Source: beaker
Severity: important
Tags: security
Please see:
https://github.com/bbangert/beaker/issues/191
https://www.openwall.com/lists/oss-security/2020/05/14/11
Cheers,
Moritz
Source: bareos
Severity: grave
Tags: security
CVE-2020-11061:
https://github.com/bareos/bareos/security/advisories/GHSA-mm45-cg35-54j4
CVE-2020-4042
https://github.com/bareos/bareos/security/advisories/GHSA-vqpj-2vhj-h752
Cheers,
Moritz
Source: cmark-gfm
Severity: important
Tags: security
This was assigned CVE-2020-5238
https://github.com/github/cmark-gfm/security/advisories/GHSA-7gc6-9qr5-hc85
https://github.com/github/cmark-gfm/commit/85d895289c5ab67f988ca659493a64abb5fec7b4
Cheers,
Moritz
Source: python-cmarkgfm
Severity: important
Tags: security
This was assigned CVE-2020-5238
https://github.com/github/cmark-gfm/security/advisories/GHSA-7gc6-9qr5-hc85
https://github.com/github/cmark-gfm/commit/85d895289c5ab67f988ca659493a64abb5fec7b4
And python-cmarkgfm seems to embed a copy of
Source: haskell-cmark-gfm
Severity: important
Tags: security
This was assigned CVE-2020-5238
https://github.com/github/cmark-gfm/security/advisories/GHSA-7gc6-9qr5-hc85
https://github.com/github/cmark-gfm/commit/85d895289c5ab67f988ca659493a64abb5fec7b4
And haskell-cmark-gfm seems to embed a copy
Package: r-cran-commonmark
Severity: important
Tags: security
This was assigned CVE-2020-5238
https://github.com/github/cmark-gfm/security/advisories/GHSA-7gc6-9qr5-hc85
https://github.com/github/cmark-gfm/commit/85d895289c5ab67f988ca659493a64abb5fec7b4
And r-cran-commonmark seems to embed a
Package: ruby-commonmarker
Severity: important
Tags: security
This was assigned CVE-2020-5238
https://github.com/github/cmark-gfm/security/advisories/GHSA-7gc6-9qr5-hc85
https://github.com/github/cmark-gfm/commit/85d895289c5ab67f988ca659493a64abb5fec7b4
And ruby-commonmarker seems to embed a
Source: qemu
Severity: important
Tags: security
From oss-security:
---
A use-after-free issue was found in the INTEL 82574 NIC (e1000e) emulator of
the QEMU. It could occur while sending packets if the guest user set the
Source: openldap
Severity: important
Tags: security
Hi,
CVE-2020-15719 was assigned to an issue in OpenLDAP found by Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?id=1740070
The underlying OpenLDAP bug is restricted, though:
https://bugs.openldap.org/show_bug.cgi?id=9266
The patch applied
Package: bcftools
Severity: normal
bcftools suggests python, python-numpy, python-matplotlib
python-matplotlib is already gone from the archive, python-numpy will be very soon
and eventually python as well. The 1.7 release notes mention "Improve python3
compatibility in plotting scripts", so
@@ -1,3 +1,9 @@
+transmission (2.94-2+deb10u1) buster; urgency=medium
+
+ * CVE-2018-10756 (Closes: #961461)
+
+ -- Moritz Muehlenhoff Fri, 29 May 2020 00:05:53 +0200
+
transmission (2.94-2) unstable; urgency=medium
[ Ondřej Nový ]
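Review bot: the new entry's only changelog line, `* CVE-2018-10756 (Closes: #961461)`, gives the identifier and bug number but says nothing about what was fixed; Debian stable security uploads normally carry a short summary on that line (for example `* CVE-2018-10756: <one-line summary of the issue> (Closes: #961461)`) so that readers of `apt changelog` can see the nature of the fix without looking the CVE up. The patch added under debian/patches/CVE-2018-10756 in the same upload is the natural place to take that summary from.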
diff -Nru transmission-2.94/debian/patches/CVE-2018-10756
Package: ftp.debian.org
Severity: normal
Please remove opensvc. It's orphaned without an adopter since half a year,
virtually unused per popcon, has multiple RC bugs and the last upload was
in 2017.
Cheers,
Moritz
+deb10u1) buster; urgency=medium
+
+ * CVE-2020-11736 (Closes: #956638)
+
+ -- Moritz Muehlenhoff Wed, 08 Jul 2020 20:12:00 +0200
+
file-roller (3.30.1-2) unstable; urgency=medium
* Restore -Wl,-O1 to our LDFLAGS
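Review bot: the entry's single line `* CVE-2020-11736 (Closes: #956638)` gives no description of the issue that debian/patches/02_CVE-2020-11736.patch addresses; the previous entry in the same file (`* Restore -Wl,-O1 to our LDFLAGS`) shows the expected style of saying what changed, so add a matching one-line summary after the CVE identifier.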
diff -Nru file-roller-3.30.1/debian/patches/02_CVE-2020-11736.patch
file-roller
Package: crispy-doom
Version: 5.8.0-2
Severity: important
Tags: security
(Obviously you're aware, but filing a bug to keep track in the BTS nonetheless):
CVE-2020-14983 also affects crispy-doom:
https://github.com/fabiangreffrath/crispy-doom/commit/8b6cfbfc6c934923b3c2c16e5e7e5a74d5d238e1
On Tue, Jul 07, 2020 at 10:56:18PM +0200, Hans van Kranenburg wrote:
> Additional To: t...@security.debian.org
>
> Hi Security team,
>
> After our last security update, which was
> 4.11.3+24-g14b62ab3e5-1~deb10u1, we found out that there is a bugfix to
> be done to help users upgrade from Buster
Source: ganglia
Severity: serious
Should ganglia be removed? It's dead upstream (last commits from over three
years ago, last release from 2015), is now orphaned (last active maintainer is
no longer a DD, but wasn't very actively maintained to begin with, the current
packaged version is from
Package: ftp.debian.org
Severity: normal
Please remove purity-ng. It depends on Python 2, is dead upstream (last commit
from 2011) and the last maintainer upload was in 2012.
Cheers,
Moritz
Source: ntpsec
Severity: important
Tags: security
This was assigned CVE-2020-13817 for ntp.org:
http://support.ntp.org/bin/view/Main/NtpBug3596
https://bugs.ntp.org/show_bug.cgi?id=3596
http://bk.ntp.org/ntp-stable/?PAGE=patch=5e312021VVVkyioYBR_aeIP1LqMCVg
Source: hylafax
Severity: important
Tags: security
Please see
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15396
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15397
Cheers,
Moritz
Source: freedroidrpg
Severity: important
Tags: security
Please see
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14938
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14939
Cheers,
Moritz
Source: guacamole-client
Severity: grave
Tags: security
Please see
https://www.openwall.com/lists/oss-security/2020/07/02/3
https://www.openwall.com/lists/oss-security/2020/07/02/2
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove qpid-qmf. It depends on Python 2 and there are no reverse
deps (related to 938314).
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove python-pychart. It depends on Python 2, there are no reverse deps,
it's dead upstream and the last maintainer upload was in 2009.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove pynifti. It depends on Python 2 and has been replaced
by nibabel. Acked by one of the maintainers in #937490
Cheers,
Moritz
On Tue, Jun 30, 2020 at 07:07:50PM +0200, Michael Biebl wrote:
> Am 30.06.20 um 11:20 schrieb Niels Thykier:
> > What about removal; is there any
> > action to be done for locking the users?
>
> Good question. Afaics there are no provisions in systemd-sysusers to
> remove users again.
Indeed.
>
Source: libemf
Severity: important
Tags: security
Please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13999
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove util-vserver. It depends on Python 2, is unmaintained (last
maintainer upload in 2015), Debian hasn't shipped the vserver patch for ages
and current upstream kernel support is only available for 4.9.x.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove doxypy. It depends on Python 2 and there was just
a single maintainer upload a decade ago (followed by an NMU
in 2015) and there are no reverse deps.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove desktopnova. It's dead upstream (last commit in 2011),
unmaintained (last maintainer upload in 2011), depends on outdated libs, is
incompatible with Gnome 3 (and missed Buster already) and depends on Python 2.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove opensips. It depends on Python 2, is unmaintained
(no activity since 2016) and was already dropped from Buster.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove snetz. It's dead upstream (last release in 2012), depends on
Python 2 and the last and only upload was in 2014.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove woof. It depends on Python 2, is dead upstream and the last
maintainer upload was in 2011.
Cheers,
Moritz
Source: golang-github-henrydcase-nobs
Severity: serious
Tags: sid bullseye
User: debian-pyt...@lists.debian.org
Usertags: py2removal
Python2 becomes end-of-life upstream, and Debian aims to remove
Python2 from the distribution, as discussed in
Package: ftp.debian.org
Severity: normal
Please remove gnome-doc-utils. There are seven reverse dependencies left in
unstable at this point (gconf-editor, gnome-chemistry-utils, viking, xiphos,
florence and mp3splt), but they are all dropped from testing for > two
months and have RC bugs already.
Package: ftp.debian.org
Severity: normal
Please remove rust-python27-sys. It's Python 2-specific and there are
no reverse deps. Acked by Sylvestre (CCed) in #938423.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove pysycache. It's dead upstream, unmaintained (last maintainer
upload in 2010) and depends on Python 2.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove pymvpa2. It depends on Python 2 and the maintainer/upstream
(CCed) agreed to remove it until it's ported at a later point.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove qmail-tools, qmail was recently removed from the archive, so this
can go as well. Plus, it depends on Python 2.
Cheers,
Moritz
On Sun, Jun 14, 2020 at 11:23:41PM +0200, Felix Geyer wrote:
> Hi security team / maintainers,
>
> On Wed, 03 Jun 2020 20:58:53 +0200 Salvatore Bonaccorso
> wrote:
> > Source: docker.io
> > Version: 19.03.7+dfsg1-3
> > Severity: important
> > Tags: security upstream
> >
> > Hi,
> >
> > The
Package: ftp.debian.org
Severity: normal
Please remove virt-goodies. It depends on Python 2, is dead upstream and the
last maintainer upload was in 2013.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove denyhosts. It was originally removed back in 2014
for security issues and then eventually re-uploaded in 2015.
However, since then there have been no further uploads, it
depends on Py2 and the question of security support is still
unresolved
On Fri, Jun 12, 2020 at 08:53:35AM +0200, Jonas Smedegaard wrote:
> Quoting Salvatore Bonaccorso (2020-06-11 22:54:43)
> > On Sun, Dec 08, 2019 at 02:09:10PM +0100, Jonas Smedegaard wrote:
> > > Upstream releases are to be considered draft snapshots,
> > > and this package is therefore unsuitable
Package: ftp.debian.org
Severity: normal
Please remove python-cyclone. It depends on Python 2, there are no remaining
rdeps
and the last upload was in 2015.
Cheers,
Moritz
rver-sig-algs, this led to SHA2 RSA
+signature methods being excluded
+
+ -- Moritz Muehlenhoff Thu, 04 Jun 2020 14:45:31 +
+
openssh (1:7.4p1-10+deb9u7) stretch; urgency=medium
* Fix deadlock when the keys/principals command produces a lot of
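Review bot: the visible lines of the new changelog entry describe the effect being fixed (`signature methods being excluded` after the server-sig-algs change) but, unlike the other stable-update entries on this page, no CVE or `(Closes: #...)` reference appears in the lines shown; if the entry's truncated first line does not already carry one, add the Debian bug or upstream reference so the regression fix can be traced.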
diff -Nru openssh-7.4p1/debian/patches
Source: fwupd
Severity: grave
Tags: security
https://github.com/justinsteven/advisories/blob/master/2020_fwupd_dangling_s3_bucket_and_CVE-2020-10759_signature_verification_bypass.md
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove mysql-utilities. It's orphaned since 2018 without an adopter,
end-of-lifed by Oracle (877856), RC-buggy since 2017 and depends on Python 2,
which won't get fixed due to it being EOLed.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove pymtbl, it depends on Python 2, there are no reverse
deps and there's no upstream movement towards a Py3 port. Acked
by the maintainer in #937483.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove python-sqlite. It depends on Python 2, it's
obsolete and dead upstream (removal has also been suggested
by the maintainer in #938192)
Cheers,
Moritz
Package: debhelper
Severity: wishlist
It would be great if debhelper would support adding system users via
systemd-sysusers in a simple, DRY-avoiding manner. System users seem like a
common enough feature to be part of standard debhelper I suppose.
A system user is defined in a short config
Package: ftp.debian.org
Severity: normal
Please remove python-fcgi. It's dead upstream, depends on Python 2 and
there are no reverse deps.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove python-pysqlite2. It's obsolete with Python 3 (sqlite3
module from the standard lib). There's one remaining reverse dependency
(mysql-workbench), but please force the removal: mysql-workbench is
already affected by a bunch of other
Source: django-js-reverse
Severity: serious
phantomjs is being removed (962061), but django-js-reverse currently
build-depends on it.
It doesn't actually appear to be used anyway:
| override_dh_auto_test:
|	echo "tests require phantomjs harness which setup.py does not start"
Cheers,
Package: ftp.debian.org
Severity: normal
Please remove nfqueue-bindings. Upstream has vanished, it FTBFSes for almost
two years, there was no reaction to any of the RC bugs and the last maintainer
upload was in 2016.
Cheers,
Moritz
Source: libexif
Severity: important
Tags: security
Similar to CVE-2020-0198, another issue reported/fixed in Android, but not
applied upstream:
https://android.googlesource.com/platform/external/libexif/+/f6c54954cbfc25eb73d2d2902f0597c0220174a4
Cheers,
Moritz
Source: libexif
Severity: important
The latest Android security bulletin for Pixel phones included a patch for
libexif, which was assigned CVE-2020-0198:
https://android.googlesource.com/platform/external/libexif/+/1e187b62682ffab5003c702657d6d725b4278f16
The patch in their repo is from March,
Package: ftp.debian.org
Severity: normal
Please remove phantomjs. It depends on Python 2, is orphaned since 2017 without
an adopter. Plus, it depends on qtwebkit, which isn't covered by security support.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove pybloomfiltermmap. It depends on Python 2 and is dead upstream.
There are no reverse deps and the last maintainer upload was in 2013.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove iptables-optimizer. It depends on Python 2, the last upload was in
2016 (and so were the last upstream commits, the maintainer is also upstream)
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove filemanager-actions. It was just a single upload
and there has been zero reaction to the license bug (922129)
since 15 months.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove libusbtc08. It FTBFSes for over four years (811980) and current
releases no longer ship the source.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove xenomai. It's orphaned without an adopter since 2016, only
provides patches for vintage kernels (925453) and depends on removed
kernel-package (925451). It also missed the last two stable releases
already.
Cheers,
Moritz
Source: ntpsec
Severity: normal
Tags: security
There was a "new" CVE assignment for ntp (2018 ID, but appeared today):
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8956
Does this affect ntpsec?
And congrats to becoming a DD :-)
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove yagtd. It depends on Python 2, is dead upstream (homepage
vanished along with gna.org) and the last maintainer upload was in 2011.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove termsaver. It depends on Python 2 and no port to Python 3
is planned (https://github.com/brunobraga/termsaver/issues/34), the
last upload was in 2014.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove kmodpy. It depends on Python 2, there are no reverse deps and
the last maintainer upload was in 2015.
Cheers,
Moritz
Source: glibc
Severity: important
Please see
https://sourceware.org/bugzilla/show_bug.cgi?id=25620
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1019
Cheers,
Moritz
Source: qemu
Severity: normal
Tags: security
This was originally reported in Red Hat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1808510
https://bugzilla.redhat.com/show_bug.cgi?id=1786026
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove qmail from the archive. We'll keep it updated in stable until
Buster is EOLed, but it should not be part of the next stable release.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove pyst. It's dead upstream, depends on Python 2 and there
are no reverse deps. (Acked by Apollon on IRC)
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove pycaml. It depends on Python 2 and has been replaced
by pyml. There are no reverse deps and removal was acked by Stéphane
Glondu in #937400.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove binplist. It depends on Python 2, is dead upstream and there are
no rev deps in the archive. Acked by Raphael and Hilko in #936206.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove flask-oldsessions. It's an old compat package, depends on Python 2
and is dead upstream. Its last reverse dep (sagenb) has been removed in the
meantime.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove python-pyxenstore. It depends on Python 2, is dead
upstream and there are no reverse deps. Acked by the maintainer
in 938108.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove pybitcointools. It's abandoned upstream (#937391), depends on
Python 2 and there was just a single upload back in 2017.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove tcpwatch-httpproxy. It depends on Python 2 and is dead upstream.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove python-halberd. It depends on Python 2 and is dead upstream.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove spdylay. It's orphaned and obsolete (the experimental SPDY protocol
eventually got superseded by HTTP2).
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove ropemode. It depends on Python 2, is orphaned without
an adopter since nine months and there are no reverse deps.
Cheers,
Moritz
On Tue, May 05, 2020 at 11:04:13AM +0200, François Lafont wrote:
> Hi,
>
> On 5/4/20 10:54 PM, Mühlenhoff wrote:
>
> > Can you please file a removal bug (reportbug ftp.debian.org), then? It can
> > still be reintroduced when ported to Python 3 at some point.
>
> Currently I
Package: ftp.debian.org
Severity: normal
Please remove spikeproxy. It depends on Python 2, is dead upstream and the
last maintainer upload was in 2006.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove telepathy-python. It's dead upstream (last commit in 2010)
and was not ported to Python 3.
There's one remaining rdep (python-jarabe from src:sugar), but please
force this one through; src:sugar has been dropped from testing for over
half a
Package: ftp.debian.org
Severity: normal
Please remove seekwatcher. It depends on Python 2 and is dead upstream,
acked by the maintainer (CCed).
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove reclass. It depends on Python 2, no port to Py3
is planned (#938340) and there are no remaining rdeps.
Cheers,
Moritz
Package: systemd
Severity: wishlist
The default config in adduser configures
FIRST_SYSTEM_UID=100
LAST_SYSTEM_UID=999
FIRST_SYSTEM_GID=100
LAST_SYSTEM_GID=999
I'm wondering if systemd by default should ship
r -100-999
somewhere in /usr/lib/sysusers.d to mimic that default as well.
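The debhelper wishlist above ("A system user is defined in a short config") and this systemd report both turn on the sysusers.d line format and on the system UID range that adduser's FIRST_SYSTEM_UID/LAST_SYSTEM_UID defaults express and that an "r" line would express for systemd-sysusers. As an added example that is not part of either bug report and is not systemd, adduser or debhelper code, the Python below converts the adduser defaults into the equivalent "r" line, parses "u" and "r" lines from a sysusers.d fragment (accepting both the documented "r - 100-999" spelling and the "r -100-999" spelling in the report), and checks every user's UID against the declared range. The sample fragment, the account names _hypodaemon and _fixed, and the set of "already used" UIDs are constructed for the example; the allocation policy (lowest free id in range) is this example's own and is not a statement about how systemd-sysusers picks ids.

```python
"""Added example: parse sysusers.d(5) 'u' and 'r' lines and check UIDs
against the declared system range.  Not systemd, adduser or debhelper code;
the allocation policy below (lowest free id in range) is this example's own."""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class IdRange:
    lo: int
    hi: int

    def contains(self, n: int) -> bool:
        return self.lo <= n <= self.hi


@dataclass
class UserSpec:
    name: str
    uid: Optional[int]  # None means "let the tool pick an id"


def adduser_range_line(adduser_conf: str) -> str:
    """Turn adduser.conf FIRST_SYSTEM_UID/LAST_SYSTEM_UID into the
    equivalent sysusers.d 'r' line, as the report proposes."""
    vals: Dict[str, int] = {}
    for raw in adduser_conf.splitlines():
        key, _, value = raw.strip().partition("=")
        if key in ("FIRST_SYSTEM_UID", "LAST_SYSTEM_UID"):
            vals[key] = int(value)
    return f"r - {vals['FIRST_SYSTEM_UID']}-{vals['LAST_SYSTEM_UID']}"


def parse_sysusers(text: str) -> Tuple[List[UserSpec], List[IdRange]]:
    """Collect 'u' (user) and 'r' (range) lines; 'g'/'m' lines are skipped."""
    users: List[UserSpec] = []
    ranges: List[IdRange] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # handles the quoted GECOS column
        kind = fields[0]
        if kind == "r":
            # sysusers.d(5) writes "r - 100-999"; also accept "r -100-999"
            # as it appears in the report (name column fused to the range).
            spec = fields[2] if len(fields) > 2 else fields[1].lstrip("-")
            lo, _, hi = spec.partition("-")
            ranges.append(IdRange(int(lo), int(hi or lo)))
        elif kind == "u":
            idspec = fields[2] if len(fields) > 2 else "-"
            # "-" asks for allocation; "321" or "321:321" fixes the uid.
            uid = None if idspec == "-" else int(idspec.split(":")[0])
            users.append(UserSpec(fields[1], uid))
    return users, ranges


def allocate_uid(taken: Set[int], ranges: List[IdRange]) -> int:
    """Lowest free id inside the declared ranges (example policy only)."""
    for r in sorted(ranges, key=lambda r: r.lo):
        for n in range(r.lo, r.hi + 1):
            if n not in taken:
                return n
    raise RuntimeError("no free system uid left in the declared ranges")


def check_specs(text: str, existing: Set[int]) -> Dict[str, int]:
    """Resolve every 'u' line to a uid, refusing fixed ids that fall
    outside the 'r' ranges or collide with an already used id."""
    users, ranges = parse_sysusers(text)
    if not ranges:
        raise ValueError("no 'r' line: system uid range is not declared")
    taken = set(existing)
    resolved: Dict[str, int] = {}
    for u in users:
        uid = allocate_uid(taken, ranges) if u.uid is None else u.uid
        if not any(r.contains(uid) for r in ranges):
            raise ValueError(f"{u.name}: uid {uid} is outside the system range")
        if uid in taken:
            raise ValueError(f"{u.name}: uid {uid} is already in use")
        taken.add(uid)
        resolved[u.name] = uid
    return resolved


def rejects(text: str, existing: Set[int]) -> bool:
    """True when check_specs refuses the fragment (used to show the failure cases)."""
    try:
        check_specs(text, existing)
    except ValueError:
        return True
    return False


# Constructed sample input (not a file shipped by systemd, adduser or Debian).
ADDUSER_DEFAULTS = ("FIRST_SYSTEM_UID=100\nLAST_SYSTEM_UID=999\n"
                    "FIRST_SYSTEM_GID=100\nLAST_SYSTEM_GID=999\n")
SAMPLE_CONF = (adduser_range_line(ADDUSER_DEFAULTS) + "\n"
               + 'u _hypodaemon - "hypothetical service account" /var/lib/hypodaemon\n'
               + 'u _fixed 321 "hypothetical service with a fixed uid"\n')
EXISTING_UIDS = {100, 101, 102}  # pretend these are already in /etc/passwd

if __name__ == "__main__":
    print(check_specs(SAMPLE_CONF, EXISTING_UIDS))  # {'_hypodaemon': 103, '_fixed': 321}
```

Running the module resolves _hypodaemon to 103 (the first id above the constructed "used" set within 100-999) and keeps _fixed at 321; a fixed uid of 1000, or a fragment with no "r" line at all, is refused, which is the situation the report is concerned about when systemd's default range and adduser's do not agree.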
On Thu, Apr 30, 2020 at 03:06:57PM -0400, Yaroslav Halchenko wrote:
>
> On Thu, 30 Apr 2020, Moritz Mühlenhoff wrote:
>
> > On Fri, Aug 30, 2019 at 07:33:35AM +, Matthias Klose wrote:
> > > Package: src:pyepl
> > > Version: 1.1.0+git12-g365f8e3-3
> > > Severity: normal
> > > Tags: sid
Package: ftp.debian.org
Severity: normal
Please remove pymtp. It depends on Python 2, is dead upstream and there
are no remaining rdeps.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove keysync. It depends on Python 2 and is dead upstream.
Acked by the maintainer in #936790.
Cheers,
Moritz
On Tue, Apr 28, 2020 at 08:57:39PM -0400, Nicholas D Steeves wrote:
> Control: tag -1 upstream
>
> Hi Moritz,
>
> Moritz Muehlenhoff writes:
>
> > Source: puppet-mode
> > Version: 0.4-1
> > Severity: minor
> >
> > The short description cu
Package: ftp.debian.org
Severity: normal
Please remove nflog-bindings. It's RC-buggy and dropped from
testing for almost 20 months and the last maintainer upload
was in 2012.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove python-jsonrpclib. It depends on Python 2, is dead upstream (no
commits for four years, no followup on
https://github.com/joshmarshall/jsonrpclib/issues/58) and there are no
remaining reverse dependencies.
Cheers,
Moritz
Source: duo-unix
Severity: normal
Tags: security
duo-unix seems to embed a copy of bson, which is affected by
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12135
Nothing inside duo-unix seems to call bson_ensure_space(), but
it probably still makes sense for upstream to update the
Source: puppet-mode
Version: 0.4-1
Severity: minor
The short description currently reads "major mode for Puppet 3 manifests in
Emacs", which sounds as if the support were limited to older Puppet versions,
let's simply use "major mode for Puppet manifests in Emacs"? After all the mode
supports
Package: ftp.debian.org
Severity: normal
Please remove python-gd. It depends on Python 2, is dead upstream and
there are no reverse dependencies left.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove synopsis. It depends on Python 2 and is dead upstream (last
release from 2010).
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove python-kid. It depends on Python 2, is dead upstream and there
are no remaining rdeps.
Cheers,
Moritz
Source: tilix
Severity: normal
tilix suggests python-nautilus for the shipped Nautilus extension.
The python-nautilus source package dropped the Python 2 package, so
either the Suggests: should point to python3-nautilus (if the extension
is Py3 compatible) or the Suggests: and the extension
Package: kdeconnect
Severity: normal
kdeconnect suggests python-nautilus for the shipped Nautilus extension.
The python-nautilus source package dropped the Python 2 package, so
either the Suggests: should point to python3-nautilus (if the extension
is Py3 compatible) or the Suggests: and the
Package: ftp.debian.org
Severity: normal
Please remove pytracer. It depends on Python 2, is dead upstream (last commit
from 2013), there are no reverse deps and the last maintainer upload was in 2010.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove moosic. It depends on Python 2, is dead upstream (last release in
2011) and the last upload was in 2011.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove pylirc. It depends on Python 2, there are no reverse deps and
the last maintainer upload was in 2011.
Cheers,
Moritz