Source: roundcube
Version: 1.6.6+dfsg-2
Severity: important
Control: found -1 1.6.5+dfsg-1~deb12u1
Control: found -1 1.4.15+dfsg.1-1~deb11u2
Control: found -1 1.3.17+dfsg.1-1~deb10u5
Tags: security upstream
Roundcube webmail upstream has recently released 1.6.7 [0] which fixes
the following
Hi,
On Tue, 16 Apr 2024 at 21:35:22 +0200, Salvatore Bonaccorso wrote:
> The following vulnerability was published for python-idna.
>
> CVE-2024-3651[0]:
> | potential DoS via resource consumption via specially crafted inputs to
> | idna.encode()
I'm preparing an update for this issue for Buster
Control: tag -1 pending
Hi,
On Tue, 26 Mar 2024 at 13:44:28 +0100, Simon Chopin wrote:
> interimap is packing structs that are sensible to the time_t transition.
> Please see the attached debdiff as a *very* crude attempt to fix it in
> Ubuntu. I'm hoping it'll be possible to come up with a
Package: release-notes
Severity: wishlist
Hi,
cryptsetup 2:2.7.0~rc0-1 has a backward incompatible change for plain
mode when relying on defaults cipher and password hashing algorithm.
The change affects users upgrading from bookworm to trixie. Plain mode
is generally advised against but it
Hi Tomasz,
On Fri, 5 Apr 2024 at 01:11:41 +0200, Tomasz Buchert wrote:
> Looking into older versions and appropriately patching them will take
> more time.
I'm preparing an update for this issue for Buster LTS and can hand
tested debdiffs over to the Security Team for newer suites if you'd
like.
On Sat, 27 Apr 2024 at 02:07:21 +0200, Christoph Anton Mitterer wrote:
> So you say it's a glibc thingy, that this doesn't show up anymore?
Yup, that's what I wrote https://bugs.debian.org/1032235#97
| It was intentional, see the article
|
Hi,
On Sat, 27 Apr 2024 at 00:33:51 +0200, Christoph Anton Mitterer wrote:
> Now the problem is that argon2 is statically linked, so there's no
> libpthread showing up in its ldd, and thus copy_exec doesn't realise it
> needs to invoke copy_libgcc.
Even it weren't, libpthread wouldn't show up
Control: reassign -1 dropbear-bin 2022.83-1+deb12u1
Control: retitle -1: The 'no-agent-forwarding' key restriction disables server
alive message support
Control: tag -1 upstream
On Wed, 24 Apr 2024 at 18:38:26 +0200, Guilhem Moulin wrote:
> On Wed, 24 Apr 2024 at 17:10:57 +0200, Guilhem Mou
Control: tag -1 - moreinfo unreproducible
On Wed, 24 Apr 2024 at 17:10:57 +0200, Guilhem Moulin wrote:
>> It should be trivially reproducible by running `ssh -o ServerAliveCountMax=3
>> -o ServerAliveInterval=1 root@yourdropbearserver`. The client should then
>> disconne
On Wed, 24 Apr 2024 at 16:32:09 +0200, Lee Garrett wrote:
> Although the dropbear man page is not explicit, I'm assuming it refers to
> TCP keepalive.
I think this assumption is incorrect:
https://sources.debian.org/src/dropbear/2024.84-1/src/common-session.c/#L497
> It should be trivially
Control: tag -1 unreproducible moreinfo
Hi,
On Wed, 24 Apr 2024 at 14:42:43 +0200, Lee Garrett wrote:
> After some debugging, it turns out that ServerAliveInterval != 0 will cause
> the
> ssh client to reset the connection, which dropbear will count as unlock
> attempt,
> and after three tries
Hi Chris,
On Mon, 22 Apr 2024 at 01:43:26 +0200, Chris Hofstaedtler wrote:
> I've prepared an NMU for netcat-openbsd (versioned as 1.226-1.1) and
> uploaded it to DELAYED/7. Please feel free to tell me if I
> should delay it longer.
Ooops sorry, that bug fell off-screen. No issue with the NMU,
Control: reopen -1
Control: tag -1 - unreproducible moreinfo
On Sun, 14 Apr 2024 at 21:26:25 +0200, Guilhem Moulin wrote:
> At this point something triggered rebuilding a new initramfs image, but
> that's not src:cryptsetup as none of its binary packages have been
> upgraded yet.
On Sat, 13 Apr 2024 at 10:06:32 -0400, Wesley Schwengle wrote:
> I had the same issue a while back, because of the t64 transitioning I chaulked
> it up to that. I fixed it as described in Ubuntu bug:
>
> https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1958594
libcryptsetup12
On Fri, 12 Apr 2024 at 14:37:16 +0200, Guilhem Moulin wrote:
> What is that “GUI” view? src:cryptsetup doesn't provide that, I wonder
> if it might be what needs libphtread.
FWIW, I later noticed you used a splash screen (plymouth) and thought it
might be because of that, but I still
Control: tag -1 + unreproducible moreinfo
On Fri, 12 Apr 2024 at 12:45:09 +0200, Milan Broz wrote:
> Just FYI (for upstream code): if cryptsetup/libcryptsetup is linked with
> OpenSSL >= 3.2,
> it does not need libphtread (as threads are implemented in OpenSSL for Argon2
> internally).
Thanks
On Sat, 06 Apr 2024 at 13:37:23 +0200, Christian Schwamborn wrote:
> Just out of curiosity: Why aren't those patches the current stable
> bookworm package of roundcube-plugins-extra included?
Because the issues were not fixed in time for the Bookworm freeze. An
upload to bookworm-backports might
On Tue, 19 Mar 2024 at 13:50:34 +0100, Daniel Gröber wrote:
> Ah, that makes sense. Well that's easy enough for me to fix then not sure
> how I missed that while staring at the hook script. I really should have my
> green tea before reporting bugs ;)
>
> Sorry for the noise.
No worries :-) I
Control: tag -1 moreinfo
Hi,
On Tue, 19 Mar 2024 at 12:37:08 +0100, Daniel Gröber wrote:
> In that setup there's really no point to reusing the hosts' private
> keys and expose them in the initrd unencrypted.
Agreed, but AFAICT that's not the case anymore since 2015.68-1. New
host keys are
Hi Sebastian,
Great to hear OpenSSL 3.2 will soon be entering sid! :-)
On Wed, 06 Mar 2024 at 07:59:53 +0100, Sebastian Andrzej Siewior wrote:
> I'm currently puzzled where to look at. Could you please have a look?
It seems openssl-req(1ssl) now generates X.509 version 3 certificates by
Hi Helmut,
On Tue, 27 Feb 2024 at 14:28:33 +0100, Helmut Grohne wrote:
> Please reupload the patch to experimental (with a version higher than
> unstable) assuming that cryptsetup-nuke-password will use version 5 as I
> am in contact with Raphael Hertzog.
Done in 2:2.7.0-1+exp2. Note though
found in the ‘cryptsetup’ binary
package have spewed a loud warning for plain devices from crypttab(5)
where ‘cipher=’ or ‘hash=’ are not explicitly specified. The
cryptsetup(8) executable now issue such a warning as well.
-- Guilhem Moulin Wed, 29 Nov 2023 17:19:10 +0100
Also the
On Tue, 27 Feb 2024 at 13:19:16 +0100, Helmut Grohne wrote:
> Can you explain why you reverted? We need this change in unstable
> sooner rather than later to move forward with base-files and I already
> announced my intention to NMU.
The first message of this bug reads:
| * Please upload these
On Wed, 14 Feb 2024 at 13:58:00 +, Patrick Schleizer wrote:
> This is not a bug in a downstream distribution.
> […]
> Could this be fixed in Debian please?
I don't see how this would be a bug in cryptsetup-initramfs when
mkinitramfs(8) explicitely says DESTDIR should not be mounted with the
Control: reassign -1 roundcube-mysql
Control: tag - 1 unreproducible
On Tue, 13 Feb 2024 at 11:47:12 +, Andrew Gallagher via
Pkg-roundcube-maintainers wrote:
> When upgrading roundcube to the latest version, the mariadb schema
> upgrade fails due to a missing table "roundcube.filestore".
>
Control: tag -1 moreinfo
Hi,
On Fri, 02 Feb 2024 at 18:44:43 -0500, abrasamji wrote:
> update-initramfs log excerpt with set -x:
>
> Calling hook cryptkeyctl
> + PREREQ=cryptroot
> + . /usr/share/initramfs-tools/hook-functions
> + [ ! -x
On Thu, 01 Feb 2024 at 17:08:39 +0100, Jordi Mallach wrote:
> Upstream fixed this in
> https://github.com/roundcube/roundcubemail/commit/504cdb89a5ed2c0c3491f99abb206dfb42b1200b
> and the patch applies well to the bookworm branch.
That branch aims at following upstream's 1.6.x so I'm reluctant
On Thu, 25 Jan 2024 at 04:44:12 +0100, Guilhem Moulin wrote:
> [ Changes ]
>
> Fix CVE-2023-34194: Reachable assertion (and application exit) via a
> crafted XML document with a '\0' located after whitespace.
Per https://bugs.debian.org/1061473#12 I guess you'd like CVE-2023-40462
t
Control: tags -1 - moreinfo
On Mon, 29 Jan 2024 at 21:55:37 +, Adam D. Barratt wrote:
>
> On Thu, 2024-01-25 at 04:45 +0100, Guilhem Moulin wrote:
>> Fix CVE-2023-34194: Reachable assertion (and application exit) via a
>> crafted XML document with a '\0' locate
Control: reassign -1 roundcube-core 1.6.6+dfsg-1
Control: forwarded -1 https://github.com/roundcube/roundcubemail/issues/5051
Control: tag -1 upstream
On Sat, 27 Jan 2024 at 15:38:43 +0100, BohwaZ wrote:
> I am suggesting this patch here as upstream doesn't want to fix
> this longstanding issue:
to 4G as the previous size was
+too small for bullseye-security updates (kernel etc.).
+ * Salsa CI: Target bullseye and disable lintian job.
+
+ -- Guilhem Moulin Fri, 26 Jan 2024 12:00:26 +0100
+
dropbear (2020.81-3) unstable; urgency=medium
* Initramfs: Use 10 placeholders in ~root
end up with a
+connection for which some security features have been downgraded or
+disabled, aka a Terrapin attack. (Closes: #1059001)
+
+ -- Guilhem Moulin Fri, 26 Jan 2024 10:01:00 +0100
+
dropbear (2022.83-1) unstable; urgency=medium
* New upstream release 2022.83. Support
after whitespace.
+(Closes: #1059315)
+
+ -- Guilhem Moulin Thu, 25 Jan 2024 04:27:36 +0100
+
tinyxml (2.6.2-6) unstable; urgency=medium
* Import fix for CVE-2021-42260.
diff -Nru tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch
tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch
' located after whitespace.
+(Closes: #1059315)
+
+ -- Guilhem Moulin Thu, 25 Jan 2024 04:12:05 +0100
+
tinyxml (2.6.2-4+deb11u1) bullseye; urgency=medium
* Import fix for CVE-2021-42260.
diff -Nru tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch
tinyxml-2.6.2/debian/patches/CVE-2023-34194
On Thu, 25 Jan 2024 at 03:54:46 +0100, Guilhem Moulin wrote:
> [x] attach debdiff against the package in oldstable
Oops, doing that now :-)
--
Guilhem.
diffstat for xerces-c-3.2.3+debian xerces-c-3.2.3+debian
changelog |
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: xerce...@packages.debian.org
Control: affects -1 + src:xerces-c
[ Reason ]
xerces-c 3.2.3+debian-3 is vulnerable to CVE-2023-37536 (Integer
overflows in
Hi,
On Tue, 19 Dec 2023 at 09:08:00 +0100, Salvatore Bonaccorso wrote:
> The following vulnerability was published for dropbear.
>
> CVE-2023-48795[0]:
> […]
> Dropbear commit [1] implements the Strict KEX mode as well. In my
> understanding of [2] the issue might be less of a security concern
Hi,
On Tue, 23 Jan 2024 at 10:15:02 +0100, Raphael Hertzog wrote:
> when do you plan to upload a cryptsetup moving the files to /usr?
I can have a look after the week-end or in early February. There are
other issues I'd like to fix in the next upload.
| I see that this may sound scary. We'll
On Sun, 31 Dec 2023 at 22:07:07 +0800, YunQiang Su wrote:
> systemd-cryptsetup doesn't have suspend support.
> cryptsetup-suspend will fails.
Hence a wishlish bug? :-) FWIW I'm part of the cryptsetup packaging
team, which is upstream for cryptsetup-suspend. cryptsetup-suspend
supports all
On Sun, 31 Dec 2023 at 21:22:36 +0800, YunQiang Su wrote:
>> Is there any reason to not just use systemd-cryptenroll?
>
> Yes. I tried to use systemd-cryptenroll, while it cannot work with
> cryptsetup-suspend.
> I need a way to suspend or hibernate without disks decrypted.
Seems like this should
Hi,
On Sun, 31 Dec 2023 at 18:49:30 +0800, YunQiang Su wrote:
> 2 mthods are supported for 2 FA:
> - Yubikey Challenge
> - TPM2 Keypair
If your concern is to make these work with cryptsetup-initramfs, there
are #1023700 and #1031254 open against src:cryptsetup. The plan is to
have that in
Hi,
On Thu, 28 Dec 2023 at 13:28:53 -0500, de...@blough.us wrote:
> Thanks for doing this.
>
> I don't have a lot of free time at the moment, so please feel free to NMU.
Thanks for the fast reply! 3.2.4+debian-1.1 is now in trixie, you'll
find the commits and tag at
On Sat, 30 Dec 2023 at 21:02:16 +0100, Felix Geyer wrote:
> There are some minor changes staged in the salsa git repo. It would be good
> to include them as well. Feel free to push the patch to git and upload.
> Alternatively a merge request works as well of course.
Thanks for the fast response!
, bookworm and sid, evade the
infinite loop by blindly advancing the pointer.
Cheers,
--
Guilhem.
[0] https://www.forescout.com/resources/sierra21-vulnerabilities
From: Guilhem Moulin
Date: Sat, 30 Dec 2023 14:15:54 +0100
Subject: Avoid reachable assertion via crafted XML document with a '\0'
lo
Hi,
Upstream has now released 3.2.5 which fixes the issue
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12352411=Text=10510
The fix can be found at
https://github.com/apache/xerces-c/pull/54
Control: tag -1 - moreinfo
Hi,
On Thu, 21 Dec 2023 at 21:59:40 +, Jonathan Wiltshire wrote:
> On Mon, Dec 18, 2023 at 02:10:20PM +0100, Guilhem Moulin wrote:
>> [ Reason ]
>>
>> 1. cryptsetup-suspend 2:2.6.1-4~deb12u1 was found incompatible with
>> systemd 254.1
)
+
+ [ Guilhem Moulin ]
+ * add_modules(): Change suffix drop logic to match initramfs-tools.
+ * Fix DEP-8 tests with kernels shipping compressed modules.
+ * d/salsa-ci.yml: Set RELEASE=bookworm.
+
+ -- Guilhem Moulin Mon, 18 Dec 2023 03:41:04 +0100
+
cryptsetup (2:2.6.1-4~deb12u1) bookworm; urgency
On Sun, 10 Dec 2023 at 19:05:05 +0100, Daniel Huhardeaux via
Pkg-roundcube-maintainers wrote:
> root@wwwmail11:/etc/roundcube# ls -l /etc/roundcube/plugins/jqueryui/
> total 20
> -rw-r--r-- 1 root root 1030 14 oct. 18:34 composer.json
> -rw-r--r-- 1 root root 307 14 oct. 18:34
Control: tag -1 moreinfo unreproducible
Hi,
On Sat, 09 Dec 2023 at 16:37:58 +0100, tootai via Pkg-roundcube-maintainers
wrote:
> -- Configuration Files:
> /etc/roundcube/defaults.inc.php changed:
Hmm I guess we shouldn't ship that file as a conffile, but since
1.4.1+dfsg.1-1 its header reads
Control: tag -1 moreinfo unreproducible
On Thu, 23 Nov 2023 at 12:26:21 +0100, Harald Dunkel wrote:
> If you upgrade your Laptop from Debian 11 to 12, then resume from an
> encrypted swap partition is broken. There is a passphrase dialog at
> boot time as usual, but the image on the swap
Control: tag -1 - wontfix
On Thu, 30 Nov 2023 at 00:22:45 +0100, Guilhem Moulin wrote:
> On Thu, 30 Nov 2023 at 00:13:44 +0100, Dmitry Katsubo wrote:
>> For the subsequent calls I ma not sure – I've got an impression that
>> this service is run only once at system startup.
>
&
On Thu, 30 Nov 2023 at 00:13:44 +0100, Dmitry Katsubo wrote:
> For the subsequent calls I ma not sure – I've got an impression that
> this service is run only once at system startup.
No, it's supposed to run once a day at 00:05 local time, see the
associated .timer unit.
If the impact is only
On Wed, 29 Nov 2023 at 19:48:09 +0100, Dmitry Katsubo wrote:
> After= is not the same as Requires=
> If the service is not present, it is just noop.
> You might wish to add all supported RDBMS into After=.
One could also imagine systems where one (or more) of these .service
files exists but isn't
On Wed, 29 Nov 2023 at 14:11:09 +0100, William Desportes wrote:
> I had put an interface name: ens9.123 thinking it would take the VLAN tag.
> But it triggered the crash. Removing the ".123" fixes it.
That's #1015287.
As written in msg#42 dropbear-initramfs doesn't configure the network by
Control: tag -1 moreinfo
On Wed, 29 Nov 2023 at 01:14:27 +0100, Dmitry Katsubo via
Pkg-roundcube-maintainers wrote:
> The service roundcube-cleandb should be run after MySQL/MariaDB is started:
>
> === file /lib/systemd/system/roundcube-cleandb.service ===
>
> [Unit]
> After=mariadb.service
>
>
On Mon, 20 Nov 2023 at 11:24:00 +0100, Yannik Sembritzki wrote:
> I just had a look at your patch. I think it's the right idea to rather use
> what is already there, instead of always creating our own stuff/overwriting
> existing /etc/passwd and /etc/nsswitch.
>
> Thank you!
You're welcome :-)
>
On Mon, 20 Nov 2023 at 10:42:30 +0100, Yannik Sembritzki wrote:
> Would you be open to a two step approach like this:
>
> 1. fix the reproducibility bug
> 2. improve the root directory creation process (I can create another bug to
> track this)
Just pushed
Control: retitle -1 dropbear-initramfs makes initramfs non-reproducible
Control: severity -1 wishlist
Control: tag -1 - patch
Hi,
On Sun, 19 Nov 2023 at 15:45:22 +0100, Yannik Sembritzki wrote:
> One solution would be to simply always use /root-dropbear-initramfs.
I'm not in favour of that
Control: tag -1 wontfix
Hi,
On Tue, 07 Nov 2023 at 10:38:49 +0100, Marco Emilio Poleggi wrote:
> It looks like the file 'opengpg.js.min' for the 'enigma' plugin is
> missing.
This is intentional, see roundcube-plugins.NEWS:
Source: roundcube
Version: 1.6.4+dfsg-1
Severity: important
Control: found -1 1.6.4+dfsg-1~deb12u1
Tags: security upstream
Roundcube webmail upstream has recently released 1.6.5 which fixes the
following vulnerability:
* Fix cross-site scripting (XSS) vulnerability in setting
Source: roundcube
Version: 1.6.3+dfsg-2
Severity: important
Tags: security upstream
Control: found -1 1.3.17+dfsg.1-1~deb10u3
Control: found -1 1.4.14+dfsg.1-1~deb11u1
Control: found -1 1.6.3+dfsg-1~deb12u1
Control: forwarded -1 https://github.com/roundcube/roundcubemail/issues/9168
In a recent
On Thu, 28 Sep 2023 at 18:53:46 +0100, Adam D. Barratt wrote:
> --- a/CHANGELOG.md
> +++ b/CHANGELOG.md
> @@ -1,5 +1,54 @@
> # Changelog Roundcube Webmail
>
> +## Unreleased
> +
>
> That seems wrong, given that you're uploading a released version.
Well spotted but that one is upstream's, see
On Thu, 28 Sep 2023 at 18:26:07 +0300, Martin Dosch via
Pkg-roundcube-maintainers wrote:
> Are there plans to also upload it to stable-pu?
See #1052629
--
Guilhem.
ency=high
+
+ * New security/bugfix upstream release:
++ Fix CVE-2023-43770: cross-site scripting (XSS) vulnerability in handling
+ of linkrefs in plain text messages. (Closes: #1052059)
++ Enigma: Fix initial synchronization of private keys.
+ * d/u/signing-key.asc: Add Alec's key BE
Control: tag -1 + moreinfo unreproducible
Hi,
On Sun, 24 Sep 2023 at 14:42:27 +0200, Eduard Bloch wrote:
> we have a problem here. After latest upgrades, I am no longer able to
> boot into a system with LUKS-encrypted rootfs. This worked just fine a few
> weeks ago. I jumped in circles in the
On Fri, 22 Sep 2023 at 10:56:59 +0300, Guilhem Moulin wrote:
> I'll suggest debdiffs targetting {bullseye,bookworm}-security after
> the week-end.
Oh, didn't see the Security Team tagged this as no-dsa. Will target
{bullseye,bookworm} then.
--
Guilhem.
signature.asc
Descriptio
Control: retitle -1 roundcube: CVE-2023-43770: XSS vulnerability in handling of
linkrefs in plain text messages
On Mon, 18 Sep 2023 at 13:59:47 +0200, Guilhem Moulin wrote:
> I requested a CVE ID for this issue.
CVE-2023-43770 for this. I'll suggest debdiffs targetting {bullseye,bookw
On Thu, 21 Sep 2023 at 13:58:18 +0200, J.L. Fernandez Jambrina wrote:
> Unfortunatelly I don't know how to use setDebug() to see what's is
> being passed to send()
Please see https://github.com/pear/Net_SMTP#debugging to debug Net_SMTP.
> but I used two calls to var_dump() to see it:
AFAICT
Control: tag -1 moreinfo
On Tue, 19 Sep 2023 at 22:39:40 +0100, Tj wrote:
> On reaching initialramfs it fails to unlock either of the LUKS devices;
> eventually dropping to the shell after reporting:
>
> Error: Timeout reached while waiting for askpass.
>
> After using `break=mount` and
Control: tag -1 moreinfo
Hi,
On Tue, 19 Sep 2023 at 12:42:34 +0200, J.L. Fernandez Jambrina wrote:
> As php-mail didn't change in the upgrade and I verified the arguments
> to the MAIL::send method are the same in both cases I suspect from the
> underlying php-net-smtp package, but I can be
Control: tag -1 moreinfo
Hi,
On Mon, 18 Sep 2023 at 10:46:30 +0100, Luca Boccassi wrote:
> With sysvinit scripts no longer being mandatory, the udev one has been
> removed from src:systemd. It is in the process of being adopted by
> src:sysvinit, but being optional and all that might take some
I requested a CVE ID for this issue.
--
Guilhem.
signature.asc
Description: PGP signature
On Mon, 28 Aug 2023 at 01:56:04 +0200, Guilhem Moulin wrote:
> cryptsetup-run has been a transitional package since the buster release,
> and has now been removed following #1038285. Looks like I failed to
> properly check reverse depends; yubikey-luks should replace ‘Depends:
> cr
Source: yubikey-luks
Version: 0.5.1+29.g5df2b95-6.1
Severity: serious
Hi,
cryptsetup-run has been a transitional package since the buster release,
and has now been removed following #1038285. Looks like I failed to
properly check reverse depends; yubikey-luks should replace ‘Depends:
Control: tag -1 pending
On Sun, 09 Jul 2023 at 13:13:55 -0400, David Mandelberg via
Pkg-roundcube-maintainers wrote:
> I tried setting up oauth2 in roundcube, but when the OIDC provider redirects
> back to roundcube, I get an "Oops... something went wrong!" page. When that
> happens,
Control: tag -1 pending
Control: found -1 1.6.1+dfsg-1
On Thu, 10 Aug 2023 at 07:46:40 +0300, Antti Kultanen via
Pkg-roundcube-maintainers wrote:
> in the crontab file /etc/cron.d/roundcube-core file the garbage collector
> is set run 60 times, or every minute from 5:00 to 5:59.
> […]
> Is there
On Tue, 25 Jul 2023 at 14:39:29 +0200, Jonas Smedegaard wrote:
> I have no objections at all - on the contrary: Thanks!
>
> I will have a look at applying the patch to trixie, then - since there
> is unfortunately little hope that the whole Haskell stack will get
> upgrading any time soon, so wi
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pan...@packages.debian.org, Guilhem Moulin
Control: affects -1 + src:pandoc
[ Reason ]
pandoc 2.17.1.1-1.1 is vulnerable to CVE-2023-35936: Arbitrary file write
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pan...@packages.debian.org, Guilhem Moulin
Control: affects -1 + src:pandoc
[ Reason ]
pandoc 2.9.2.1-1 is vulnerable to CVE-2023-35936: Arbitrary file write
3.1.6 release.
+
+ -- Guilhem Moulin Fri, 21 Jul 2023 20:22:42 +0200
+
pandoc (2.17.1.1-1.1) unstable; urgency=low
* Non-maintainer upload.
diff -Nru pandoc-2.17.1.1/debian/patches/CVE-2023-35936.patch
pandoc-2.17.1.1/debian/patches/CVE-2023-35936.patch
--- pandoc-2.17.1.1/debian/patches
On Fri, 30 Jun 2023 at 11:14:35 -0500, Michael Meier wrote:
> I had to edit the file /usr/share/initramfs-tools-hooks so it also copies the
> dss key:
src:dropbear doesn't ship that file, do you mean
/usr/share/initramfs-tools/hooks/dropbear?
> The option DROPBEAR_OPTIONS="-E" should be
in lapi.c. (Closes:
+#920321)
+ * Fix CVE-2020-24370: Segmentation fault in getlocal and setlocal functions
+in ldebug.c. (Closes: #988734)
+
+ -- Guilhem Moulin Thu, 22 Jun 2023 22:03:38 +0200
+
lua5.3 (5.3.3-1.1) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru lua5.3-5.3.3
Hi,
On Sun, 25 Jun 2023 at 21:19:10 +, Bastien Roucariès wrote:
> I found the commit that remove the stack overlfow check line 688
> https://github.com/lua/lua/commit/287b302acb8d925178e9edb800f0a8d18c7d35f6
That also matching my finding from https://bugs.debian.org/1034847#12 .
Asked for
Hi carnil,
On Fri, 23 Jun 2023 at 21:49:21 +0200, Salvatore Bonaccorso wrote:
> thanks for the analysis. I want to point out that it's really
> important to not rely on the POC for making the not-affected
> assessment (and when not confirmed, rather err on the safe side and
> keep something
On Thu, 22 Jun 2023 at 18:08:39 +0200, Guilhem Moulin wrote:
> bullseye
>
>
> $ lua5.1 ./cstack.lua
> testing stack overflow detection
> nesting coroutines running after recoverable errors
> final count:198
>
> $ lua5.2 ./cstack.lua
> te
Hi Moritz,
On Tue, 25 Apr 2023 at 20:58:00 +0200, Moritz Mühlenhoff wrote:
> CVE-2021-43519[0]:
> | Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4
> | allows attackers to perform a Denial of Service via a crafted script
> | file.
While trigaging this for LTS I was unable to
On Tue, 13 Jun 2023 at 20:45:19 -0500, Bryan K. Walton wrote:
> Previous Roundcube version: 1.4.13+dfsg.1-1~deb11u1
> Previous Debian version: 11.7
Which DB backend are you using? I'm unable to reproduce this in a
Bullseye (11.7) VM with roundcube-mysql (the default):
~# apt install -y
Control: tag -1 unreproducible moreinfo
On Tue, 13 Jun 2023 at 16:16:51 -0500, Bryan K. Walton via
Pkg-roundcube-maintainers wrote:
> Today, I tried to upgrade my webserver to Debian 12.0 (bookworm).
> Everything succeeded but Roundcube.
What was the previous Roundcube (and Debian itself)
Control: tag -1 moreinfo unreproducible
Hi,
On Sun, 04 Jun 2023 at 10:41:56 +0200, Georg Gast wrote:
> But dropbear did not start as it was complaining about the missing dss host
> key.
> […]
> If i delete /etc/dropbear/initramfs/dropbear_dss_host_key and generate a new
> one
> dropbearkeygen -t
Control: tag -1 unreproducible
On Wed, 10 Jun 2020 at 23:19:41 +0200, Marco Herrn wrote:
> When writing into a logfile, rainloop writes the passwords of all
> login attempts (successful or not) into the logfile in cleartext.
FWIW I'm not able to reproduce this with the version from Debian buster
On Thu, 11 May 2023 at 18:12:52 +0200, Bastian Blank wrote:
> Nope, not really. Half VG was never a real thing. It might work in
> some cases.
And these use-cases are unbootable since 2.03.15…
> Then, degraded is the default activation mode, so overriding that would
> not be appropriate. But
: Guilhem Moulin
Date: Wed, 10 May 2023 00:42:28 +0200
Subject: udev rules: Try to call activate incomplete VGs at initramfs stage.
The upstream udev rules don't autoactivate LVs residing on incomplete
VGs, see https://bugzilla.redhat.com/show_bug.cgi?id=1337220#c10 .
This change adds new rules to try
Control: tag -1 - unreproducible
Control: reassign -1 lvm2 2.03.15-1
Control: forcemerge 1018730 -1
Control: affects -1 cryptsetup-initramfs
Thanks for the the reproducer! Much appreciated. So the problem is
that your VG spans over multiple PVs, but the LVs that are required at
early boot stage
Control: tag -1 - moreinfo
On Tue, 09 May 2023 at 18:39:33 +0200, Pásztor János wrote:
> I have attached the machine definition and already sent the vm images for
> you (via filesender.hu).
Many thanks! Will have something to put teeth into once the images have
been downloaded :-)
--
Guilhem.
Control: tag -1 + unreproducible moreinfo
On Tue, 09 May 2023 at 17:10:03 +0200, Pásztor János wrote:
> The machine and the disks are having two snapshots named 'good' and 'bad' so
> it is easy to jump between the states.
> I am willing to share with you the VM(disks + virsh dump) via a
Control: tag -1 unreproducible moreinfo
What does `lsinitramfs /initrd.img | grep -e{crypt,lvm}` return (after
removing your hook and rebuilding the initramfs image)? And also
install -m0700 -d /tmp/initramfs
unmkinitramfs /initrd.img /tmp/initramfs
cat
ay be what we
+observe when the server is fast enough, but according to RFC 8555 sec.
+7.1.6 the state actually transitions via "processing" and we need to
+account for that (closes: #1034834).
+ * d/gbp.conf: Set 'debian-branch = debian/bullseye'.
+
+ -- Guilhem Moulin Fri,
"valid". The latter may be what
+we observe when the server is fast enough, but according to RFC 8555
+sec. 7.1.6 the state actually transitions via "processing" state and
+we need to account for that.
+ - Test suite: Point stretch's archive URL to archive.d.o.
+
+
Package: lacme
Version: 0.8.1-1
Severity: important
Control: found -1 0.8.0-2
The lacme client fails to handle "ready" → "processing" → "valid" status
change during newOrder, instead of just "ready" → "valid". The latter
may be what we observe when the server is fast enough, but according to
RFC
200
+++ cryptsetup-2.6.1/debian/changelog 2023-04-21 00:54:29.0 +0200
@@ -1,3 +1,17 @@
+cryptsetup (2:2.6.1-4~deb12u1) bookworm; urgency=medium
+
+ * Rebuild for Bookworm.
+
+ -- Guilhem Moulin Fri, 21 Apr 2023 00:54:29 +0200
+
+cryptsetup (2:2.6.1-4) unstable; urgency=med
1 - 100 of 1049 matches
Mail list logo