Re: New DD applications from the team: wiene and sge
Hi Samuel,

On 2024-06-08 14:30:40, Samuel Henrique wrote:
>> I am excited to let you know that Peter and me completed our exams
>> successfully and have been granted DD access this morning.
>
> Awesome! Congratulations to you both!

thank you very much!

>> My appreciation goes to everybody I worked with during the last few
>> years, especially Samuel, for their support and their highly valuable
>> feedback to my work.
>
> Appreciate it, you and Peter made it easy for me as a reviewer :)

I can only underline what Sven wrote. I am deeply grateful for all the
support and advice I received.

>> I am looking forward to extending contributing to the team and the
>> Debian Project in its entirety.
>
> Also consider attending a DebConf or MiniDebConf near you. DebConf25 will be
> in France and the project can cover some or all of your costs through the
> bursary program (applications for DC24 are closed already).
>
> If we ever get enough people and a plan, we can even organize an in-person
> BSP for the team (again, the project can cover some/all of the costs). As
> few as 4/5 people should be enough to organize something as long as we have
> a plan of things to work on.

I attended the MiniDebConf in Berlin three weeks ago and I really enjoyed it.
I am looking forward to more in-person Debian events. :-)

Best regards
Peter
Re: RFS: HexWalk Request for sponsor
Hello Carmine,

> Thank you for your time, actually the reviewers on mentors started only a few
> days ago, it's the first time that I submit a package to debian, so pardon me
> if I didn't follow all the best practices.

Nothing to be sorry for, don't worry.

> I think I have caught your point, as long as the package is going on on
> mentors it is redundant to work on it on your side,

Yes, to be more clear, you can submit the package to be maintained within the
team, then we can perform the review and upload for you. For this to happen,
though, the package will have to be maintained on salsa under the team,
otherwise it will become impossible/cumbersome for the team to contribute.

If you prefer to keep the packaging bundled with the upstream sources, in the
same repo, and/or outside of salsa, then you would have to request review from
someone else on mentors (as you're doing now). This requires a special workflow
for submitting new packaging revisions vs. new upstream releases, but some
people might prefer it this way.

Cheers

-- 
Samuel Henrique
Re: New DD applications from the team: wiene and sge
Hello everyone,

> I am excited to let you know that Peter and me completed our exams
> successfully and have been granted DD access this morning.

Awesome! Congratulations to you both!

> My appreciation goes to everybody I worked with during the last few
> years, especially Samuel, for their support and their highly valuable
> feedback to my work.

Appreciate it, you and Peter made it easy for me as a reviewer :)

> I am looking forward to extending contributing to the team and the
> Debian Project in its entirety.

Also consider attending a DebConf or MiniDebConf near you. DebConf25 will be
in France and the project can cover some or all of your costs through the
bursary program (applications for DC24 are closed already).

If we ever get enough people and a plan, we can even organize an in-person BSP
for the team (again, the project can cover some/all of the costs). As few as
4/5 people should be enough to organize something as long as we have a plan of
things to work on.

Cheers,

-- 
Samuel Henrique
External check
CVE-2024-37280: missing from list
CVE-2024-5742: missing from list
--
The output might be a bit terse, but the above ids are known elsewhere, check
the references in the tracker. The second part indicates the status of that id
in the tracker at the moment the script was run.
External check
CVE-2024-23445: missing from list
CVE-2024-3049: TODO: check
CVE-2024-3716: TODO: check
CVE-2024-37279: missing from list
CVE-2024-4812: TODO: check
CVE-2024-5154: missing from list
--
The output might be a bit terse, but the above ids are known elsewhere, check
the references in the tracker. The second part indicates the status of that id
in the tracker at the moment the script was run.
External check
CVE-2024-3716: TODO: check
CVE-2024-4812: TODO: check
CVE-2024-5037: TODO: check
--
The output might be a bit terse, but the above ids are known elsewhere, check
the references in the tracker. The second part indicates the status of that id
in the tracker at the moment the script was run.
[SECURITY] [DSA 5706-1] libarchive security update
Debian Security Advisory DSA-5706-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
June 05, 2024                         https://www.debian.org/security/faq

Package        : libarchive
CVE ID         : CVE-2024-26256
Debian Bug     : 1072107

An integer overflow vulnerability in the rar e8 filter was discovered in
libarchive, a multi-format archive and compression library, which may result
in the execution of arbitrary code if a specially crafted RAR archive is
processed.

For the stable distribution (bookworm), this problem has been fixed in
version 3.6.2-1+deb12u1.

We recommend that you upgrade your libarchive packages.

For the detailed security status of libarchive please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/libarchive

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5705-1] tinyproxy security update
Debian Security Advisory DSA-5705-1                   secur...@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
June 05, 2024                         https://www.debian.org/security/faq

Package        : tinyproxy
CVE ID         : CVE-2023-49606

A use-after-free was discovered in tinyproxy, a lightweight, non-caching,
optionally anonymizing HTTP proxy, which could result in denial of service.

For the stable distribution (bookworm), this problem has been fixed in
version 1.11.1-2.1+deb12u1.

We recommend that you upgrade your tinyproxy packages.

For the detailed security status of tinyproxy please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/tinyproxy

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5704-1] pillow security update
Debian Security Advisory DSA-5704-1                   secur...@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
June 05, 2024                         https://www.debian.org/security/faq

Package        : pillow
CVE ID         : CVE-2023-44271 CVE-2023-50447 CVE-2024-28219

Multiple security issues were discovered in Pillow, a Python imaging library,
which could result in denial of service or the execution of arbitrary code if
malformed images are processed.

For the oldstable distribution (bullseye), these problems have been fixed in
version 8.1.2+dfsg-0.3+deb11u2.

For the stable distribution (bookworm), these problems have been fixed in
version 9.4.0-1.1+deb12u1.

We recommend that you upgrade your pillow packages.

For the detailed security status of pillow please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/pillow

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
External check
CVE-2019-14493: missing from list
CVE-2019-14494: missing from list
CVE-2019-14513: missing from list
CVE-2019-14540: missing from list
CVE-2019-14553: missing from list
CVE-2019-14558: missing from list
CVE-2019-14559: missing from list
CVE-2019-14560: missing from list
CVE-2023-1419: RESERVED
--
The output might be a bit terse, but the above ids are known elsewhere, check
the references in the tracker. The second part indicates the status of that id
in the tracker at the moment the script was run.
[SECURITY] [DSA 5703-1] linux security update
Debian Security Advisory DSA-5703-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
June 02, 2024                         https://www.debian.org/security/faq

Package        : linux
CVE ID         : CVE-2022-48655 CVE-2023-52585 CVE-2023-52882 CVE-2024-26900
                 CVE-2024-27398 CVE-2024-27399 CVE-2024-27401 CVE-2024-35848
                 CVE-2024-35947 CVE-2024-36017 CVE-2024-36031 CVE-2024-36883
                 CVE-2024-36886 CVE-2024-36889 CVE-2024-36902 CVE-2024-36904
                 CVE-2024-36905 CVE-2024-36916 CVE-2024-36919 CVE-2024-36929
                 CVE-2024-36933 CVE-2024-36934 CVE-2024-36939 CVE-2024-36940
                 CVE-2024-36941 CVE-2024-36946 CVE-2024-36950 CVE-2024-36953
                 CVE-2024-36954 CVE-2024-36957 CVE-2024-36959

Several vulnerabilities have been discovered in the Linux kernel that may
lead to a privilege escalation, denial of service or information leaks.

For the oldstable distribution (bullseye), these problems have been fixed in
version 5.10.218-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
External check
CVE-2024-21506: TODO: check
--
The output might be a bit terse, but the above ids are known elsewhere, check
the references in the tracker. The second part indicates the status of that id
in the tracker at the moment the script was run.
[SECURITY] [DSA 5702-1] gst-plugins-base1.0 security update
Debian Security Advisory DSA-5702-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
June 01, 2024                         https://www.debian.org/security/faq

Package        : gst-plugins-base1.0
CVE ID         : CVE-2024-4453

An integer overflow in the EXIF metadata parsing was discovered in the
GStreamer media framework, which may result in denial of service or
potentially the execution of arbitrary code if a malformed file is processed.

For the oldstable distribution (bullseye), this problem has been fixed in
version 1.18.4-2+deb11u2.

For the stable distribution (bookworm), this problem has been fixed in
version 1.22.0-3+deb12u2.

We recommend that you upgrade your gst-plugins-base1.0 packages.

For the detailed security status of gst-plugins-base1.0 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-base1.0

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
External check
CVE-2024-21506: TODO: check
--
The output might be a bit terse, but the above ids are known elsewhere, check
the references in the tracker. The second part indicates the status of that id
in the tracker at the moment the script was run.
Re: New DD applications from the team: wiene and sge
Hi Samuel and Team,

On Sun, 2024-03-03 at 18:10 +, Samuel Henrique wrote:
> Peter Wienemann and Sven Geuer just started their DD application:
> https://nm.debian.org/process/1264
> https://nm.debian.org/process/1268
>
> They are long time contributors and I'm happy we are having them as DDs.
>
> If you've interacted with them on the team, you can consider advocating.
>
> If you're a member of the team and are interested in applying for DM or DD,
> please let me know and I can do an assessment for you. This will give you some
> perspective on what's missing for someone to advocate, or maybe if all the
> requirements are fulfilled, you could start your process too.
> I want to make sure people's work doesn't get unnoticed in the team.
>
> For Peter and Sven, good luck on your DD exam now :)

I am excited to let you know that Peter and me completed our exams
successfully and have been granted DD access this morning.

My appreciation goes to everybody I worked with during the last few years,
especially Samuel, for their support and their highly valuable feedback to my
work.

I am looking forward to extending contributing to the team and the Debian
Project in its entirety.

Regards,
Sven

-- 
GPG Fingerprint 3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585
[SECURITY] [DSA 5701-1] chromium security update
Debian Security Advisory DSA-5701-1                   secur...@debian.org
https://www.debian.org/security/                             Andres Salomon
May 31, 2024                          https://www.debian.org/security/faq

Package        : chromium
CVE ID         : CVE-2024-5493 CVE-2024-5494 CVE-2024-5495 CVE-2024-5496
                 CVE-2024-5497 CVE-2024-5498 CVE-2024-5499

Security issues were discovered in Chromium, which could result in the
execution of arbitrary code, denial of service or information disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 125.0.6422.141-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
External check
CVE-2024-31079: TODO: check
CVE-2024-32760: TODO: check
CVE-2024-34161: TODO: check
CVE-2024-35200: TODO: check
--
The output might be a bit terse, but the above ids are known elsewhere, check
the references in the tracker. The second part indicates the status of that id
in the tracker at the moment the script was run.
[SECURITY] [DSA 5700-1] python-pymysql security update
Debian Security Advisory DSA-5700-1                   secur...@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
May 29, 2024                          https://www.debian.org/security/faq

Package        : python-pymysql
CVE ID         : CVE-2024-36039

An SQL injection was discovered in pymysql, a pure Python MySQL driver.

For the oldstable distribution (bullseye), this problem has been fixed in
version 0.9.3-2+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in
version 1.0.2-2+deb12u1.

We recommend that you upgrade your python-pymysql packages.

For the detailed security status of python-pymysql please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/python-pymysql

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
External check
CVE-2024-2199: TODO: check
--
The output might be a bit terse, but the above ids are known elsewhere, check
the references in the tracker. The second part indicates the status of that id
in the tracker at the moment the script was run.
External check
CVE-2023-50977: TODO: check
CVE-2024-26256: TODO: check
CVE-2024-35219: TODO: check
--
The output might be a bit terse, but the above ids are known elsewhere, check
the references in the tracker. The second part indicates the status of that id
in the tracker at the moment the script was run.
External check
CVE-2018-11307: missing from list
CVE-2018-1131: missing from list
CVE-2018-1132: missing from list
CVE-2018-11354: missing from list
CVE-2018-11355: missing from list
CVE-2018-11356: missing from list
CVE-2018-11357: missing from list
CVE-2018-11358: missing from list
--
The output might be a bit terse, but the above ids are known elsewhere, check
the references in the tracker. The second part indicates the status of that id
in the tracker at the moment the script was run.
Re: RFS: HexWalk Request for sponsor
Hi Samuel,

Thank you for your time, actually the reviewers on mentors started only a few
days ago, it's the first time that I submit a package to debian, so pardon me
if I didn't follow all the best practices.

I think I have caught your point, as long as the package is going on on
mentors it is redundant to work on it on your side,

Thank you again,

Best Regards,
Carmix

On Sat 25 May 2024, 13:41 Samuel Henrique wrote:
> Hello Carmine,
>
> > Anyway could you simply use the package that I have generated on mentors?
>
> Now I understand it better, yes the one on mentors does build, and in your
> sources you put the packaging under deb-packaging.
>
> From a technical standpoint, the package has a few lintian findings that have
> to be fixed before the upload.
>
> I recommend you set up a lintian hook in pdebuild, or use another solution
> which integrates with lintian, or even call lintian manually over the
> artifacts.
>
> That's going to be useful even as upstream because lintian calls out upstream
> issues too, for example in this case there's lack of hardening and a typo on
> "Highlighting".
>
> Now, on the maintenance side, I see that the package is not under the
> pkg-security team (d/control), which is fine.
>
> If the package were to be in the team, we would have to keep the packaging
> separated from upstream (in a different git repo), because with the current way
> it's not really possible to team-maintain the package. The packaging repo would
> have all three branches we use (pristine-tar, upstream and debian/unstable),
> the packaging would live in the debian/ folder, and the repo would live on
> salsa.
>
> Again, it's totally fine to not have the package under the team, if you want to
> keep it all in a single git repo, and I see you already got some reviews on
> mentors.
>
> It's just that unfortunately I can't keep reviewing the package, I already have
> too many things to do for the team-owned ones and I have to prioritize those.
>
> That is pretty much a never-ending task, so I rarely have time to do
> reviews outside of the team, my own packages, or the people I mentor directly.
> Sorry.
>
> Cheers,
>
> -- 
> Samuel Henrique
Re: RFS: HexWalk Request for sponsor
Hello Carmine,

> Anyway could you simply use the package that I have generated on mentors?

Now I understand it better, yes the one on mentors does build, and in your
sources you put the packaging under deb-packaging.

From a technical standpoint, the package has a few lintian findings that have
to be fixed before the upload.

I recommend you set up a lintian hook in pdebuild, or use another solution
which integrates with lintian, or even call lintian manually over the
artifacts.

That's going to be useful even as upstream because lintian calls out upstream
issues too, for example in this case there's lack of hardening and a typo on
"Highlighting".

Now, on the maintenance side, I see that the package is not under the
pkg-security team (d/control), which is fine.

If the package were to be in the team, we would have to keep the packaging
separated from upstream (in a different git repo), because with the current way
it's not really possible to team-maintain the package. The packaging repo would
have all three branches we use (pristine-tar, upstream and debian/unstable),
the packaging would live in the debian/ folder, and the repo would live on
salsa.

Again, it's totally fine to not have the package under the team, if you want to
keep it all in a single git repo, and I see you already got some reviews on
mentors.

It's just that unfortunately I can't keep reviewing the package, I already have
too many things to do for the team-owned ones and I have to prioritize those.

That is pretty much a never-ending task, so I rarely have time to do reviews
outside of the team, my own packages, or the people I mentor directly. Sorry.

Cheers,

-- 
Samuel Henrique
[SECURITY] [DSA 5699-1] redmine security update
Debian Security Advisory DSA-5699-1                   secur...@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
May 24, 2024                          https://www.debian.org/security/faq

Package        : redmine
CVE ID         : CVE-2023-47258 CVE-2023-47259 CVE-2023-47260

Multiple cross-site scripting vulnerabilities were found in Redmine, a
project management web application.

For the stable distribution (bookworm), these problems have been fixed in
version 5.0.4-5+deb12u1.

We recommend that you upgrade your redmine packages.

For the detailed security status of redmine please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/redmine

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5698-1] ruby-rack security update
Debian Security Advisory DSA-5698-1                   secur...@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
May 24, 2024                          https://www.debian.org/security/faq

Package        : ruby-rack
CVE ID         : CVE-2024-25126 CVE-2024-26141 CVE-2024-26146

Multiple security issues were found in Rack, an interface for developing web
applications in Ruby, which could result in denial of service.

For the oldstable distribution (bullseye), these problems have been fixed in
version 2.1.4-3+deb11u2.

For the stable distribution (bookworm), these problems have been fixed in
version 2.2.6.4-1+deb12u1.

We recommend that you upgrade your ruby-rack packages.

For the detailed security status of ruby-rack please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/ruby-rack

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5697-1] chromium security update
Debian Security Advisory DSA-5697-1                   secur...@debian.org
https://www.debian.org/security/                             Andres Salomon
May 24, 2024                          https://www.debian.org/security/faq

Package        : chromium
CVE ID         : CVE-2024-5274

A security issue was discovered in Chromium, which could result in the
execution of arbitrary code, denial of service or information disclosure.

Google is aware that an exploit for CVE-2024-5274 exists in the wild.

For the stable distribution (bookworm), this problem has been fixed in
version 125.0.6422.112-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
External check
CVE-2006-4811: missing from list
CVE-2006-4812: missing from list
CVE-2006-4813: missing from list
CVE-2006-4814: missing from list
CVE-2006-4842: missing from list
CVE-2006-4924: missing from list
CVE-2006-4925: missing from list
CVE-2006-4980: missing from list
CVE-2006-4997: missing from list
CVE-2006-5051: missing from list
CVE-2006-5052: missing from list
CVE-2006-5158: missing from list
CVE-2006-5159: missing from list
CVE-2006-5160: missing from list
--
The output might be a bit terse, but the above ids are known elsewhere, check
the references in the tracker. The second part indicates the status of that id
in the tracker at the moment the script was run.
Re: RFS: HexWalk Request for sponsor
Hi Samuel,

I just updated the repo both on git and on mentors with your hints:
https://mentors.debian.net/package/hexwalk

For packaging I'm using a different method than yours, I use
"pdebuild --debbuildopts -sa --debsign-k xx"

Effectively I noticed that the "debian" folder is not enough for you to reproduce my building environment, I just added a folder (/deb-packaging) in the git that I hope helps.

In my build environment inside deb-packaging/hexwalk-1.7.1 I add the src/ folder and inside it I put these two folders contained in the root of the git repo:
hexwalk/
src/

I see that it is not so straightforward but it seems to work. Anyway could you simply use the package that I have generated on mentors?

Thank you again for your time,
Carmix

On 21/05/2024 22:55, Samuel Henrique wrote:
> Hello Carmine,
>
> On Tue, 21 May 2024 at 05:41, Carmine wrote:
>> Thank you for your time, I'll try to fix the issues by myself and will return to you asap.
>> The strange thing is that I already generated the package here:
>> https://mentors.debian.net/package/hexwalk/
>> and I didn't face all these issues
>> Am I missing something?
>
> Hmm, how are you building the package?
>
> Here are the steps to reproduce the failure:
>
> git clone https://github.com/gcarmix/HexWalk.git
> cd HexWalk/
> sed -i "s/stable/unstable/" debian/changelog
> origtargz # to generate the orig tarball
> sbuild
>
> Cheers,
>
> --
> Samuel Henrique
[SECURITY] [DSA 5696-1] chromium security update
Debian Security Advisory DSA-5696-1                  secur...@debian.org
https://www.debian.org/security/                          Andres Salomon
May 22, 2024                          https://www.debian.org/security/faq

Package        : chromium
CVE ID         : CVE-2024-5157 CVE-2024-5158 CVE-2024-5159 CVE-2024-5160

Security issues were discovered in Chromium, which could result in the
execution of arbitrary code, denial of service or information disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 125.0.6422.76-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5695-1] webkit2gtk security update
Debian Security Advisory DSA-5695-1                  secur...@debian.org
https://www.debian.org/security/                          Alberto Garcia
May 22, 2024                          https://www.debian.org/security/faq

Package        : webkit2gtk
CVE ID         : CVE-2024-27834

The following vulnerabilities have been discovered in the WebKitGTK web
engine:

CVE-2024-27834

    Manfred Paul discovered that an attacker with arbitrary read and write
    capability may be able to bypass Pointer Authentication.

For the oldstable distribution (bullseye), this problem has been fixed in
version 2.44.2-1~deb11u1.

For the stable distribution (bookworm), this problem has been fixed in
version 2.44.2-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
External check
CVE-2024-29651: TODO: check
CVE-2024-31989: TODO: check
CVE-2024-3744: TODO: check
CVE-2024-5148: missing from list
--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
Re: RFS: HexWalk Request for sponsor
Hello Carmine,

On Tue, 21 May 2024 at 05:41, Carmine wrote:
> Thank you for your time, I'll try to fix the issues by myself and will return
> to you asap.
> The strange thing is that I already generated the package here:
> https://mentors.debian.net/package/hexwalk/
>
> and I didn't face all these issues
>
> Am I missing something?

Hmm, how are you building the package?

Here are the steps to reproduce the failure:

git clone https://github.com/gcarmix/HexWalk.git
cd HexWalk/
sed -i "s/stable/unstable/" debian/changelog
origtargz # to generate the orig tarball
sbuild

Cheers,

--
Samuel Henrique
External check
CVE-2024-3744: TODO: check
--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
Re: RFS: HexWalk Request for sponsor
Hi Samuel,

Thank you for your time, I'll try to fix the issues by myself and will return to you asap.
The strange thing is that I already generated the package here:
https://mentors.debian.net/package/hexwalk/

and I didn't face all these issues

Am I missing something?

Thank you again,
Carmix

On Tue, 21 May 2024, 00:00, Samuel Henrique wrote:
> Hello carmix,
>
> I've had some time to review the package today, I didn't review everything in
> depth so there might be more comments after these changes.
>
> 1) d/changelog: unstable distribution
> I see that you're targeting "stable" in the changelog, but in Debian we do
> uploads to unstable or experimental, new packages can only get to stable
> through stable-backports (and that's after the package migrates from unstable
> to testing).
> You can read more about it here:
> https://backports.debian.org/
> This diagram shows the workflow of packages:
> https://wiki.debian.org/DebianReleases#Workflow
>
> For more information, I suggest reading about the Debian release process.
>
> 2) debian/compat: deprecated file
> We don't use this file anymore, check the following manpage section for
> details:
>
> https://manpages.debian.org/unstable/debhelper/debhelper.7.en.html#COMPATIBILITY_LEVELS
>
> 3) Build fails
> I'm not able to build the package, it fails with missing file errors, like:
>
> dh_install: warning: Cannot find (any matches for) "hexwalk.ico" (tried
> in ., debian/tmp)
> I think the solution to this might fall under #4 below.
>
> In order for a review to be done, the package needs to be buildable, if not,
> then I suggest reaching out for help with the specific issues.
>
> 4) No build system
> It doesn't seem like debhelper is building anything, changes need to be done to
> actually trigger the build, they will depend on the buildsystem you use.
>
> You can search for how other packages make use of qmake here:
> https://codesearch.debian.net/search?q=qmake=1=1
>
> I believe finding someone to help you more directly would be useful, packaging
> is hard and I know how tough it is to be in this position.
>
> But also, you don't necessarily need to do the packaging yourself, if you
> prefer, you can open an RFP bug (or turn your RFS into an RFP), this would be a
> request for someone to package it.
>
> The only reason I'm saying this is because usually upstreams don't want to get
> too much involved in packaging, but if you do, that's great.
>
> Cheers,
>
> --
> Samuel Henrique
Re: Request to join your team as new member
Hello Alicherif,

On Mon, 20 May 2024 at 14:54, Alicherif Samir wrote:
> I'm working on the Wapiti web scanner with a team of motivated people, and we
> want to see our work published on the Salsa repositories.

That's great, feel free to send an MR against the debian branch, you can skip doing an MR for the pristine-tar and upstream branches (but they need to be updated in your fork).

> As nobody packages Wapiti anymore, I'd like to take care of it.

That's not true, the package is still under the team and someone ought to package the latest version eventually. It's still being taken care of, but contributions are very much welcomed!

> Now that you know what I want to do, let me introduce myself. I'm Samir. I am
> a developer passionate about many subjects, including Cyber Security and Risk
> Management. I work for a company that publishes vulnerability management
> software.

Awesome, we don't have a strict definition of being part of the team, so for any MRs you make against wapiti, feel free to use "Team upload" in the changelog.

Salsa does have the concept of the team, for the pkg-security namespace, but any members added will have permissions across all repos maintained by the team, so we tend to only add people if needed/after some contributions.

This doesn't stop others from contributing, as anyone is allowed to send an MR doing a "Team upload" (d/changelog).

Welcome!

--
Samuel Henrique
Re: Request to join as new member
Hello Simon,

On Sat, 11 May 2024 at 10:59, Simon Josefsson wrote:
> I'm not up to speed on all the pkg-security tooling, so please review
> and fix anything that needs fixing. I feel uncomfortable having a salsa
> write permission token in plain text on my laptop, which seemed required
> to use some of the suggested tools -- hopefully none of that stuff is
> critical, and if important could be fixed by others too? It felt like
> going down someone's personal work flow understanding, which is great
> for inspiration (I quickly agreed with most concepts) but may require
> some more polishing before everyone can adapt. I had the same feeling
> when adapting to the Debian Go Packaging workflow, most of the workflow
> concepts are great improvements but deep below some assumptions that may
> not be universal are made. I hope to learn and adapt though.

I think only a few people use the tools at https://salsa.debian.org/pkg-security-team/pkg-security-team. You should be definitely fine without using it.

The feature we get is standardization of the packaging, the main one being setting up the IRC and BTS hooks, but then the logic around branch names is outdated :(. I should take some time to update that wiki and the scripts... But for now, feel free to skip that.

> Regarding having the repository in debian/ but still use pkg-security
> group maintenance, I'll think about that some more, but you can tell
> from my decision to move libntlm to pkg-security that I wanted to give
> this approach a try first.

Ack, I'm interested in your findings after trying it out for a bit.

Cheers,

--
Samuel Henrique
Re: pkg-security-team vs debian namespace
Hello Simon,

On Sat, 11 May 2024 at 11:51, Simon Josefsson wrote:
> Following up on the namespace question separately. To clarify: I'm not
> proposing any change. I'm mostly trying to learn and understand why
> some decisions were made and if the rationale still apply.

No worries, I think there's definitely room for improvement. I've been having discussions like this with the other curl maintainers but we haven't managed to find a good alternative for the issue yet.

If you're going to attend DebConf, I'd love to chat about this with you (I have seen your emails on other threads and it looks like we are aligned on how we view the issue).

> Samuel Henrique writes:
>
>> Downsides of keeping the packaging under debian/:
>> * Lack of the salsa's view of current opened MRs, as seen on
>> https://salsa.debian.org/groups/pkg-security-team/-/merge_requests. This is
>> the biggest downside in my opinion.
>
> Couldn't this easily be solved by tagging merge requests for
> pkg-security-related packages with a tag, and search for that? Assuming
> all pkg-security-team packages were to be moved to /debian/ (for sake of
> discussing this aspect). I'm not familiar enough with GitLab workflows
> to tell if using Assignee, Reviewer, Label, Environment or some other
> tag though then you could go to this page, using label CI as an
> example but CI would be replaced with PKG-SECURITY or similar:
>
> https://salsa.debian.org/groups/debian/-/merge_requests?scope=all=opened_name[]=CI

That would work, yes, but I don't think there's a straightforward way to automate this. It's an interesting idea nonetheless...

>> * Team contributors who have received permissions to push to all team-owned
>> repos (before becoming DDs) will still not be able to push to the packages
>> under debian/. This is not a huge issue because they can still open MRs, but
>> the process to contribute becomes a bit more cumbersome.
>
> Is there any documented policy for /debian/ packages including group
> membership policy? Maybe lack of documented policy for /debian/ is the
> biggest problem here though, it isn't even possible to evaluate if the
> policies are compatible.

Not that I'm aware, what's done in practice is that all DDs get permission to push to the debian namespace.

The way we handle the concept of teams on debian is not very well defined, for good or for bad. We miss a few things to get an ideal process, but one that often gets to my mind is the ability for multiple teams to own the same package.

For example, a security-related package written in python should be set up so that both the security-tools and the python team are able to push to git (and to upload) as a team upload.

If we go further, we can also say that any DD is allowed to push and upload, while still keeping a team under its maintenance umbrella (the people from the team would be the ones receiving bug reports, watching MRs, etc...).

Cheers,

--
Samuel Henrique
Re: RFS: HexWalk Request for sponsor
Hello carmix,

I've had some time to review the package today, I didn't review everything in depth so there might be more comments after these changes.

1) d/changelog: unstable distribution
I see that you're targeting "stable" in the changelog, but in Debian we do uploads to unstable or experimental, new packages can only get to stable through stable-backports (and that's after the package migrates from unstable to testing).
You can read more about it here:
https://backports.debian.org/
This diagram shows the workflow of packages:
https://wiki.debian.org/DebianReleases#Workflow

For more information, I suggest reading about the Debian release process.

2) debian/compat: deprecated file
We don't use this file anymore, check the following manpage section for details:

https://manpages.debian.org/unstable/debhelper/debhelper.7.en.html#COMPATIBILITY_LEVELS

3) Build fails
I'm not able to build the package, it fails with missing file errors, like:

> dh_install: warning: Cannot find (any matches for) "hexwalk.ico" (tried in .,
> debian/tmp)

I think the solution to this might fall under #4 below.

In order for a review to be done, the package needs to be buildable, if not, then I suggest reaching out for help with the specific issues.

4) No build system
It doesn't seem like debhelper is building anything, changes need to be done to actually trigger the build, they will depend on the buildsystem you use.

You can search for how other packages make use of qmake here:
https://codesearch.debian.net/search?q=qmake=1=1

I believe finding someone to help you more directly would be useful, packaging is hard and I know how tough it is to be in this position.

But also, you don't necessarily need to do the packaging yourself, if you prefer, you can open an RFP bug (or turn your RFS into an RFP), this would be a request for someone to package it.

The only reason I'm saying this is because usually upstreams don't want to get too much involved in packaging, but if you do, that's great.

Cheers,

--
Samuel Henrique
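A pre-upload lint for the three packaging points raised in this review (changelog distribution, the deprecated debian/compat file, and a debian/rules that never hands control to dh), as an added shell example that is not from the thread or the HexWalk project. It constructs its own broken debian/ tree in a temporary directory so it runs offline; the qmake build system and the qtbase5-dev build-dependency used in the "fixed" tree are assumptions, not taken from the project.

```shell
#!/bin/sh
# Added example (not from the original thread or the HexWalk project):
# a pre-upload lint for the three points raised in the review above.
# Every check prints a one-line verdict and returns 0 (ok) or 1 (problem).

# 1) debian/changelog must target unstable or experimental, never stable.
check_changelog_distribution() {
    changelog="$1/debian/changelog"
    [ -f "$changelog" ] || { echo "problem: $changelog is missing"; return 1; }
    # First line has the form: "hexwalk (1.7.1-1) unstable; urgency=medium"
    dist=$(head -n 1 "$changelog" | sed -n 's/^[^ ]* ([^)]*) \([^;]*\);.*/\1/p')
    case "$dist" in
        unstable|experimental)
            echo "ok: changelog targets $dist"; return 0 ;;
        *)
            echo "problem: changelog targets '$dist', upload to unstable or experimental"
            return 1 ;;
    esac
}

# 2) debian/compat is deprecated; the level belongs in a
#    "debhelper-compat (= N)" build-dependency in debian/control.
check_no_compat_file() {
    if [ -f "$1/debian/compat" ]; then
        echo "problem: debian/compat is deprecated, declare debhelper-compat in debian/control"
        return 1
    fi
    if grep -q 'debhelper-compat' "$1/debian/control" 2>/dev/null; then
        echo "ok: compat level declared via debhelper-compat"; return 0
    fi
    echo "problem: no compat level found at all"
    return 1
}

# 3) debian/rules must hand control to dh, otherwise debhelper builds nothing.
check_rules_build_system() {
    rules="$1/debian/rules"
    [ -f "$rules" ] || { echo "problem: $rules is missing"; return 1; }
    if grep -Eq '^[[:space:]]*dh[[:space:]]+\$@' "$rules"; then
        echo "ok: debian/rules invokes dh"; return 0
    fi
    echo "problem: debian/rules never invokes dh, nothing will be built"
    return 1
}

# Runs all checks; the return value is the number of problems found.
lint_packaging() {
    problems=0
    check_changelog_distribution "$1" || problems=$((problems + 1))
    check_no_compat_file "$1" || problems=$((problems + 1))
    check_rules_build_system "$1" || problems=$((problems + 1))
    return "$problems"
}

# Constructed sample tree reproducing the state the review describes
# ("stable" in the changelog, a debian/compat file, a rules file that never
# calls dh). Prints the directory it created.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/debian"
    printf 'hexwalk (1.7.1-1) stable; urgency=medium\n\n  * Initial release.\n\n -- Example Maintainer <maint@example.invalid>  Mon, 20 May 2024 00:00:00 +0000\n' > "$dir/debian/changelog"
    printf '13\n' > "$dir/debian/compat"
    printf 'Source: hexwalk\nBuild-Depends: debhelper (>= 13)\n' > "$dir/debian/control"
    printf '#!/usr/bin/make -f\n%%:\n\techo "nothing is built here"\n' > "$dir/debian/rules"
    echo "$dir"
}

# Applies the fixes the review asks for. Assumption: upstream builds with
# qmake, so dh is told --buildsystem=qmake (not taken from the project).
fix_sample_tree() {
    printf 'hexwalk (1.7.1-1) unstable; urgency=medium\n\n  * Initial release.\n\n -- Example Maintainer <maint@example.invalid>  Mon, 20 May 2024 00:00:00 +0000\n' > "$1/debian/changelog"
    rm -f "$1/debian/compat"
    printf 'Source: hexwalk\nBuild-Depends: debhelper-compat (= 13), qtbase5-dev\n' > "$1/debian/control"
    printf '#!/usr/bin/make -f\n%%:\n\tdh $@ --buildsystem=qmake\n' > "$1/debian/rules"
}

# Demo: lint the constructed tree before and after the fixes.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    echo "== before fixes =="; lint_packaging "$tree" || echo "$? problem(s) found"
    fix_sample_tree "$tree"
    echo "== after fixes =="; lint_packaging "$tree" && echo "no problems found"
    rm -rf "$tree"
fi
```

Run it with `--demo` to see three problems reported before the fixes and none after; point `lint_packaging` at a real source tree to check your own packaging.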
Request to join your team as new member
Hello there,

I'm working on the Wapiti web scanner with a team of motivated people, and we want to see our work published on the Salsa repositories.

As nobody packages Wapiti anymore, I'd like to take care of it.

Now that you know what I want to do, let me introduce myself. I'm Samir. I am a developer passionate about many subjects, including Cyber Security and Risk Management. I work for a company that publishes vulnerability management software.

Cheers,
Samir
External check
CVE-2024-3744: TODO: check
CVE-2024-5042: TODO: check
--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)
Hello everyone,

Just wondering if the Security team could spend some time evaluating my proposal.

Feedback from others is always welcome too, but in order to go ahead I would like to understand where the team stands.

Cheers,

--
Samuel Henrique
[SECURITY] [DSA 5694-1] chromium security update
Debian Security Advisory DSA-5694-1                  secur...@debian.org
https://www.debian.org/security/                          Andres Salomon
May 17, 2024                          https://www.debian.org/security/faq

Package        : chromium
CVE ID         : CVE-2024-4947 CVE-2024-4948 CVE-2024-4949 CVE-2024-4950

Security issues were discovered in Chromium, which could result in the
execution of arbitrary code, denial of service or information disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 125.0.6422.60-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5693-1] thunderbird security update
Debian Security Advisory DSA-5693-1                  secur...@debian.org
https://www.debian.org/security/                      Moritz Muehlenhoff
May 17, 2024                          https://www.debian.org/security/faq

Package        : thunderbird
CVE ID         : CVE-2024-4367 CVE-2024-4767 CVE-2024-4768 CVE-2024-4769
                 CVE-2024-4770 CVE-2024-4777

Multiple security issues were discovered in Thunderbird, which could result
in denial of service or the execution of arbitrary code.

For the oldstable distribution (bullseye), these problems have been fixed in
version 1:115.11.0-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in
version 1:115.11.0-1~deb12u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
External check
CVE-2006-5465: missing from list
CVE-2006-5466: missing from list
CVE-2006-5467: missing from list
CVE-2006-5468: missing from list
CVE-2006-5469: missing from list
CVE-2006-5540: missing from list
CVE-2006-5541: missing from list
CVE-2006-5542: missing from list
CVE-2006-5619: missing from list
CVE-2006-5633: missing from list
CVE-2006-5649: missing from list
CVE-2006-5701: missing from list
CVE-2006-5706: missing from list
CVE-2024-326121: missing from list
CVE-2024-326127: missing from list
CVE-2024-326131: missing from list
CVE-2024-326136: missing from list
CVE-2024-326141: missing from list
CVE-2024-326145: missing from list
CVE-2024-326151: missing from list
CVE-2024-326154: missing from list
CVE-2024-326161: missing from list
CVE-2024-326163: missing from list
CVE-2024-326171: missing from list
CVE-2024-326172: missing from list
CVE-2024-326181: missing from list
CVE-2024-326190: missing from list
CVE-2024-326191: missing from list
CVE-2024-3744: TODO: check
--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
External check
CVE-2024-21823: missing from list
CVE-2024-326121: missing from list
CVE-2024-326127: missing from list
CVE-2024-326131: missing from list
CVE-2024-326136: missing from list
CVE-2024-326141: missing from list
CVE-2024-326145: missing from list
CVE-2024-326151: missing from list
CVE-2024-326154: missing from list
CVE-2024-326161: missing from list
CVE-2024-326163: missing from list
CVE-2024-326171: missing from list
CVE-2024-326172: missing from list
CVE-2024-326181: missing from list
CVE-2024-326190: missing from list
CVE-2024-326191: missing from list
CVE-2024-3744: TODO: check
--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
[SECURITY] [DSA 5692-1] ghostscript security update
Debian Security Advisory DSA-5692-1                  secur...@debian.org
https://www.debian.org/security/                    Salvatore Bonaccorso
May 15, 2024                          https://www.debian.org/security/faq

Package        : ghostscript
CVE ID         : CVE-2023-52722 CVE-2024-29510 CVE-2024-33869 CVE-2024-33870
                 CVE-2024-33871

Multiple security issues were discovered in Ghostscript, the GPL
PostScript/PDF interpreter, which could result in denial of service and
potentially the execution of arbitrary code if malformed document files are
processed.

For the oldstable distribution (bullseye), these problems have been fixed in
version 9.53.3~dfsg-7+deb11u7.

For the stable distribution (bookworm), these problems have been fixed in
version 10.0.0~dfsg-11+deb12u4.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5691-1] firefox-esr security update
Debian Security Advisory DSA-5691-1                  secur...@debian.org
https://www.debian.org/security/                      Moritz Muehlenhoff
May 15, 2024                          https://www.debian.org/security/faq

Package        : firefox-esr
CVE ID         : CVE-2024-4367 CVE-2024-4767 CVE-2024-4768 CVE-2024-4769
                 CVE-2024-4770 CVE-2024-4777

Multiple security issues have been found in the Mozilla Firefox web browser,
which could potentially result in the execution of arbitrary code or
clickjacking.

For the oldstable distribution (bullseye), these problems have been fixed in
version 115.11.0esr-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in
version 115.11.0esr-1~deb12u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5689-1] chromium security update
Debian Security Advisory DSA-5689-1                  secur...@debian.org
https://www.debian.org/security/                          Andres Salomon
May 15, 2024                          https://www.debian.org/security/faq

Package        : chromium
CVE ID         : CVE-2024-4761

A security issue was discovered in Chromium, which could result in the
execution of arbitrary code, denial of service or information disclosure.

Google is aware that an exploit for CVE-2024-4761 exists in the wild.

For the stable distribution (bookworm), this problem has been fixed in
version 124.0.6367.207-1~deb12u1.

We highly recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5690-1] libreoffice security update
Debian Security Advisory DSA-5690-1                  secur...@debian.org
https://www.debian.org/security/                      Moritz Muehlenhoff
May 15, 2024                          https://www.debian.org/security/faq

Package        : libreoffice
CVE ID         : CVE-2024-3044

Amel Bouziane-Leblond discovered that LibreOffice's support for binding
scripts to click events on graphics could result in unchecked script
execution.

For the oldstable distribution (bullseye), this problem has been fixed in
version 1:7.0.4-4+deb11u9.

For the stable distribution (bookworm), this problem has been fixed in
version 4:7.4.7-1+deb12u2.

We recommend that you upgrade your libreoffice packages.

For the detailed security status of libreoffice please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/libreoffice

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
External check
CVE-2024-21823: missing from list
CVE-2024-30045: TODO: check
CVE-2024-30046: TODO: check
CVE-2024-32002: TODO: check
CVE-2024-32004: TODO: check
CVE-2024-32020: TODO: check
CVE-2024-32021: TODO: check
CVE-2024-32465: TODO: check
CVE-2024-326121: missing from list
CVE-2024-326127: missing from list
CVE-2024-326131: missing from list
CVE-2024-326136: missing from list
CVE-2024-326141: missing from list
CVE-2024-326145: missing from list
CVE-2024-326151: missing from list
CVE-2024-326154: missing from list
CVE-2024-326161: missing from list
CVE-2024-326163: missing from list
CVE-2024-326171: missing from list
CVE-2024-326172: missing from list
CVE-2024-326181: missing from list
CVE-2024-326190: missing from list
CVE-2024-326191: missing from list
--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
External check
CVE-2024-326121: missing from list
CVE-2024-326127: missing from list
CVE-2024-326131: missing from list
CVE-2024-326136: missing from list
CVE-2024-326141: missing from list
CVE-2024-326145: missing from list
CVE-2024-326151: missing from list
CVE-2024-326154: missing from list
CVE-2024-326161: missing from list
CVE-2024-326163: missing from list
CVE-2024-326171: missing from list
CVE-2024-326172: missing from list
CVE-2024-326181: missing from list
CVE-2024-326190: missing from list
CVE-2024-326191: missing from list
CVE-2024-4840: missing from list
--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
External check
CVE-2024-326121: missing from list
CVE-2024-326127: missing from list
CVE-2024-326131: missing from list
CVE-2024-326136: missing from list
CVE-2024-326141: missing from list
CVE-2024-326145: missing from list
CVE-2024-326151: missing from list
CVE-2024-326154: missing from list
CVE-2024-326161: missing from list
CVE-2024-326163: missing from list
CVE-2024-326171: missing from list
CVE-2024-326172: missing from list
CVE-2024-326181: missing from list
CVE-2024-326190: missing from list
CVE-2024-326191: missing from list
--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
[SECURITY] [DSA 5688-1] atril security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5688-1                   secur...@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
May 12, 2024                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : atril
CVE ID         : CVE-2023-52076

It was discovered that missing input sanitising in the Atril document
viewer could result in writing arbitrary files in the user's home
directory if a malformed epub document is opened.

For the oldstable distribution (bullseye), this problem has been fixed
in version 1.24.0-1+deb11u1. This update also disables support for
comic book archives, mitigating CVE-2023-51698.

For the stable distribution (bookworm), this problem has been fixed in
version 1.26.0-2+deb12u3.

We recommend that you upgrade your atril packages.

For the detailed security status of atril please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/atril

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmZAwWEACgkQEMKTtsN8
TjYqAw/+OF7wq08UNm4f0fbj/1xH8rFftCj/pnB1XGjkPiOPQA7cYDHUM0kRjEQt
4MDCxzQXs5gWOR20XhZUUij95xj2d29t99N9xRWdhoC49pWOfAUKRNojrt+aa/LX
SzEd2tQTWD+RuFd0ODUVJ8EYwwTH+U+NA2qVRnrXVS2PT3rUIotdXjIUPPe+LII+
UX/wx3c8AKBk8UH+2bJJnLpZ26KqzcoQR4Qx4hClx0mvDFtmbKPANBeiiJSmy3er
Y9VG7PSDqI0m+N67Sa5mOqOr9rVFNpqXJegSm/RIEvN/K3J+HKtxpkDyWIsG8tro
ZxA53WanVGLjWVU9HnE+XtwMvEQcjlg2r/vaN/oisbdFzybbBFrvoITVBQTeKnMP
GVI3IIPGRBlHYGFJpvhc25xZfVphYlqB9gVwDIlkIIPCa23fr4KilCK/k7fDTrF/
3ae91LnzyLMIxBIIDmtEbdWxKxCnizZtTpZf0Tdy1srueqdW5FdqT0fl/SZqtWhJ
2g/uAROk4lOvs8H609it8UCK4X9PPZwYci7gzKHBpzQ5vuI+oAjL9EN41R4sahq6
Wl0Z7n5gFcsfpfKSkdFosLMylsfQ3h2Wfdw/obiXr9VYjIUQHBdQ6zUgOnwdhNp8
hvwY2WNDWrpwg2mu0cp8zRcCFLeHtfYcza9VWtiJcEa+6WAAemQ=
=6TWQ
-----END PGP SIGNATURE-----
External check
CVE-2006-3813: missing from list
CVE-2006-3835: missing from list
CVE-2006-3879: missing from list
CVE-2006-3918: missing from list
CVE-2006-4019: missing from list
CVE-2006-4020: missing from list
CVE-2006-4023: missing from list
CVE-2006-4031: missing from list
CVE-2006-4093: missing from list
CVE-2006-4095: missing from list
CVE-2006-4096: missing from list
CVE-2006-4124: missing from list
CVE-2006-4144: missing from list
CVE-2006-4145: missing from list
CVE-2006-4146: missing from list
CVE-2006-4168: missing from list
CVE-2006-4181: missing from list
CVE-2006-4192: missing from list
CVE-2006-4226: missing from list
CVE-2006-4227: missing from list
CVE-2024-326121: missing from list
CVE-2024-326127: missing from list
CVE-2024-326131: missing from list
CVE-2024-326136: missing from list
CVE-2024-326141: missing from list
CVE-2024-326145: missing from list
CVE-2024-326151: missing from list
CVE-2024-326154: missing from list
CVE-2024-326161: missing from list
CVE-2024-326163: missing from list
CVE-2024-326171: missing from list
CVE-2024-326172: missing from list
CVE-2024-326181: missing from list
CVE-2024-326190: missing from list
CVE-2024-326191: missing from list
--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
Re: Request to join as new member
Arnaud Rebillout writes:

> On 11/05/2024 16:59, Simon Josefsson wrote:
>> I feel uncomfortable having a salsa write permission token in plain
>> text on my laptop, which seemed required to use some of the suggested
>> tools
>
> Just passing by.
>
> What are you referring to, why is a salsa token required? Often
> enough, you can store secrets in with libsecret (check package
> libsecret-tools) rather than plain text.

On https://wiki.debian.org/Teams/pkg-security#Packaging_rules it mentions
the 'bin/update-repos' which complains:

  It looks like no token has been configured for /usr/bin/salsa.
  see 'man salsa' and setup a SALSA_TOKEN in the devscripts configuration file.

The man page for salsa
https://manpages.debian.org/bookworm/devscripts/salsa.1.en.html says I
should put a Salsa token in plaintext in ~/.devscripts. If I understand
correctly, leaking that token will leak write-permission to my account on
Salsa. I don't feel comfortable about having this magic cookie around, it
seems safer to rely on SSH or PGP keys (which I have on a smartcard)
instead.

/Simon
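One way to reconcile the two positions in this exchange (the tooling wants a Salsa API token, the token should not sit in plaintext in ~/.devscripts) is to keep the token in the libsecret keyring that Arnaud mentions and hand it to salsa(1) only for the duration of a call. The script below is an added example, not code from the thread, from devscripts or from the pkg-security team. It assumes that secret-tool (package libsecret-tools) and a libsecret-capable keyring daemon are available, and that the installed salsa(1) accepts a token via --token-file (check `man salsa` for your devscripts version; the attribute names `service`/`user` used to tag the keyring entry are arbitrary choices made here).

```shell
#!/bin/sh
# Added example (not from the thread, devscripts or pkg-security-team):
# keep the Salsa API token in the libsecret keyring and pass it to
# salsa(1) per invocation instead of a plaintext SALSA_TOKEN line in
# ~/.devscripts.
#
# Assumptions:
#  - secret-tool (libsecret-tools) and a running keyring daemon;
#  - salsa(1) accepts --token-file (check `man salsa`);
#  - the keyring attributes service=salsa.debian.org / user=<login>
#    are our own naming convention, nothing the tools require.
set -eu

KEYRING_SERVICE=salsa.debian.org   # attribute used to find the entry

# One-time: store the token. secret-tool reads the secret from stdin
# (it prompts without echo on a terminal), so the token never appears
# in argv or in the shell history.
store_salsa_token() {
    user=$1
    secret-tool store --label="Salsa API token ($user)" \
        service "$KEYRING_SERVICE" user "$user"
}

# Read the token back. The lookup command is a parameter (default: the
# real secret-tool) so the plumbing can be exercised without a keyring,
# e.g. with a constructed fake that just prints a dummy token.
lookup_salsa_token() {
    user=$1
    lookup=${2:-secret-tool lookup}
    $lookup service "$KEYRING_SERVICE" user "$user"
}

# Run salsa(1) with the token in a private, short-lived file under the
# user-only runtime dir (mktemp creates it 0600), removed on exit.
# Passing the token on the command line instead would expose it in
# /proc/<pid>/cmdline to every local user.
salsa_with_token() {
    user=$1; shift
    tmp=$(mktemp "${XDG_RUNTIME_DIR:-/tmp}/salsa-token.XXXXXX")
    trap 'rm -f "$tmp"' EXIT HUP INT TERM
    lookup_salsa_token "$user" > "$tmp"
    salsa --token-file "$tmp" "$@"
    rm -f "$tmp"
}

# Example usage (interactive; not run here):
#   store_salsa_token "$USER"
#   salsa_with_token "$USER" whoami
```

Because the token is read from the keyring on each call, `bin/update-repos` and similar team scripts can be wrapped the same way, and ~/.devscripts no longer needs a SALSA_TOKEN line at all. The keyring is unlocked by the desktop login session, so the token is at rest encrypted but still available to any process running as that user once the session is unlocked; that is weaker than a smartcard-held SSH or PGP key, but it does stop the token being harvested from a plaintext dotfile or a backup.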
Re: Request to join as new member
On 11/05/2024 16:59, Simon Josefsson wrote:
> I feel uncomfortable having a salsa write permission token in plain
> text on my laptop, which seemed required to use some of the suggested
> tools

Just passing by.

What are you referring to, why is a salsa token required? Often enough, you can store secrets with libsecret (check package libsecret-tools) rather than plain text.

Cheers,
Arnaud
pkg-security-team vs debian namespace
Following up on the namespace question separately. To clarify: I'm not proposing any change. I'm mostly trying to learn and understand why some decisions were made and if the rationale still applies.

Samuel Henrique writes:

> Downsides of keeping the packaging under debian/:
> * Lack of the salsa's view of current opened MRs, as seen on
>   https://salsa.debian.org/groups/pkg-security-team/-/merge_requests. This is
>   the biggest downside in my opinion.

Couldn't this easily be solved by tagging merge requests for pkg-security-related packages with a tag, and searching for that? Assuming all pkg-security-team packages were to be moved to /debian/ (for the sake of discussing this aspect). I'm not familiar enough with GitLab workflows to tell whether Assignee, Reviewer, Label, Environment or some other tag would be the right one, but then you could go to this page (using label CI as an example; CI would be replaced with PKG-SECURITY or similar):

https://salsa.debian.org/groups/debian/-/merge_requests?scope=all&state=opened&label_name[]=CI

> * Team contributors who have received permissions to push to all team-owned
>   repos (before becoming DDs) will still not be able to push to the packages
>   under debian/. This is not a huge issue because they can still open MRs, but
>   the process to contribute becomes a bit more cumbersome.

Is there any documented policy for /debian/ packages including group membership policy? Maybe lack of documented policy for /debian/ is the biggest problem here though, it isn't even possible to evaluate if the policies are compatible.

/Simon
Re: Request to join as new member
Thanks for adding me to the pkg-security group!

To get started, I have moved libntlm's git repo from the pkg-auth-maintainers group on Salsa to the pkg-security. I did an upload updating debian/control, together with some other fixes. I'm not up to speed on all the pkg-security tooling, so please review and fix anything that needs fixing.

I feel uncomfortable having a salsa write permission token in plain text on my laptop, which seemed required to use some of the suggested tools -- hopefully none of that stuff is critical, and if important could be fixed by others too? It felt like going down someone's personal work flow understanding, which is great for inspiration (I quickly agreed with most concepts) but may require some more polishing before everyone can adapt. I had the same feeling when adapting to the Debian Go Packaging workflow, most of the workflow concepts are great improvements but deep below some assumptions that may not be universal are made. I hope to learn and adapt though.

Regarding having the repository in debian/ but still use pkg-security group maintenance, I'll think about that some more, but you can tell from my decision to move libntlm to pkg-security that I wanted to give this approach a try first.

/Simon
[SECURITY] [DSA 5687-1] chromium security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5687-1                   secur...@debian.org
https://www.debian.org/security/                           Andres Salomon
May 10, 2024                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2024-4671

A security issue was discovered in Chromium, which could result in the
execution of arbitrary code, denial of service or information disclosure.

Google is aware that an exploit for CVE-2024-4671 exists in the wild.

For the stable distribution (bookworm), this problem has been fixed in
version 124.0.6367.201-1~deb12u1.

We highly recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmY+V2EACgkQZF0CR8Nu
djc6KxAAmbOIpJDKJntYp1sgQdqm6PKSMYSnUWlcZXSAyJkhGPlkGiMyttmLD5X2
CO3wk8R7bkV0SDZZPhN58+KKe6m0QjyI8QuXav47aQd+YePRkqweUDJYCMf9Wf3S
3zte5tIloXwofTv0uW0ZXJ9WU0ADu9Q9PATK1121RVqD0a2js3H1z6nMTbOPn2S8
QF/Khm9IdfihweaJA2MJYncsxTSZgFbVUIiVq2Zu3d1OfkJbtx/wgcZFo2+O9dcK
suR6p/PrhjujwUIw9cxyiTuU8D4FFEk86Lr52akM60dFJLiF6XPvGHdfb2BZ3ev2
QTvRzA9msMNAWf+GlV3hed9S3+F866mOK0LRXBNlJvGtJFJRzFs0q5VrDM5hSEEa
0c6tm8gw8id+NHcS8iXr/CHDP9w8nu0iJxtupA3jRTsNyLPu5kXRyATPMVjZtssV
Dz/TQSpnxFNaMWdCu9TxPs4/3kPEEu0HW8PbVV0rWaF5PvnT5JU/rEp6ho9Omx/f
KzJPfjO4t/GxgZ7gcTm7QrRKI4W3VhNSn1kTvA15mndKm0YMNZfvD7tURytU7Qm0
EGTzpNc4MScGKASZ8XRuygQnj9oCHegyu1el5BmCu/mbOLDr4neh1hDq3YDHIlkf
Tnv/txolKV9hFrQPdf/Wn/CA2f9Zw3HMWECCbYkVTvxak/+Nj0g=
=/LcI
-----END PGP SIGNATURE-----
Re: REMINDER: Re: ITA: vpnc -- Cisco-compatible VPN client
Hello Samuel,

On Thu, 2024-05-09 at 23:51 +0100, Samuel Henrique wrote:
> Hello Sven,
>
> > Would you do a final review and grant DM rights to me?
>
> Done, I suggest in the future you try to minimize the amount of "update
> changelog" commits by only running gbp dch once you're about to upload. This
> will help considerably reduce the amount of commits (would be half of them for
> this upload).
>
> Thank you for contributing and for the reminder :)

Thank you for granting the rights and for the advice.

Cheers,
Sven

--
GPG Fingerprint 3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585
External check
CVE-2024-3727: TODO: check
--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
Re: RFS: assetfinder package
I've sent this to Aquila last month but CC'ed the wrong list, sending it to the right one for tracking purposes now. Hello Aquila, > I have taken the initiative to package assetfinder for Debian, and the > package is > readily accessible in my Salsa repository at > https://salsa.debian.org/aquilamacedo/assetfinder I see that the package is currently in NEW by Josenilson. Me and you spoke about this but I'm sending this email so we can "close" this request. -- Samuel Henrique
Re: RFS: paramspider package
I've sent this to Aquila last month but CC'ed the wrong list, sending it to the right one for tracking purposes now. Hello Aquila, > I have taken the initiative to package paramspider for Debian, and the > package is readily accessible in my Salsa repository at > https://salsa.debian.org/aquilamacedo/paramspider > > I would be grateful if you would consider sponsoring the paramspider > package. I am confident that it would be a valuable addition to the > Debian repositories. :-) I see that sergiodj has already uploaded this one, replying here so it won't look like it's pending. Thank you for contributing! -- Samuel Henrique
Re: RFS: HexWalk Request for sponsor
Hello carmix, > I didn't receive any response from you on my last mail. I added the > debian material on github. Sorry, I didn't have time to look into this yet, but it's on my todo list. Regards, -- Samuel Henrique
Re: REMINDER: Re: ITA: vpnc -- Cisco-compatible VPN client
Hello Sven, > Would you do a final review and grant DM rights to me? Done, I suggest in the future you try to minimize the amount of "update changelog" commits by only running gbp dch once you're about to upload. This will help considerably reduce the amount of commits (would be half of them for this upload). Thank you for contributing and for the reminder :) -- Samuel Henrique
[SECURITY] [DSA 5686-1] dav1d security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5686-1                   secur...@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
May 09, 2024                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : dav1d
CVE ID         : CVE-2024-1580

Nick Galloway discovered an integer overflow in dav1d, a fast and small
AV1 video stream decoder which could result in memory corruption.

For the oldstable distribution (bullseye), this problem has been fixed
in version 0.7.1-3+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in
version 1.0.0-2+deb12u1.

We recommend that you upgrade your dav1d packages.

For the detailed security status of dav1d please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/dav1d

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmY84YwACgkQEMKTtsN8
TjbRiRAAvuyxl16M5vv5sRP7cBXJOG1AXtEAmw7uId5GNiRIrIPPs9JuP8fPBqxH
+tasEIF7Il88KgSKDt+ZYa2R3iG57KQNjTxCvZ5XZ9rlOhb1C1Z69Qm7beYXFpTa
sygIteKYzvrW3qvcDvmqsYuLd8ZDIPFhLeb5XbBdm2a+vE1dhvdyYwMj+MZP2Sq7
ZwCEd/ez6pKhsrZZjOWcoDeH/64CBnpNy/tpXW1KDvS0TsfWdlJbvG+3USBNaGq9
rk+jc1XKcKlYmPV4VKxrlUvuWFGv+s99pPNGWhE8Xf84DlssGj2Hi+m6QUHSfqxB
tf+YiArHjLPihgW8CGnNZ7vJBAjUO26pwwxZcx6AemsjyJAynqcd9c38SDDwvTZu
ka+mhJwZbrVcJqe5NU2jmrbzV6RpJtTzmCeZwuvSlmUxH36p9fVYhEIaeflaRtIi
dDnnVo2ervwAKPDfVnIt+X6bHnF6m+GGIw8I1+6RhNulUQhwivNtbGXhp/9vf3e1
TmDr0awyY2yG7v2Qv1SSzQGQA4W5ARMb/DliFFZTpvRDzEp1iuVyduPO0y8bWORN
hIsAjirq1DhzHBxquZY4tHBi3AfoVGO09Yh3ZE/KyMP/98P5XU3gH4xLsz3PziHH
15GWSpxkcjgFblNOYdtYrp4K+8YC0fB7cuKEIWaHRO5CCgx/UHs=
=59hW
-----END PGP SIGNATURE-----
[SECURITY] [DSA 5684-1] webkit2gtk security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5684-1                   secur...@debian.org
https://www.debian.org/security/                            Alberto Garcia
May 09, 2024                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2023-42843 CVE-2023-42950 CVE-2023-42956 CVE-2024-23252
                 CVE-2024-23254 CVE-2024-23263 CVE-2024-23280 CVE-2024-23284

The following vulnerabilities have been discovered in the WebKitGTK
web engine:

CVE-2023-42843

    Kacper Kwapisz discovered that visiting a malicious website may
    lead to address bar spoofing.

CVE-2023-42950

    Nan Wang and Rushikesh Nandedkar discovered that processing
    maliciously crafted web content may lead to arbitrary code
    execution.

CVE-2023-42956

    SungKwon Lee discovered that processing web content may lead to a
    denial-of-service.

CVE-2024-23252

    anbu1024 discovered that processing web content may lead to a
    denial-of-service.

CVE-2024-23254

    James Lee discovered that a malicious website may exfiltrate audio
    data cross-origin.

CVE-2024-23263

    Johan Carlsson discovered that processing maliciously crafted web
    content may prevent Content Security Policy from being enforced.

CVE-2024-23280

    An anonymous researcher discovered that a maliciously crafted
    webpage may be able to fingerprint the user.

CVE-2024-23284

    Georg Felber and Marco Squarcina discovered that processing
    maliciously crafted web content may prevent Content Security Policy
    from being enforced.

For the oldstable distribution (bullseye), these problems have been fixed
in version 2.44.1-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in
version 2.44.1-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmY8e60ACgkQAAyEYu0C
2ALK/g/7BzT5OfeZ1/2nK7TVdiyOjPuQgoZBqIV1LAmUBy5gHvKjOtrujqI9pVaU
DZtGhgfRwu2AZjAvR1A5gCNTwWyGhvFrLN23/BaloxcveYr6iY6HuYFymlQp24fM
o35x8DQJySgO3cGmNR1GwwLatr3dVrHh+Kot1J449G4mqlQxH4UQ8ytWOSfpWLdZ
3ndArvVrO35eBUgPbUEooPHITSlusZQPbaVJkmU69zbpW1z220sQldSmObWHbAGG
41NHl74LMqe64tI5EfrgSwdY7L+FEby/M0JlO37e1Hut0WpQckHuNgrlq6IO20Ed
h80kmkN91TDCihQ1vovZaTbg9bCYcSYCWBxPGomip1v8EL1AybO8c7pEI/v/lcVO
x4Ya6++JrJ1994U5esZB7VC0ucEUOc0SqwARyHv6NMmkKxxIPv2YdqPFE196x2Ns
1rTM6dMriuCaKLOb2WUtOawLKPnBNQ0dRS1JLcNDA1Dy9zbDDB6ev8idKnixRMbv
EOyZjBm8RTBK7dGw0BlTdHAoCZvczQJvinAJptvL+771qwcwq7SaL+6L1Ht1MGcN
WS+wrb+DzpSvfprtv5Qvs0NEpmGISwbK3T/XOEnyyKMQdhemNtpvjWvF+0WNBf/d
3nPAa5F9ZxJJMEuJFjAmm/HiK3R6Uko899yBtNbDkJbbA+vQlM8=
=MdSz
-----END PGP SIGNATURE-----
[SECURITY] [DSA 5682-2] glib2.0 regression update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5682-2                   secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
May 09, 2024                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : glib2.0
Debian Bug     : 1070730 1070736 1070743 1070745 1070749 1070752

The update for glib2.0 released as DSA 5682-1 caused a regression in
ibus affecting text entry with non-trivial input methods. Updated
glib2.0 packages are available to correct this issue.

For the oldstable distribution (bullseye), this problem has been fixed
in version 2.66.8-1+deb11u3.

For the stable distribution (bookworm), this problem has been fixed in
version 2.74.6-2+deb12u2.

We recommend that you upgrade your glib2.0 packages.

For the detailed security status of glib2.0 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/glib2.0

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmY8V7JfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0RJGA/+IOsDXWcvXMOYEueKNZ+pIFVXLbT4GVMBvUIBf0wqJFbnmwaTXaEojqNR
HKFcCLIBKzhHkJvCmhaEsaZXj05GxI0jIKV0CULuEl1PeYpXaypIF0BIbtH7Jd0j
Q7/3qQgafewuJgqwn7e3CG9mF8oZv/QfwH4VPaJMkMd7cdRNytKOiJosg2ZEl3FK
ycO/t58SMPxApzY5eebAU/u37UKAzI7PeCIz9FaCUQdwMUFuUeJvsYD21PwxYN/R
LK79UsnHiw6sr3cpNirOhm7F3HXSh7WFBqQdcLGrTaix3X+RKW7NymNhIW8m7qWg
kJ7w6JArMuvxj2Y2RiBF0eqVVkYcTHOe964+nvDHjzFIUkLU0yhw2GLhK4GzbWjl
VpXc/+Rv1I9OsFF4SiKNSbi728NM4GUS3ziew//1l9EPM281UrCDoFRkwi1FP2jT
KVWB0CZacqLmo62cT49HBb1rSxDXSEi0qc0yMKus+Jk+NT8H1k+cpjrK5hy0flJt
JJWTOJMJ2Ph7LvLbrfsVoeuxeIz+taoLz6JW5dkpk1/LkxSmZkIKztdolirONMqF
vBCTyz7IvBxqro5+vRsBnSFPJdw4pCVxhfgI/BFIUe8dA2Sh8bE+o69wTgcGDst5
ZHf28D3hClhMSc/SgotNTUf8KycA15VjxhvNtAeFL0HpOvAKiKI=
=T+EA
-----END PGP SIGNATURE-----
[SECURITY] [DSA 5685-1] wordpress security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5685-1                   secur...@debian.org
https://www.debian.org/security/                           Markus Koschany
May 08, 2024                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wordpress
CVE ID         : CVE-2023-2745 CVE-2023-5561 CVE-2023-38000 CVE-2023-3
                 CVE-2024-31210
Debian Bug     : 1036296

Several security vulnerabilities have been discovered in Wordpress, a
popular content management framework, which may lead to exposure of
sensitive information to an unauthorized actor in WordPress or allowing
unauthenticated attackers to discern the email addresses of users who
have published public posts on an affected website via an Oracle style
attack. Furthermore this update resolves a possible cross-site-scripting
vulnerability, a PHP File Upload bypass via the plugin installer and a
possible remote code execution vulnerability which requires an attacker
to control all the properties of a deserialized object though.

For the oldstable distribution (bullseye), these problems have been fixed
in version 5.7.11+dfsg1-0+deb11u1.

For the stable distribution (bookworm), these problems have been fixed in
version 6.1.6+dfsg1-0+deb12u1.

We recommend that you upgrade your wordpress packages.

For the detailed security status of wordpress please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/wordpress

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmY78XJfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeRBIBAAlHttuzHU3awlLA5WFHprj6S3PJA2YQSQjt+Ejk+pFGVpHjs4/gaI8S/t
3rb9hEf2ClK6NdNxqAHSNzOuYLAG3S1rfATtQGfxEpYTBrngXKSUgFltElhRBACe
GOLxtfh7Yha94hbf/HBiFEpKEmFXLnmGuSv1M0z77SEcNEdQ0sd5Be5VDwKcxnY6
FYrrvoFjYUiDj66B19/B8ytUlRb7Mgr8KakqOiO6jzINL/mtJ52pcd63+JrkBF0L
8br30YKxII9Rb10ygBhl5AzjhC/yrQexVtYyK0l1avm7/JC08kxDch++ANRekCJA
kTx0ARi2AZJv1ktzm1DIfxNLrLtiCTJjSFFi6/WTCW3UAFNiVbEQOYal95lKBLXG
V6AJhYYYPI3rbwnUJX5FZn4PEKoHTXotuveqdGHF2727ROUrConLZrrBa/hovj7v
GPIe4SZZHLizK2CO84Gxgy7mI4F46I2C6TlIMvsJKyL1XUopti+Ds8f7e5AIgzB9
rSkYPTBfLsm5fIeVpodja1qJMQdo9NklnamaPnbjL8BTmExedf638WYJfMLBqgXY
Kl9M6uSwfBpl2dfvKqg2iUos359X65Nt+Cd3Ve5zsSigDssvsQ7YTV/TJHMavq6z
f294k2zHfMaCiathCpOayN8KFX7WHeBEL8N8j/bukYgFaHD8y5o=
=qCem
-----END PGP SIGNATURE-----
[SECURITY] [DSA 5683-1] chromium security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5683-1                   secur...@debian.org
https://www.debian.org/security/                           Andres Salomon
May 08, 2024                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2024-4558 CVE-2024-4559

Security issues were discovered in Chromium, which could result in the
execution of arbitrary code, denial of service or information disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 124.0.6367.155-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmY7uGgACgkQZF0CR8Nu
djd22Q//dbbbPSmdO9POoo84j9bYe8zylzsajP6m9eCkZhWlLrH/Rd81mjO8azs7
5F32yeGdbx17T3hG0MHsPxVpCaIj2DUvjd+r0k1voeYmovGdNIqt6rKZeQNVfFym
f7EuOMcq271nIZ5VHFfDKis5p5s4SXyt4+8sOIWf39IzoEdm8tnNJU+7ALsEkvQX
dFIf3mVtOgKQSgtzeNV6qz4Pp9w8t9aK4zjOZTBcYaZDbhUfjiNKWh7oiTlmAkre
gOhUdwG3PgztwbAVWPzjOmaWnWaZCTZ4haO9zWY4B8h6ULdAjVmR0wDy9R3RL4XG
Hp8Jvj6i5n19cMjGk/tQtDOVIUaPLF6F3/o4E5AB6r6daAiZIDWePcb4VuLXEMTn
kZWaZ39P718aSykCX1A9g4ka8py3nFOEE7J+4ktgx8h3Hk3yVxl6VWMhVfJ8bRwr
lvlNzU4FRqxsxlNylNKDcw98juPqQ0U7lWv+U1QXWhzkFCiM18uv7pdGCUlCqXBl
QFJ4bWDtdgPn71OSE9m6oIKSWD1wisuig1tIPF4ZxeE+jhTMS3t/yEZk1FgPKixh
Fs9xuuv/CaXEe5sJP2vD8aFp7kdpV0HnuJDb2rqCfxjegKQY43IsMlUH8Q02wXVP
00Aq/1A/8YHBcT9uBaAltuBMZY7tn1xL5eHijwYxhCA9dEB7mEo=
=L3HH
-----END PGP SIGNATURE-----
The problem with security newsletters and newsletters on the security center
Hi!

We noticed that you have discrepancies in the mailing list and the information provided on https://security-tracker.debian.org/tracker/

Example: DSA-5248-1: the link to the message https://www.debian.org/security/2022/dsa-5248?ref=cve.news redirects to DSA 5246-1, but there is https://security-tracker.debian.org/tracker/DSA-5248-1 on the tracker, and unfortunately it is not clear why it overwrites DSA 5246-1 in the mailing list, although they are completely different.

Here is a list of newsletters where there is a discrepancy between the tracker and the newsletter:

DSA-5248-1 php-twig -- security update
DSA-4986-1 tomcat9 -- security update
DSA-4727-1 tomcat9 -- security update
DSA-4342-1 chromium-browser -- security update
DSA-3941-1 iortcw -- security update
DSA-3931-1 ruby-rack-cors -- security update
DSA-3768-1 openjpeg2 -- security update
DSA-3529-1 redmine -- security update
DSA-3525-1 pixman -- security update
DSA-3383-1 wordpress -- security update
DSA-3265-1 zendframework -- security update
DSA-3249-1 jqueryui -- security update
DLA-3177-1 python-django -- LTS security update
DLA-2941-1 linux-4.19 -- LTS security update
DLA-2887-1 lighttpd -- LTS security update
DLA-2785-1 linux-4.19 -- LTS security update
DLA-2714-1 linux-4.19 -- LTS security update
DLA-2690-1 linux-4.19 -- LTS security update
DLA-2652-1 unbound1.9 -- LTS security update
DLA-2610-1 linux-4.19 -- LTS security update
DLA-2594-1 tomcat8 -- LTS security update
DLA-2557-1 linux-4.19 -- LTS security update
DLA-2556-1 unbound1.9 -- LTS security update
DLA-2483-1 linux-4.19 -- LTS security update
DLA-2417-1 linux-4.19 -- LTS security update
DLA-2385-1 linux-4.19 -- LTS security update
DLA-2323-1 linux-4.19 -- LTS new package
DLA-2066-1 gthumb -- LTS security update
DLA-1709-1 waagent -- LTS security update
DLA-1543-1 gnulib -- LTS security update
DLA-1541-1 jekyll -- LTS security update
DLA-1540-1 net-snmp -- LTS security update
DLA-1539-1 samba -- LTS security update
DLA-1538-1 tinc -- LTS security update
DLA-1537-1 php-horde-kronolith -- LTS security update
DLA-1536-1 php-horde-core -- LTS security update
DLA-1535-1 php-horde -- LTS security update
DLA-1533-1 git -- LTS security update

Could you tell us or improve the experience of using newsletters?
External check
CVE-2023-27349: TODO: check
CVE-2023-44431: TODO: check
CVE-2023-50229: TODO: check
CVE-2023-50230: TODO: check
CVE-2023-51580: TODO: check
CVE-2023-51589: TODO: check
CVE-2023-51592: TODO: check
CVE-2023-51594: TODO: check
CVE-2023-51596: TODO: check
CVE-2024-2410: TODO: check
CVE-2024-4436: missing from list
CVE-2024-4437: missing from list
CVE-2024-4438: missing from list
--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
[SECURITY] [DSA 5682-1] glib2.0 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5682-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 07, 2024                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : glib2.0
CVE ID         : CVE-2024-34397

Alicia Boya Garcia reported that the GDBus signal subscriptions in the
GLib library are prone to a spoofing vulnerability. A local attacker can
take advantage of this flaw to cause a GDBus-based client to behave
incorrectly, with an application-dependent impact.

gnome-shell is updated along with this update to avoid a screencast
regression after fixing CVE-2024-34397.

For the oldstable distribution (bullseye), this problem has been fixed
in version 2.66.8-1+deb11u2.

For the stable distribution (bookworm), this problem has been fixed in
version 2.74.6-2+deb12u1.

We recommend that you upgrade your glib2.0 packages.

For the detailed security status of glib2.0 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/glib2.0

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmY6hPhfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0SluA//YDiwiCjSmeQFXuFfSBga+BnPqAx5PHWjPbnjOyTefp6TH0xXiw0mQ2vF
5c99+cwy1kQkWffYJErX7XyLeoaOHxanXOUzyqhCLBH7iJFWIDiKDntYsd1BELDo
2H+9zOISltTowkcx9H0tq3HKM18SFHc/iiImc28wX6PdkosqGHGtTFF/qPOEDqi1
oqObyJV+F0RjGSiTE3qzF6zxmJHrn8oCvQ53L3VbspL+eohfCurkRMjLeg897Opo
A67Eh82ZhUouKIBNRNZ6UGVsJ55vKWsYdyvC2zi4e9dbUSumijcPr2kci4C3Rb1M
e63SYSL3xWA42z7LbtOdJZh0l7HcHZHDSw4UKhPw6jrCl+4ck5fQN9ezuGU5Rg8d
5oUjuDRIvH6G1vGELd6+P90hj/c+z23g3N41J05YWsLr1imoYuc/zHAHFlpt7NzI
dJRczbKl0SUcxQGnevDmgj5LNmqTQvH/Q9t+d8jy6E8n1OP2IweMn+Tiit4abEGN
9bKAc09/qUhKwGrnHFfi7S9lPF9rpQun+voVylacrQsf2ijs2sgWX0kyH81Govxv
s/QbTNUJUkXrQmAIahFQPzqEokdZd4phP1w25urjEx1ji7RklR9KtF6bBu6V1mhz
fZ1Md3uhUt+8Vktbqwzfj18lvEXYg808ClX7ZA+x5cgTOJJKf8o=
=uIf7
-----END PGP SIGNATURE-----
REMINDER: Re: ITA: vpnc -- Cisco-compatible VPN client
Hello Samuel,

I hope you find the time to deal with my request below soonish.

On Thu, 2024-04-25 at 16:04 +0200, Sven Geuer wrote:
> Hello Samuel,
>
> [...]
>
> The vpnc package has been moved to the group recently [1] and I updated
> this repo with the changes from my personal repository plus I added
> d/salsa-ci.yml.
>
> Would you do a final review and grant DM rights to me?
>
> [1] https://salsa.debian.org/pkg-security-team/vpnc
>
> Thanks,
> Sven

--
GPG Fingerprint 3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585

signature.asc
Description: This is a digitally signed message part
[SECURITY] [DSA 5681-1] linux security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5681-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 06, 2024                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2023-6270 CVE-2023-7042 CVE-2023-28746 CVE-2023-47233
                 CVE-2023-52429 CVE-2023-52434 CVE-2023-52435 CVE-2023-52447
                 CVE-2023-52458 CVE-2023-52482 CVE-2023-52486 CVE-2023-52488
                 CVE-2023-52489 CVE-2023-52491 CVE-2023-52492 CVE-2023-52493
                 CVE-2023-52497 CVE-2023-52498 CVE-2023-52583 CVE-2023-52587
                 CVE-2023-52594 CVE-2023-52595 CVE-2023-52597 CVE-2023-52598
                 CVE-2023-52599 CVE-2023-52600 CVE-2023-52601 CVE-2023-52602
                 CVE-2023-52603 CVE-2023-52604 CVE-2023-52606 CVE-2023-52607
                 CVE-2023-52614 CVE-2023-52615 CVE-2023-52616 CVE-2023-52617
                 CVE-2023-52618 CVE-2023-52619 CVE-2023-52620 CVE-2023-52622
                 CVE-2023-52623 CVE-2023-52627 CVE-2023-52635 CVE-2023-52637
                 CVE-2023-52642 CVE-2023-52644 CVE-2023-52650 CVE-2024-0340
                 CVE-2024-0565 CVE-2024-0607 CVE-2024-0841 CVE-2024-1151
                 CVE-2024-22099 CVE-2024-23849 CVE-2024-23850 CVE-2024-23851
                 CVE-2024-24857 CVE-2024-24858 CVE-2024-24861 CVE-2024-26581
                 CVE-2024-26593 CVE-2024-26600 CVE-2024-26601 CVE-2024-26602
                 CVE-2024-26606 CVE-2024-26610 CVE-2024-26614 CVE-2024-26615
                 CVE-2024-26622 CVE-2024-26625 CVE-2024-26627 CVE-2024-26635
                 CVE-2024-26636 CVE-2024-26640 CVE-2024-26641 CVE-2024-26642
                 CVE-2024-26643 CVE-2024-26644 CVE-2024-26645 CVE-2024-26651
                 CVE-2024-26654 CVE-2024-26659 CVE-2024-26663 CVE-2024-26664
                 CVE-2024-26665 CVE-2024-26671 CVE-2024-26673 CVE-2024-26675
                 CVE-2024-26679 CVE-2024-26684 CVE-2024-26685 CVE-2024-26687
                 CVE-2024-26688 CVE-2024-26689 CVE-2024-26695 CVE-2024-26696
                 CVE-2024-26697 CVE-2024-26698 CVE-2024-26702 CVE-2024-26704
                 CVE-2024-26707 CVE-2024-26712 CVE-2024-26720 CVE-2024-26722
                 CVE-2024-26727 CVE-2024-26733 CVE-2024-26735 CVE-2024-26736
                 CVE-2024-26743 CVE-2024-26744 CVE-2024-26747 CVE-2024-26748
                 CVE-2024-26749 CVE-2024-26751 CVE-2024-26752 CVE-2024-26753
                 CVE-2024-26754 CVE-2024-26763 CVE-2024-26764 CVE-2024-26766
                 CVE-2024-26771 CVE-2024-26772 CVE-2024-26773 CVE-2024-26776
                 CVE-2024-26777 CVE-2024-26778 CVE-2024-26779 CVE-2024-26781
                 CVE-2024-26782 CVE-2024-26787 CVE-2024-26788 CVE-2024-26790
                 CVE-2024-26791 CVE-2024-26793 CVE-2024-26795 CVE-2024-26801
                 CVE-2024-26804 CVE-2024-26805 CVE-2024-26808 CVE-2024-26809
                 CVE-2024-26810 CVE-2024-26812 CVE-2024-26813 CVE-2024-26814
                 CVE-2024-26816 CVE-2024-26817 CVE-2024-26820 CVE-2024-26825
                 CVE-2024-26833 CVE-2024-26835 CVE-2024-26839 CVE-2024-26840
                 CVE-2024-26843 CVE-2024-26845 CVE-2024-26846 CVE-2024-26848
                 CVE-2024-26851 CVE-2024-26852 CVE-2024-26855 CVE-2024-26857
                 CVE-2024-26859 CVE-2024-26861 CVE-2024-26862 CVE-2024-26863
                 CVE-2024-26870 CVE-2024-26872 CVE-2024-26874 CVE-2024-26875
                 CVE-2024-26877 CVE-2024-26878 CVE-2024-26880 CVE-2024-26882
                 CVE-2024-26883 CVE-2024-26884 CVE-2024-26885 CVE-2024-26889
                 CVE-2024-26891 CVE-2024-26894 CVE-2024-26895 CVE-2024-26897
                 CVE-2024-26898 CVE-2024-26901 CVE-2024-26903 CVE-2024-26906
                 CVE-2024-26907 CVE-2024-26910 CVE-2024-26917 CVE-2024-26920
                 CVE-2024-26922 CVE-2024-26923 CVE-2024-26924 CVE-2024-26925
                 CVE-2024-26926 CVE-2024-26931 CVE-2024-26934 CVE-2024-26935
                 CVE-2024-26937 CVE-2024-26950 CVE-2024-26951 CVE-2024-26955
                 CVE-2024-26956 CVE-2024-26957 CVE-2024-26958 CVE-2024-26960
                 CVE-2024-26961 CVE-2024-26965 CVE-2024-26966 CVE-2024-26969
                 CVE-2024-26970 CVE-2024-26973 CVE-2024-26974 CVE-2024-26976
                 CVE-2024-26978 CVE-2024-26979 CVE-2024-26981 CVE-2024-26984
                 CVE-2024-26988 CVE-2024-26993 CVE-2024-26994 CVE-2024-26997
                 CVE-2024-26999 CVE-2024-27000 CVE-2024-27001 CVE-2024-27004
                 CVE-2024-27008 CVE-2024-27013 CVE-2024-27020 CVE-2024-27024
                 CVE-2024-27025 CVE-2024-27028 CVE-2024-27030 CVE-2024-27038
                 CVE-2024-27043 CVE-2024-27044 CVE-2024-27045 CVE-2024-27046
[SECURITY] [DSA 5680-1] linux security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5680-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 06, 2024                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2024-26605 CVE-2024-26817 CVE-2024-26922 CVE-2024-26923
                 CVE-2024-26924 CVE-2024-26925 CVE-2024-26926 CVE-2024-26936
                 CVE-2024-26939 CVE-2024-26980 CVE-2024-26981 CVE-2024-26983
                 CVE-2024-26984 CVE-2024-26987 CVE-2024-26988 CVE-2024-26989
                 CVE-2024-26992 CVE-2024-26993 CVE-2024-26994 CVE-2024-26996
                 CVE-2024-26997 CVE-2024-26999 CVE-2024-27000 CVE-2024-27001
                 CVE-2024-27002 CVE-2024-27003 CVE-2024-27004 CVE-2024-27008
                 CVE-2024-27009 CVE-2024-27013 CVE-2024-27014 CVE-2024-27015
                 CVE-2024-27016 CVE-2024-27018 CVE-2024-27019 CVE-2024-27020
                 CVE-2024-27022

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

For the stable distribution (bookworm), these problems have been fixed in
version 6.1.90-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmY5EA9fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Q/jw/+IhGBeIu0f4EoDnOXWtKNIqL154QeSW5iChMM18xupN/kHpYYJOuIsZfy
4U5gGJaiPe/ibLSAzpunZGd6TtTAu5U/TMjoUFBlyhWYLrzIrqCjJP7Jcxoufutx
qDZGFokd3k8YazJmZPCnHyTFHfZH008YEHmZSHwq8VIgP3cyIqiSryPxFiFXQfp1
0XzsV1DBGNt4gDFj25TTVzfz4DCOBY9wHcgZW5y7AmVDvG674al16JdfV0K/Kma3
4gizb+d26sEd1E6qQXVJbTQf5RKt156fadJicG59Fv/A4hQoUy+lKapaMNuhyRSk
u0r1BGEphKL7Z51PEVcm02XRHa18JuzuEoX+lkWjZvwItvQyz6fMzQLHrUSAYPoM
5hGEYgd3W/h2ss3jmoWKjwsEz6uAbFKleCHKIoYK7iRtPjzcTlSVlN01UxLwIFXJ
r2M8axaYDW36jo3t/oCe6wsJekILoSx3MSokTiXrcGq/AWY3z+i33EB1XYN76oTt
L/bn8BdPhXBC2ofZ757hMJdvh5fUHO0sfg+L2CrBCENPU/jgDCC0NG7NX2lnVRm6
RW6abfIRHPBn27FyyEvCzyxHpixxMiMp3hBf1tn7iXknU1x9evn9mvw0QW/7n0+W
uubWWVe3g/BdEiGsSPKYTnDMx01uj+snjmKKzBd88eG7B8PRGhY=
=3Xuh
-----END PGP SIGNATURE-----
[SECURITY] [DSA 5679-1] less security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5679-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 03, 2024                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : less
CVE ID         : CVE-2022-48624 CVE-2024-32487
Debian Bug     : 1064293 1068938 1069681

Several vulnerabilities were discovered in less, a file pager, which may
result in the execution of arbitrary commands if a file with a specially
crafted file name is processed.

For the oldstable distribution (bullseye), these problems have been fixed
in version 551-2+deb11u2.

For the stable distribution (bookworm), these problems have been fixed in
version 590-2.1~deb12u2.

We recommend that you upgrade your less packages.

For the detailed security status of less please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/less

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmY1UxpfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Rt9Q//RATJdOip2H457Vmye1lZb/mUKci2CJBtj5/JOE1MVH8B0w/Vv5EIWCCa
MaBzfq3Wv9FmkLMIkfLp1IbM1KZ20+tVz9rz2tVHq0vp+fSjw8wurBv4AoFiRyI8
pFwTzXEtwWVPVBhsquvOXLNVuOyNBq4fmAc8ETccvhcm9rODsEh4gxKR/BURJxPF
jckpSv2EnEx/EEwSdFCaeJ5mjGDVN+Sd4V1LldyDLGCbRfY0RuC1hzGsX99o5NZ9
IEt2ZNQ+9OVQQCcpC6ayKtOkPFGKcRKTxhWZ2Q2gNl6tb0bYaQygHlxxRhiqok3G
li898tnb+nI/ZlksblIn6gUwEzBH2a5P0/LJg4iF/N1htz2fv1C+/C8/AVvE9iBr
lTV7RAo1xaIuV4yAgFsv+XJ7YsWtJKSwXkSRHAlcU3OGNmtQUxs6iQUrRJ97ax9L
0O/3wh7dXbmkU42EZlybTxYh7eMi074PzLva7t0im8KwC5sjvH7yLe6jLXCJ2+Kx
4apKfxPwTYn0bBqaeNgBBFHWwlYn+Rkofo4N5VdbFDWaMwctZ2FFLrpn3LQ3Mojn
ssgf/uchU1M8Vpjp01H3Jr0S97nz5cCwE+LlFddMNVlqNL/hA1xU8zNkyRLJcFai
JQVhtvLmuSFOW+FtvTjBB09T3o8lbPKYHacO1/h8/ZB+TKqlwQo=
=tUOa
-----END PGP SIGNATURE-----
[SECURITY] [DSA 5678-1] glibc security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5678-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 03, 2024                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : glibc
CVE ID         : CVE-2024-33599 CVE-2024-33600 CVE-2024-33601 CVE-2024-33602

Several vulnerabilities were discovered in nscd, the Name Service Cache
Daemon in the GNU C library which may lead to denial of service or the
execution of arbitrary code.

For the oldstable distribution (bullseye), these problems have been fixed
in version 2.31-13+deb11u10.

For the stable distribution (bookworm), these problems have been fixed in
version 2.36-9+deb12u7.

We recommend that you upgrade your glibc packages.

For the detailed security status of glibc please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/glibc

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmY1QD5fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Ra3hAAlAcmsW7eSdxGVoa90/83MD/hjEl2PF52Fhh2aCbSohifLlz/fnpg+2Fo
pRsvva5ZK3o5hzTwaLdaNL3MkS80qSGI5LYB24gP7EU6jTkltHoHumQ7X8cQZ8Hn
c0Sp5BK0UI2sfCsL/xtGusk0GnYXzw/SgAvcBSD4bh/xOusZjHa5XA4ox96v+IAN
HAunVpepllXW2T0NrGhq+bdPhTOVn35lNCR3HU6/SrpaldeWl1xT+1mEyuG+0jOd
bAJAC51fR/VMBqv6r37OGyS+62Vu5KETvQf8dCKPeFGMmpc3kZHVtv2y5VtXOdLn
Yl1BdRQRk+AuW+y7MQwdMUxtppzI8y2GJ0cZlprnkFzf0SnC/aCs9gmq6ekrGLlB
JVduPWiwxUjrhaIW4jH+FGFoCE4tUP0fCB/3epq647qkAxz2Op9ApDeySzYRVcuL
74g8vb7lMwlLA0qbRguaqWDj8PQLj1SQH4OyVu2EjfcSB6Kxt+zpJB1rw+AldfCz
AYKiI1qfgCW5i5NzvCfpVDjlQGUyWS/d7G9Z9IRZUryvQALgnxt67HG48u50KXE2
n0kZ3FWyI2unYkTZS3xrtt4CeAE47j3+obCYJ3ZGDct/3cJ2PAcWqbtf2kIt7jFp
xIdCRAGBIuMR/8zbXi6uMsagxQbEUuY4pA2TKrpp37RyN8d+UDY=
=E5yF
-----END PGP SIGNATURE-----
[SECURITY] [DSA 5677-1] ruby3.1 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5677-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 03, 2024                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby3.1
CVE ID         : CVE-2024-27280 CVE-2024-27281 CVE-2024-27282

Several vulnerabilities have been discovered in the interpreter for the
Ruby language, which may result in information disclosure, denial of
service or the execution of arbitrary code.

For the stable distribution (bookworm), these problems have been fixed in
version 3.1.2-7+deb12u1.

We recommend that you upgrade your ruby3.1 packages.

For the detailed security status of ruby3.1 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/ruby3.1

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmY1PxYACgkQEMKTtsN8
TjZftBAAoJ8Fvgz0vhJl8HNpozdLc7nyThu/dZ8QCcSLgCt1xJQYModeC+1PnQds
wTnEXDjWKTVB4N+xot663SmdnKptCgqqI9zb7ZLZQodo9euZAOyT/cXmaa7+/QPg
kULr3rGco8xh2yirKLhoEwpOvVQ7dKePc66Pnj1ni9mnMRCYPRjfXrBsPHkt+KiH
2MAHdeP5Na5rWzlXvKS7W5hRU8siovSnqg5Apc8Zx1MKuOI2ni7dm0i9s9DeWsNT
J54Y5Q+6QxqpajzmowL3dQNHJHebyzRbBWhqOhmQojVkyIY2s0WOOHXRD6gS+wwE
MJGVnluBTAuUHn8JMXHX5A2I5d8vhDkUq1QZZxSjNbNqU/FXKuyfAGKQNvtedesu
10nfq5StWPoV24aKBp+bMuopO6jVExXNvAmPHTpXC59a2N3WBmUuXOas4tJHBTfJ
6XgP6JX8hom24/LUjrS1xOlfCt5BEKoU6FICVv3Vx3Uc8yeBD2/bSxaY/qbotnN7
EgdZ6MhzAga2OxMzSqJJ7iUZLBg3C2A1AdoQRYfp8i9NFu8vvd3Ra3pjn38ELJUa
xQAvpFw6xhuYsY4HyIcHqQ3SnrFRH3DrEHjncD2L9iRZktpKpRJJ5os/Fs1Wd4gJ
wfGic7yfmKOyDQYRPrZgWyyezwHsWy1YeffVXATlBJHvvuXiuFY=
=+u3s
-----END PGP SIGNATURE-----
External check
CVE-2024-4029: missing from list
CVE-2024-4418: missing from list

--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the
status of that id in the tracker at the moment the script was run.
[SECURITY] [DSA 5676-1] chromium security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5676-1                   secur...@debian.org
https://www.debian.org/security/                           Andres Salomon
May 02, 2024                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2024-4331 CVE-2024-4368

Security issues were discovered in Chromium, which could result in the
execution of arbitrary code, denial of service or information disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 124.0.6367.118-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmYzMtsACgkQZF0CR8Nu
djeJow//chgfC7BgVCbwFDpcCT7inL0/ikBr94LbLqd4cFyZaoZ+fDCktwWnw6NQ
J3ua3mR6LoKZs+P8wsvR0nSXgYTPJPCK3Wn4yLK7t4tEZAgyjNIiJhKBtK4H3Y+s
MitgBBxHgslK7nHjxd5gPk9We9qbYH5UihlmbVwHF3O2c2DYXQnloLPn5b7Nbixu
wosZna04+5T03h6jdRbaQuw9ZRM5uy4oqKccdrr9A78TZGL96c7MU1vGOUbkUJp7
LMCnwXA0AJYi+NuB+CRE9q738t4JaY//2pLJw1fL8gney27yii8/J11UiVBfuRB9
622gWNK3wS3ADIORQPBzt8TNWzy+DKg0W9ZbKmsxx0KvGqr8d04MeFDaM4KXH0Cf
NYSt89RzYxtMzlstTu/XkDj8CXNoTQIBrsDHft4/Ty6qs1s+ZWyv7VrF0sj99xdf
DhrIGORUoeQdOe92jDaf9f8vRNDq4E9qPkLPyDbtx5ajDXY8jC/oVXx4lp8ZaLtF
+GctGXQUM7jMPbRq5INP579R6aRv0uXW0niLsn9SYA4I1NbKgqAAGFibJI9LhYdH
ehggFCqzsqzrD9pjLaLflKGoenELAtgQdCRsu3uVFpEygpZJEqvm37ySDDCXIFEV
GfBanWWaeQ3nbQI28+wKuA089kFznuq9ajHcjCeqMKEsj0/j1XI=
=pyNF
-----END PGP SIGNATURE-----
External check
CVE-2024-4369: missing from list

--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the
status of that id in the tracker at the moment the script was run.
External check
CVE-2009-4020: missing from list
CVE-2009-4021: missing from list
CVE-2009-4022: missing from list
CVE-2009-4023: missing from list
CVE-2009-4026: missing from list
CVE-2009-4027: missing from list
CVE-2009-4028: missing from list
CVE-2009-4029: missing from list
CVE-2009-4030: missing from list
CVE-2009-4031: missing from list
CVE-2009-4032: missing from list
CVE-2009-4033: missing from list
CVE-2009-4034: missing from list
CVE-2009-4035: missing from list
CVE-2009-4067: missing from list
CVE-2009-4076: missing from list
CVE-2009-4077: missing from list
CVE-2009-4111: missing from list
CVE-2009-4112: missing from list
CVE-2009-4124: missing from list
CVE-2009-4128: missing from list
CVE-2009-4129: missing from list
CVE-2009-4130: missing from list

--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the
status of that id in the tracker at the moment the script was run.
External check
CVE-2024-22091: TODO: check
CVE-2024-32046: TODO: check
CVE-2024-4182: TODO: check
CVE-2024-4183: TODO: check
CVE-2024-4195: TODO: check
CVE-2024-4198: TODO: check

--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the
status of that id in the tracker at the moment the script was run.
[SECURITY] [DSA 5675-1] chromium security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5675-1                   secur...@debian.org
https://www.debian.org/security/                           Andres Salomon
April 26, 2024                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2024-4058 CVE-2024-4059 CVE-2024-4060

Security issues were discovered in Chromium, which could result in the
execution of arbitrary code, denial of service or information disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 124.0.6367.78-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmYrzngACgkQZF0CR8Nu
djeBDhAAwv8Jjx9kW24nm38S7nkcLfWl8tojuUOvsruQpFoz5fZdDvuDrXwWzOnI
+Nx7sOoAllbiER7mEZI39Qj1IKWaKttmNEtPdt52VApigxFizkgKq7TBdn1cOiSD
fp81ueOkg4UUl4rNTT3IJpzaZuBd7oZJCg2/3DDXzs3j3Ike7nNOYlv936wqxlX9
EBdQv+Y10zsc9MsJNm/Bx1LJKrk2mM4b9q/9COV+QLJvArT4Uv8NrmZ3eu+gv/JN
mmeOG9nfmcz0sGa0Ez+SVq2Gj2wJdLIMM1fO252J5+JGQwM2bP4hRtXtwOoeyjc8
6a57/NI0Ew35Jydr0B/bsYaRLHZ5rz+AVqA5xh98cAUaOvNshrTUVJvlzaoTlXwy
sFQjZZE4Iv3VQcYQcanSi+WidZ/aqbC1RCYVKP73JchGCgGfyZi7f7U9Cq3dIlju
AQ411weneGn6RjSG8AGLZgek0KnQoGM0nXb9Tps27V/sm7+c3N/2xsMEoaZ/yjts
YSSRUlUhi/tRjIlGY73DvQxUxuM3mSMO1+/UVKnKXekIqK8qFvRTBcT96bwc3Eul
pz96kmyFCiZA8JNYtg6VD3WxDPq+Rr6n5rEDO2ZhUfBL5+OOR/nOWqBJjDatUqXK
26ScM2iX1b72UxP6DEWuBL9jIpUfTrein5LNIWu+JvyT6lSfZIM=
=8WgU
-----END PGP SIGNATURE-----
External check
CVE-2005-1467: missing from list
CVE-2005-1468: missing from list
CVE-2005-1469: missing from list
CVE-2005-1470: missing from list
CVE-2005-1476: missing from list
CVE-2005-1477: missing from list
CVE-2005-1519: missing from list
CVE-2005-1531: missing from list
CVE-2005-1532: missing from list
CVE-2005-1544: missing from list
CVE-2005-1625: missing from list
CVE-2005-1636: missing from list
CVE-2005-1686: missing from list
CVE-2005-1689: missing from list
CVE-2005-1704: missing from list
CVE-2005-1705: missing from list
CVE-2005-1730: missing from list
CVE-2005-1739: missing from list
CVE-2005-1740: missing from list
CVE-2005-1751: missing from list
CVE-2024-1347: TODO: check
CVE-2024-2434: TODO: check
CVE-2024-27282: missing from list
CVE-2024-2829: TODO: check

--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the
status of that id in the tracker at the moment the script was run.
[SECURITY] [DSA 5674-1] pdns-recursor security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5674-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 25, 2024                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pdns-recursor
CVE ID         : CVE-2024-25583

It was discovered that PDNS Recursor, a resolving name server, was
susceptible to denial of service if recursive forwarding is configured.

For the stable distribution (bookworm), this problem has been fixed in
version 4.8.8-1.

We recommend that you upgrade your pdns-recursor packages.

For the detailed security status of pdns-recursor please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/pdns-recursor

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmYqrogACgkQEMKTtsN8
TjbKDg//bFtgtpr7H0WEGL6u5aHSqnIU5HNnKDW3rCy7OdHE6GHrnhADszvImyiH
+IkLXb7uEdoL+Hy4A8ymr9KS+w2Ai90NYAjhYexWuTi4Kse0oKGkPYIEfAmeybf6
zduxdsKJUU7x92VwnMybQN9E6g+a0b6c+UyFYPZpUAywTqU5aT4ZH1KwjwFeu1Ab
1Uj0ySEWdd/qe/ZHS6rWB0SKWTjv15L+lx2IcO6dPDQtZA8B9SpOoTQWtIwroQtx
eZrdH/V9O1D796TFFyrrr1afJCBb++nH7f191qDPrkLCaC7/EhVxEqKrbTHaVwqh
OmsSR9kxvvC9wSA+FshgBfJEFSyPbX7TGOvBNjMBVGr1R/NpQeDY4L9Ta1fz6z0E
UpTCuer+QU9bo5A1LMbC4sEwoGRD2/oSdmgiXSnBfJ7HXsrUUVqTeTmkMDSXwAd7
WFI68awRnNuqC4CqOvynbLc19QeH8TDWNpB4dwVevrXjEdVgQANSAJmcOhN/dyyn
C5WoIDOXPHc9TNtGROxhP84Nj5gKgrkCh3bG5uEHycIT0S+PIWZDJvYAm6YoZKX4
6jZqgGSrz5/Foa0dvOlriQRFtVPpODsNSkVce8Uwvyonc1SxvytcNMugEjBP4ePG
XruQ2wy+RZ4VXJvYNnQImrJ1Vvi0CCygRcK4e/4qaq8o3/fofvk=
=PwIZ
-----END PGP SIGNATURE-----
Re: ITA: vpnc -- Cisco-compatible VPN client
Hello Samuel,

On Sun, 2024-03-03 at 20:35 +0100, Sven Geuer wrote:
> Hello Samuel,
>
> On Sun, 2024-03-03 at 18:23 +, Samuel Henrique wrote:
> > Hello Sven,
> >
> > > Would you be kind enough to review my work under my personal repo
> > > [3]?
> > >
> > > If everything looks good to you, would you state you're agreeing to
> > > moving the repository from the Debian group to the Debian Security
> > > Tools Packaging Team? I would raise a ticket with the Salsa Team
> > > then.
> >
> > Your fork is missing commits on the pristine-tar and upstream
> > branches, but other than that, everything looks good.
>
> I just pushed these to branches, thanks for the hint.
>
> > I agree with the salsa move as well.
>
> Excellent! I will request the repo's move.

The vpnc package has been moved to the group recently [1] and I updated
this repo with the changes from my personal repository plus I added
d/salsa-ci.yml.

Would you do a final review and grant DM rights to me?

[1] https://salsa.debian.org/pkg-security-team/vpnc

Thanks,
Sven

--
GPG Fingerprint 3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585

signature.asc
Description: This is a digitally signed message part
Re: golang-github-disintegration-imaging: CVE-2023-36308
Hi Security team,

There's a third party patch for this CVE[2], and at least testing locally
with the PoC in[1] seems to mitigate the issue.

Do you think this is OK to pick and upload?

Maytham Alsudany wrote:
> Hi Anthony,
>
> As you are the uploader for golang-github-disintegration-imaging, I'd like
> your input on CVE-2023-36308 and approval for the proposed patch, before
> any new upload is made.
>
> There has been a failed attempt to inform upstream of this issue at [1],
> and their last commit was 4 years ago, so we're not likely to see a fix
> from upstream.
>
> Instead, I've found a (very minimal) third-party patch at [2] which fixes
> this issue, and have pushed it to the Salsa repo[3].
>
> The original security bug report is attached below.
>
> Kind regards,
> Maytham
>
> On Mon, 15 Apr 2024 21:30:20 +0300 Maytham Alsudany wrote:
> > Package: golang-github-disintegration-imaging
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: normal
> > Tags: security
> >
> > Hi,
> >
> > The following vulnerability was published for
> > golang-github-disintegration-imaging.
> >
> > CVE-2023-36308[0]:
> > | disintegration Imaging 1.6.2 allows attackers to cause a panic
> > | (because of an integer index out of range during a Grayscale call)
> > | via a crafted TIFF file to the scan function of scanner.go. NOTE: it
> > | is unclear whether there are common use cases in which this panic
> > | could have any security consequence
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2023-36308
> >     https://www.cve.org/CVERecord?id=CVE-2023-36308
> >
> > Please adjust the affected versions in the BTS as needed.
> >
> > Kind regards,
> > Maytham
>
> [1]: https://github.com/disintegration/imaging/issues/165
> [2]: https://github.com/kovidgoyal/imaging/commit/68f6e7d
> [3]: https://salsa.debian.org/go-team/packages/golang-github-disintegration-imaging/-/commit/24e17d9e

Best,
Nilesh

signature.asc
Description: PGP signature
External check
CVE-2024-30171: missing from list
CVE-2024-3154: missing from list

--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the
status of that id in the tracker at the moment the script was run.
[SECURITY] [DSA 5673-1] glibc security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5673-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 23, 2024                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : glibc
CVE ID         : CVE-2024-2961
Debian Bug     : 1069191

Charles Fol discovered that the iconv() function in the GNU C library is
prone to a buffer overflow vulnerability when converting strings to the
ISO-2022-CN-EXT character set, which may lead to denial of service
(application crash) or the execution of arbitrary code.

For the oldstable distribution (bullseye), this problem has been fixed
in version 2.31-13+deb11u9.

For the stable distribution (bookworm), this problem has been fixed in
version 2.36-9+deb12u6.

We recommend that you upgrade your glibc packages.

For the detailed security status of glibc please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/glibc

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmYnXlRfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0QQVQ//SFTCEazXKFiaeBQD+lGr4ROP2/rSm0WE682g+Xz7HVLJkLtNyLd7Y4SA
MVNQDlKntGM//MMQiIUsTGxc4Hq/HgMYVvhXZTlmwRaayTUlJ5jY704vrzMbyaTo
iK+88z8SrPwGlHvzzzpNx4/pN8uQYNIK7oLrvCv5ng50Lnh1jBxBTXuEgZQtMq7m
Wlo8B+nAaZQKpxHJK+ilNx9kT0g6au4FD+KXzyISBwz4KBEqb10fToHYzl/Wf209
boG9CAbn/rgTM0/wvXb3kDPc3k6yDk+6NI9NVqXSHzkpvbtBJxNi/crnR1Mu7KAh
MGqKC9pq6t8zL9v6YV9lGuL/dFBOg+bihsZ3dVyX0B6PDqvmRyZ5lDGZKiiS2jWT
RxWoEnM9JdzADd6bbJTICNbFgKNIzmcSxPgfS6/wRp0R679wrq+jhxhAhSNN1ozh
dQciRKiLfguTTI4HTRH42frSdXRFue4W48s7LS+Fy0oAaxUza5QNrsFgP9tPBFKl
t9ehi3sXqzWTD+Tl51np1dc3yOW9xq0btlUejy0W1L6q6POKIkRrNllVczWJixOA
UwuWY4u6zrcX1wgDRSmUsG8k4seHoH7EpfTIaaQ4qgPGalG+9r6ZrMApUS0eOVzd
ure7Qo7w6w/UGRxCsuU7pToZlkiHwOlimd7lAGqNMJwofDKbc8k=
=8z2B
-----END PGP SIGNATURE-----
Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)
Hello everyone,

I've done some small updates to the proposal, mostly improving readability
and making my suggestion more clear. v2 below:

I would like to propose something which will lower the amount of reported
false-positive CVEs to our users by about 20%.

# tl;dr

We don't have a unique way of stating that a CVE does not affect us when we
don't build the affected package's feature or hardening blocks exploits.
This leads to our users being required to manually distinguish which CVEs
affect them and which don't.

I propose we mark those cases as not-affected.

Alternatively, I mention an option to create a new state to indicate that
the resulting package is not affected due to the build options. I also
explain why that's not my preferred approach.

# Problem statement

The possible outcomes of a CVE assessment in our security-tracker are[0]:

> | | | | | |

We also have the following severity levels [0]:

> SEVERITY_LEVEL : (unimportant) | (low) | (medium) | (high)

"unimportant" being defined as:

> unimportant: This problem does not affect the Debian binary package, e.g., a
> vulnerable source file, which is not built, a vulnerable file in
> doc/foo/examples/, PHP Safe mode bugs, path disclosure (doesn't matter on
> Debian). All "non-issues in practice" fall also into this category, like
> issues only "exploitable" if the code in question is setuid root, exploits
> which only work if someone already has administrative privileges or similar.
> This severity is also used for vulnerabilities in packages which are not
> covered by security support.

We have a problem in the way we assess CVEs when the generated package is
not affected (but the source code contains the vulnerability). Our current
process is to set "no-dsa" and lower the severity to "unimportant",
although it's also possible that in some cases people are making use of
"ignored", which represents "won't fix".

The result is that "unimportant/no-dsa" CVEs can mean two things:

1) We are affected but the severity is too low, e.g.: packages not covered
   by security support, the CVE is considered a non-issue by our
   security-team but we are still affected...

2) We are definitely not affected since we don't build that feature of the
   software or we have hardening in place which prevents this from being
   exploited.

This leads to our users, who are interested in knowing which CVEs affect
their systems, having to check the notes of every CVE on security-tracker
to filter out the false-positives.

# Proposed solution

I propose that we start setting CVEs to not-affected also when the
following is true for all officially supported architectures:

* We don't ship the affected source package.
* We don't build the affected feature.
* We have hardening which makes the exploit impossible (only in the cases
  when there's no doubt about it).

If we still want to flag the cases where a build with different flags might
change that assertion, we can use the "(free text comment)" section of the
NOTES[0] to mention it.

Effectively this proposal means I would push an MR updating the
documentation at [0] and start changing those CVEs to not-affected. I'm not
asking for anyone to do the work.

# Stats

As a way of sampling the impact of this issue, I've done a high-level check
on how many sets of affected package-CVE we have in our debian:stable
docker image[1].

Out of the 82 affected package/CVE pairs, 15 were clear cases of our
packages not being affected. Out of the rest of those, the majority are
other cases where we are reporting non-issues, but those require a deeper
investigation so I don't want to assume they also fall under this case.

So 18% of the reported affected packages are false-positives. Based on what
I've seen, I believe this is a fair estimate to extrapolate.

I've listed some examples to this issue at [2].

# Alternative solution

If using the "free text comment"[0] is not a good enough way of stating
that only the source contains the vulnerable code:

## A1) Add a new sub-state "only-source-vulnerable", to be used in addition
to "not-affected"

## A2) Add a new mutually exclusive state to the set:
"not-affected-build-artifacts"

I don't like these approaches because they increase the complexity of our
process (a new state is more costly than a free text mention) where there's
not a clear benefit/motivation. What's the value in saying the sources
carry the vulnerable code? If someone does their own modified build of a
package, all bets are off and that's not an official package.

It should also be mentioned that identifying cases where only the
source-code is vulnerable will never be done perfectly due to how easy it
is to miss a bundled library which is not used. For example, rsync bundles
zlib and we do not set rsync as affected for all zlib CVEs (rsync does not
use the bundled lib), would we like otherwise to be the case?

Coming up with a new state is confusing as systems/people reading that
might end up parsing it as "affected".
[SECURITY] [DSA 5672-1] openjdk-17 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5672-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 22, 2024                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-17
CVE ID         : CVE-2024-21011 CVE-2024-21012 CVE-2024-21068 CVE-2024-21094

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service or information disclosure.

For the oldstable distribution (bullseye), these problems have been fixed in version 17.0.11+9-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in version 17.0.11+9-1~deb12u1.

We recommend that you upgrade your openjdk-17 packages.

For the detailed security status of openjdk-17 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-17

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmYmcqoACgkQEMKTtsN8
TjYjzw/+MwGuvMC25asTYdrFA08Ir85aJ3hj14N43NoquAO/i9NIZaGYv7sau1xp
boHiGg9QnDkXbV/5CGwsnRUNsvHrgC8t17Tjebh795s/v22Z+77pePTiaXC9Sj06
lnVaDYX/WWfCSJL2p5teKgzL032hN4Crmihkmg/wSvwSi8q4k/lIMBZFg2JfTZS3
buZiqaviUH0jJZUnbJYtlPasC9YNnCO9WAzHTC1TfLDS9ATLymCHAeBs0Heny2W1
V68xbN+nVsAa6+kwUZCU8wppwaE+Uvnc+SO4mra8PrhPdw//AiU8/ZplKH2fNYfA
lgkId/itLJKqlELvm7h8WhGvi4QvbDvB/QYveW8phYwWWeoHPOUGLqJZDbxk0w96
PjTDgiwHzkjMKSp+Y9Eb2XKrhz2l5poBPsKy8e0qkF+I+euALwoEPZs2YZ3jcIE6
l5RR00UiYPLZLfvZ93HQKjlo85QyjByruHWIxo3hrK1oFo71vMFsBXpafRP6qOre
txnkSd/i1yzeHTZmmyUnIF05G5EUVMTaRBrsCVTONA6rAK69+GQrWj87bkrhZEcu
vuuyoFiNDi4zEO09y70QbIyrPjc0bD7gKdvxKVlzTovdIYcU7paMIVdFmIliF4GQ
lkO5hWE+7aUZzr0JvD2TilUGUXRheqE0e6e3CbGZnNmCMi7doIQ=
=seiM
-----END PGP SIGNATURE-----
[SECURITY] [DSA 5671-1] openjdk-11 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5671-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 22, 2024                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-11
CVE ID         : CVE-2024-21011 CVE-2024-21012 CVE-2024-21068 CVE-2024-21085 CVE-2024-21094

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service or information disclosure.

For the oldstable distribution (bullseye), these problems have been fixed in version 11.0.23+9-1~deb11u1.

We recommend that you upgrade your openjdk-11 packages.

For the detailed security status of openjdk-11 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-11

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmYmH9YACgkQEMKTtsN8
TjaKAA//fw8DPGbtJdWNqxvG+mFaHqdTCuy+kBfa63IJ2pdM0q8e4vI4QwwvKYks
dFsDL4u/wX9VKSUxcFyrX1lfP1gcZkFClVGDU2u/t4rbDCNpyRHRxxO7On9Q/EJ8
cRH7ncEi1BeSSMYgPAF2Bnm8KNDD4TRBH94MMpppAopPsesBsibP/8oNjjk2X2MT
Cdt0VZ+NH+lb93OW2bKyd0toU75I1/yuN4Xc4m+iUgDFnYLadkYBiUoyL/p2BMas
myXpEgxrdOj4x/yiOCi8LwIwFkB2BnQtjYfYKk5c1l4c40TaGzkYHHFTfTLYsq5i
LSzPRwMnysiHPZvVQTMaUQrGZRG1Qm6v5mrvSpLq8uiypz9gDTY1xmJ01U+iDnfl
lpBhqXjhHOdep3XOT0pbcHYtd4xuO2nxiNb0rv3NyfJfEUqe3y1gaa0GOuBPzKJV
jda9g4lzu0GLGxuQ+fHfPKjXMJRyeVisis1XxZ1kEcJIArOE+vOwngTwpQf1n0Pm
8gVGKmZm5pmbC/CQCy9gai6UBeaH13cIYxQylL6lD1kBjardVAB0C3u3jaNKGPlJ
Rqn2ZhV+XahLlK93D4bOEEg5eh4U5iNRG4OwiN/iIQmSoSUDcFRktLuEQQSwkQ+d
O5KAw8SwwpPgKwIM176O+xeCdkPPjWbBosnHmkrvfEmw3zWFRNY=
=i85/
-----END PGP SIGNATURE-----
[SECURITY] [DSA 5670-1] thunderbird security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5670-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 22, 2024                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854 CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3864

Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

For the oldstable distribution (bullseye), this problem has been fixed in version 1:115.10.1-1~deb11u1.

For the stable distribution (bookworm), this problem has been fixed in version 1:115.10.1-1~deb12u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmYmEi4ACgkQEMKTtsN8
TjYidA/+PvxudnviZz8CZMPFH9PTFAVbrhZKW0Ns4GS+Y4+oSZJycTroYQSukfE0
Suame/p8jYTCkeKhQ+oF1cjPgVbEmgpAx4aMXHeRTMpsTNUA/S1xdcnqalEWL/4m
TJJuB2jLIdq8b0fKnbsK4jItc5N5IyXKubQ51SUl+IkVi3LCohChMhv8lx3XfSZd
p/x5JXXkoG7fbjVcpy+G55hS3DemUGe9p2fZyT7cXdeq7C6KhKbf42i41iZysc7h
Osa/rYVw1rCAoDg46/lBEoUydXsagYQMk9BQkWLygwn45zll2JBDL/shjwTTUL97
jj166GcimA3L3NA6tt062XDrlF2dELxSbtX6Cgef+6BBDt8f4xsk+AjCLdZN5bQ4
/C7DVhzrLUecTxp93vapLsmQAlSc/7F3aXJD6mNfrIX4qG1iREhjt09bxmuDua5W
du4ppHPqTioWPP1aCFnXp1G3UFkcW/Q6gp54sfJOWla+S2bBaq/2AS4qMq8rCz1Y
I52XYMWMQ4lCfC2ObeGfkPaOLWcYIGn8s8tYCp1ke6AHbKhivz+ccUZ5nZT6GdL9
kBitHRL4bPKgXXKKUYxdNwOngVV6AuoX+JRhwyFH4vmKjBH6YnqiK8WHUd0sWXsI
3QFiYZCplDAL30vLOw8vk5oq2j2T6SgmzO/AkOI+0oN7MaB7F8U=
=9I0b
-----END PGP SIGNATURE-----
[SECURITY] [DSA 5669-1] guix security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5669-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 22, 2024                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : guix
CVE ID         : CVE-2024-27297

It was discovered that insufficient restriction of unix daemon sockets in the GNU Guix functional package manager could result in sandbox bypass.

For the oldstable distribution (bullseye), this problem has been fixed in version 1.2.0-4+deb11u2.

For the stable distribution (bookworm), this problem has been fixed in version 1.4.0-3+deb12u1.

We recommend that you upgrade your guix packages.

For the detailed security status of guix please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/guix

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmYmEj0ACgkQEMKTtsN8
TjadOg//QNwxj1LaUW92byZO1DaMWzwnPElHIwwgTUIWj2NCxZQbumPb6PF0AnYq
n15GcHY1y3jvJ9VnvLI7uns82Gtjqhr9m/sfrDnX/9JPlLBNXTdjQ3/mpECUp6aU
BvN+kmw4irmsfXqtWR33nrdxID+/mCuDfDHM0Cl64JSbrntqOhpRbkML3DNOdWs0
h6BeIhFRoGkLLzh2M8U9uyivrLwrlf8ONem4kmn0xtRowc2Y/0GSg/fJIJPwR3/K
j8FmuydKkm3oVNITr2z2f+b9mzSxXbC7tOgoA6o7Vuxc3Ha7cGn9DojFWKV5DCPv
VFMKjeos9ELIetmSA/GtSMqTn5rV2QlRWHvUnxtGTyewHsz4j/cXXo5F59f+t2zB
LZ8aAlzbM5c5/ZVhQVNnuzY8ueaPkOAyFkdawPjSTis0S0KYjgz9/4F8peYNEyJ7
GUgS2b9aXp3j1dLPKjXDXHXUNL3quemK3aUZCZElgsGN6oHZnOvf/t04jL9BN0/o
gL7wShs2ZsS/AQ7HRQ+OuYTTcs8patbgitCKI74u8oS/ArrG/U4TfgKhwqFaAICX
x5cJFreSKzhTQWIhGaxPY73s1zDy5KyLBQjQ67DPbqqYcCC0SwrUFegYrOllORnj
TLlkkG7vkelx/PxYqzy+YrWeoHt/jdSTR8j5bn1XEYPa/4MZrIg=
=0oSL
-----END PGP SIGNATURE-----
External check
CVE-2023-50186: missing from list
CVE-2024-31463: TODO: check
CVE-2024-31745: TODO: check
CVE-2024-32473: TODO: check

--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
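Both threads above are about reading the tracker's per-CVE state lines: the "not-affected" proposal turns on what the state tag and its free-text comment say about a package, and the External check output reports, for ids known elsewhere, whether the list has them and in what state. The following Python is an added example, written for this page and not code from the security-tracker project, that parses a constructed excerpt in the shape of the tracker's `data/CVE/list` file (`- package <state> (comment)` lines, optionally prefixed with `[release]`; the layout is assumed from the public data file, and every CVE id, package, version and comment is invented), triages package/CVE pairs the way a user currently has to by hand, and produces a "missing from list" / "TODO: check" report of the kind shown above. The `NOT_AFFECTED_HINTS` phrase list and the function names are this example's own assumptions.

```python
import re

# Constructed sample in the shape of a security-tracker data/CVE/list excerpt.
# Every CVE id, package, version and comment below is invented for this example.
SAMPLE_LIST = """\
CVE-2024-0001 (Heap overflow in the bundled zlib copy)
\t- rsync <not-affected> (bundled zlib is not used)
\t- zlib 1:1.3.dfsg-1
CVE-2024-0002 (Crash in the optional XYZ codec)
\t- examplepkg <unimportant> (XYZ codec not built in Debian)
CVE-2024-0003 (Stack overflow when parsing config)
\t- examplepkg 2.1-1 (bug #900001)
\t[bookworm] - examplepkg <no-dsa> (Minor issue; mitigated by stack protector)
CVE-2024-0004 (Use-after-free in network code)
\t- otherpkg <unfixed>
CVE-2024-0005 (Integer overflow in image decoder)
\t- otherpkg <unimportant> (Minor issue)
CVE-2024-0006 (Not yet triaged)
\tTODO: check
"""

# One "- package <state> (comment)" or "- package version (comment)" line,
# optionally prefixed by "[release]". NOTE:/TODO:/{DSA-...} lines do not
# match and are skipped by the parser. Line shape is an assumption.
ENTRY_RE = re.compile(
    r"^(?:\[(?P<release>[^\]]+)\]\s+)?-\s+(?P<pkg>\S+)"
    r"(?:\s+(?:<(?P<state>[^>]+)>|(?P<version>[^\s(]+)))?"
    r"(?:\s+\((?P<comment>[^)]*)\))?\s*$"
)

# Comment phrases that, under the proposal, would justify "not-affected"
# outright (feature not built, bundled code unused, exploit blocked by
# hardening). This list is the example's own heuristic, not tracker
# vocabulary; a hit is only a candidate for a human to confirm.
NOT_AFFECTED_HINTS = ("not built", "not used", "not compiled", "disabled",
                      "mitigated", "hardening")


def parse_list(text):
    """Return one dict per package line, each carrying the CVE id it belongs to."""
    entries, cve = [], None
    for raw in text.splitlines():
        if raw.startswith("CVE-"):
            cve = raw.split()[0]
            continue
        m = ENTRY_RE.match(raw.strip())
        if m and cve:
            entries.append(dict(m.groupdict(), cve=cve))
    return entries


def classify(entry):
    """Map a package line to the triage class a user currently works out by hand."""
    state, comment = entry["state"], (entry["comment"] or "").lower()
    if state == "not-affected":
        return "not-affected"
    if state in ("unimportant", "no-dsa", "ignored", "postponed"):
        if any(hint in comment for hint in NOT_AFFECTED_HINTS):
            return "not-affected-candidate"  # the false-positive class the proposal targets
        return "unimportant"
    if state == "unfixed":
        return "open"
    return "fixed"  # a bare version means "fixed in that version"


def triage(text, packages):
    """Group (cve, pkg) pairs for the given source packages by triage class."""
    result = {}
    for e in parse_list(text):
        if e["pkg"] in packages:
            result.setdefault(classify(e), []).append((e["cve"], e["pkg"]))
    return result


def external_check(text, ids):
    """For ids known elsewhere, report what the list currently says about each."""
    todo, cve = set(), None
    for raw in text.splitlines():
        if raw.startswith("CVE-"):
            cve = raw.split()[0]
        elif cve and raw.strip().startswith("TODO:"):
            todo.add(cve)
    by_cve = {}
    for e in parse_list(text):
        by_cve.setdefault(e["cve"], []).append(
            f"{e['pkg']} <{e['state'] or e['version']}>")
    report = {}
    for cve_id in ids:
        if cve_id in todo:
            report[cve_id] = "TODO: check"
        elif cve_id in by_cve:
            report[cve_id] = ", ".join(by_cve[cve_id])
        else:
            report[cve_id] = "missing from list"
    return report


if __name__ == "__main__":
    for cls, pairs in sorted(triage(SAMPLE_LIST, {"rsync", "examplepkg", "otherpkg"}).items()):
        print(f"{cls:24s} {len(pairs)}  {pairs}")
    for cve_id, status in external_check(
            SAMPLE_LIST, ["CVE-2024-0001", "CVE-2024-0006", "CVE-2024-9999"]).items():
        print(f"{cve_id}: {status}")
```

Running it against a real `data/CVE/list` checkout is a matter of replacing `SAMPLE_LIST` with the file contents and `packages` with the source packages behind an installed image; the "not-affected-candidate" bucket is exactly the set the proposal would fold into "not-affected", and its size relative to the other buckets is the kind of ratio the Stats section reports.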