process to include upstream jar sig in Debian-generated jar

2013-08-28 Thread Hans-Christoph Steiner
I want to run an unusual idea by everyone here as an approach to getting an
outside signature into a packaged Java jar built from source on the Debian
build machines: we want to get http://martus.org packaged and into Debian.
Martus is an app that has high requirements for security, so they have a very
careful build and signing process.  They want to be able to include their jar
signature in the jar that is included in the Debian package.

We figured we could structure the build like this:

1) include the official martus.jar in the source tarball
2) after the Debian build process completes, verify that the contents of the
   Debian-generated jar match the contents of the martus-generated jar, except
   for timestamps
3) if that passes, then set the timestamps in the Debian-generated jar to
   match the timestamps in the martus.jar, then copy the signing material into
   place in the Debian-generated jar

That should then result in a Debian-generated jar that has the martus
signature on it.  If Debian Security needed to update the package to fix an
urgent issue, then they could still do so.  The package build process would
only include the upstream signature from martus.jar if it was an exact match.
The security-fixed version would then result in an unsigned jar, which is
standard for jars in Debian.

Is this a workable solution here?

.hc
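
The three-step procedure above (ship upstream jar, compare contents ignoring timestamps, graft the signing material only on an exact match), as an added worked example that is not part of the original mail and not Martus or Debian tooling. It treats the jar as a zip archive and assumes that "signing material" means the manifest plus the META-INF/*.SF and *.RSA/*.DSA/*.EC entries; the class bytes, manifest text, entry names and timestamps below are constructed placeholders.

```python
import hashlib
import io
import zipfile


def is_signing_entry(name: str) -> bool:
    """Entries that carry the upstream signature: the manifest (per-entry
    digests), the signature file (.SF) and the signature block (.RSA/.DSA/.EC)."""
    upper = name.upper()
    return upper == "META-INF/MANIFEST.MF" or (
        upper.startswith("META-INF/") and upper.endswith((".SF", ".RSA", ".DSA", ".EC"))
    )


def content_digests(jar_bytes: bytes) -> dict:
    """Map entry name -> SHA-256 of its uncompressed bytes.

    Signing entries and zip metadata (timestamps) are ignored, so two jars
    compare equal exactly when they ship the same files with the same bytes.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not is_signing_entry(info.filename)
        }


def contents_match(upstream_jar: bytes, rebuilt_jar: bytes) -> bool:
    """Step 2: same entry names and byte-identical contents, timestamps aside."""
    return content_digests(upstream_jar) == content_digests(rebuilt_jar)


def graft_signature(upstream_jar: bytes, rebuilt_jar: bytes):
    """Step 3: rewrite the rebuilt jar with upstream timestamps and upstream
    signing entries. Returns None (the jar stays unsigned) when step 2 fails."""
    if not contents_match(upstream_jar, rebuilt_jar):
        return None
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(upstream_jar)) as up, \
         zipfile.ZipFile(io.BytesIO(rebuilt_jar)) as rb, \
         zipfile.ZipFile(out, "w") as dst:
        # Walk the upstream jar so the signing entries keep their leading position.
        for info in up.infolist():
            data = up.read(info) if is_signing_entry(info.filename) else rb.read(info.filename)
            copy = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            copy.compress_type = info.compress_type
            copy.external_attr = info.external_attr
            dst.writestr(copy, data)
    return out.getvalue()


def entry_times(jar_bytes: bytes) -> dict:
    """Entry name -> zip timestamp, used to confirm the timestamp copy in step 3."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {info.filename: info.date_time for info in zf.infolist()}


def read_entry(jar_bytes: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.read(name)


def make_jar(entries: dict, date_time: tuple) -> bytes:
    """Build a jar from {name: bytes}; every entry gets the same timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zi = zipfile.ZipInfo(name, date_time=date_time)
            zi.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(zi, data)
    return buf.getvalue()


# Constructed sample data: placeholder bytes, not real Martus class files or signatures.
CLASSES = {
    "org/martus/Main.class": b"\xca\xfe\xba\xbe placeholder bytecode for Main",
    "org/martus/Util.class": b"\xca\xfe\xba\xbe placeholder bytecode for Util",
}
UPSTREAM_SIGNING = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n(placeholder per-entry digests)\r\n",
    "META-INF/MARTUS.SF": b"Signature-Version: 1.0\r\n(placeholder manifest digests)\r\n",
    "META-INF/MARTUS.RSA": b"(placeholder PKCS#7 signature block)",
}
DEBIAN_MANIFEST = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\nCreated-By: debian build\r\n"}
UPSTREAM_TIME = (2013, 8, 1, 12, 0, 0)
DEBIAN_TIME = (2013, 8, 28, 9, 30, 0)

UPSTREAM_JAR = make_jar({**UPSTREAM_SIGNING, **CLASSES}, UPSTREAM_TIME)
DEBIAN_JAR = make_jar({**DEBIAN_MANIFEST, **CLASSES}, DEBIAN_TIME)
# A security upload that changed one class: it must not inherit the upstream signature.
PATCHED_JAR = make_jar({**DEBIAN_MANIFEST, **CLASSES, "org/martus/Main.class": b"patched"}, DEBIAN_TIME)

if __name__ == "__main__":
    print("signature grafted:", graft_signature(UPSTREAM_JAR, DEBIAN_JAR) is not None)
    print("patched build stays unsigned:", graft_signature(UPSTREAM_JAR, PATCHED_JAR) is None)
```

Two practical notes: the jar signature covers the uncompressed bytes of each entry (via the manifest digests and the .SF digest of the manifest), not zip timestamps, so the byte-exact comparison is the part that decides whether the grafted signature will verify, while copying the timestamps mainly makes the two archives identical. The real acceptance test for the grafted jar is therefore `jarsigner -verify` on the result, run as part of the package build, with the build failing closed to an unsigned jar whenever that check does not pass.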


Re: [SECURITY] [DSA 2744-1] tiff security update

2013-08-28 Thread debian
Hello,

You are no doubt aware that we are in the holiday period.
It so happens that, to my great pleasure, mine are right now, which is,
unfortunately for you, the moment at which you find it necessary to
contact me.
I will therefore not be able to reply to you until early September.
Thank you for your patience.

Kind regards.

G. Planelles
g.planel...@kelyos.fr




-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20130827153221.31791.qm...@srv10.haisoft.net



Re: [SECURITY] [DSA 2740-1] python-django security update

2013-08-28 Thread Dominic Hargreaves
On Fri, Aug 23, 2013 at 05:53:12PM +, Salvatore Bonaccorso wrote:
> Package: python-django
> Vulnerability  : cross-site scripting vulnerability
> Problem type   : remote
> Debian-specific: no
> 
> Nick Brunn reported a possible cross-site scripting vulnerability in
> python-django, a high-level Python web development framework.
> 
> The is_safe_url utility function used to validate that a used URL is on
> the current host to avoid potentially dangerous redirects from
> maliciously-constructed querystrings, worked as intended for HTTP and
> HTTPS URLs, but permitted redirects to other schemes, such as
> javascript:.
> 
> The is_safe_url function has been modified to properly recognize and
> reject URLs which specify a scheme other than HTTP or HTTPS, to prevent
> cross-site scripting attacks through redirecting to other schemes.
> 
> For the oldstable distribution (squeeze), this problem has been fixed in
> version 1.2.3-3+squeeze6.
> 
> For the stable distribution (wheezy), this problem has been fixed in
> version 1.4.5-1+deb7u1.

Hi,

Are there any plans to update squeeze-backports with this release,
please? (I can do so otherwise).

Cheers,
Dominic.


Archive: http://lists.debian.org/20130828101519.gb19...@urchin.earth.li
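
The DSA quoted above describes the fix in one sentence: is_safe_url checked only the host, so a scheme-only target such as javascript: passed, and the patched version also rejects any scheme other than http or https. The following is an added example, not Django's source and not part of this thread, that reconstructs both behaviours from that description, wires the fixed check into a login-redirect helper, and runs it over constructed access-log lines to flag requests that would have slipped through before the update. The host "example.com", the log lines and the helper names are assumptions.

```python
from urllib.parse import parse_qs, urlparse, urlsplit

ALLOWED_SCHEMES = ("", "http", "https")  # "" covers relative URLs such as /dashboard/


def is_safe_url_before_fix(url, host):
    """Pre-DSA behaviour as the advisory describes it (illustrative reconstruction):
    only the network location is compared, so "javascript:..." has an empty
    netloc and is accepted."""
    if not url:
        return False
    netloc = urlparse(url).netloc
    return not netloc or netloc == host


def is_safe_url(url, host):
    """Post-fix behaviour: host check plus an allowlist of schemes.
    urlparse lowercases the scheme, so "JavaScript:" is caught as well."""
    if not url:
        return False
    parsed = urlparse(url)
    if parsed.netloc and parsed.netloc != host:
        return False
    return parsed.scheme in ALLOWED_SCHEMES


def redirect_target(next_param, host, fallback="/"):
    """What a login view should do with ?next=: use it only if it is safe,
    otherwise fall back to a fixed local path."""
    return next_param if is_safe_url(next_param, host) else fallback


# Constructed access-log lines (common log format); not from any real server.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [28/Aug/2013:10:15:19 +0000] "GET /login/?next=/dashboard/ HTTP/1.1" 200 512',
    '10.0.0.7 - - [28/Aug/2013:10:15:23 +0000] "GET /login/?next=javascript%3Aalert(1) HTTP/1.1" 200 512',
    '10.0.0.9 - - [28/Aug/2013:10:15:30 +0000] "GET /login/?next=http%3A%2F%2Fevil.example%2F HTTP/1.1" 200 512',
]


def unsafe_redirect_requests(log_lines, host):
    """Detection pass: return (client, next value) pairs whose ?next= the fixed
    is_safe_url would reject. Useful for reviewing logs from before the update."""
    hits = []
    for line in log_lines:
        client = line.split(" ", 1)[0]
        request_target = line.split('"')[1].split(" ")[1]  # path+query of the request line
        for candidate in parse_qs(urlsplit(request_target).query).get("next", []):
            if not is_safe_url(candidate, host):
                hits.append((client, candidate))
    return hits


if __name__ == "__main__":
    for url in ["/dashboard/", "javascript:alert(1)", "http://evil.example/"]:
        print(f"{url!r}: before={is_safe_url_before_fix(url, 'example.com')} "
              f"after={is_safe_url(url, 'example.com')}")
    for client, target in unsafe_redirect_requests(SAMPLE_ACCESS_LOG, "example.com"):
        print(f"unsafe next= from {client}: {target!r}")
```

Django's own implementation was tightened again in later releases for further parser edge cases, so treat this as an illustration of the scheme check the DSA describes rather than a drop-in replacement for the packaged function.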