.org:

> severity 850196 normal
Bug #850196 {Done: Niels Thykier} [release.debian.org] unblock: dgit/2.14
Severity set to 'normal' from 'grave'
> thanks
Stopping processing here.

--
850196: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850196