Hello,
Le 2024-05-17 à 16 h 38, Santiago Vila a écrit :
Package: src:libevent
Version: 2.1.12-stable-8.1
Severity: serious
Tags: ftbfs
Dear maintainer:
During a rebuild of all packages in unstable, your package failed to build:
[...]
dpkg-gensymbols: error: some symbols or patterns
Le 2024-04-22 à 13 h 08, Jonathan Wiltshire a écrit :
Please go ahead.
Thanks, it's uploaded
Hello,
I took over the package for libevent and I'm wondering if this bug is
still relevant.
The bug hasn't received any update for more than 12 years so it may be
outdated now.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=632490
/Nicolas
Hello,
I'm digging up old bugs on this package to clear them if possible.
This one looks not relevant anymore:
- it's about an old version
- the last message was over 13 years ago
Unless someone objects, I'll simply close it in the next days/weeks
Le 2024-04-06 à 18 h 38, Jonathan Wiltshire a écrit :
Sorry for the delay; please go ahead.
Thanks, it's uploaded!
/Nicolas
Hello,
On Sat, 30 Mar 2024 09:55:07 +0100 Mattias Ellert
wrote:
The package fails to build on hurd due to the use of MAXPATHLEN:
session_fixture.c:231:36: error: ‘MAXPATHLEN’ undeclared (first use in
this function)
231 | static char filepath[NUMPATHS][MAXPATHLEN];
|
@@ -1,3 +1,12 @@
+glewlwyd (2.7.5-3+deb12u1) bookworm; urgency=medium
+
+ * d/patches: Fix CVE-2023-49208
+possible buffer overflow during FIDO2 credentials validation
+ * d/patches: Fix CVE-2024-25715
+open redirection via redirect_uri
+
+ -- Nicolas Mora Thu, 23 Nov 2023 17:12:13 -0500
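Review bot: the trailer line is dated Thu, 23 Nov 2023, but the same entry lists a fix for CVE-2024-25715, an identifier from 2024, so the timestamp predates one of the changes it describes. Refresh the trailer when finalising the upload (for example with `dch -r`) so the changelog date matches the content of the entry.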
Control: tag +1 moreinfo
Thanks,
Control: tag -1 moreinfo
Thanks,
Control: tag - moreinfo
Thanks,
Sorry, it seems that I'm not very well aware of the BTS process,
according to [1] this is how I should untag the bug.
[1] https://www.debian.org/Bugs/server-control
Hello,
Le 2024-01-07 à 10 h 42, Gioele Barabucci a écrit :
libopenzwave1.6 currently installs 1489 in /etc, including 635 PNG
images, 9 JPEG images, and 1 Zip file.
These files are obviously not conffiles but are treated as such.
Could they be moved under /usr, for example under
Hello,
I've uploaded a new package with the patch for unstable, instead of waiting for
the new upstream release. I didn't want the holidays and the new release
process to delay the fix too much...
Hello,
On Tue, 14 Dec 2021 11:53:15 -0500 Nicolas Mora
wrote:
Hello,
I've been investigating with your calendar file using libical3 on
korganizer and I've found out that libical3.10 and libical3.12 are
correctly importing your file, when libical3.11 doesn't, so I'm guessing
your problem
:07.0 -0500
@@ -1,3 +1,10 @@
+libssh2 (1.9.0-2+deb11u1) bullseye; urgency=medium
+
+ * Fix CVE-2020-22218: missing check in _libssh2_packet_add() allows
+attackers to access out of bounds memory.
+
+ -- Nicolas Mora Wed, 29 Nov 2023 07:00:07 -0500
+
libssh2 (1.9.0-2) unstable; urgency
Hello,
Le 2023-12-19 à 15 h 13, Salvatore Bonaccorso a écrit :
I'll prepare a fix for unstable then, thanks!
Looking from the commit activity in the upstream repository and last
commits touching the release notes I guess upstream is finalizing a
new release? If so it might be worth to just
Hello,
Le 2023-12-19 à 14 h 32, Salvatore Bonaccorso a écrit :
It's not the same version :).
bookworm has 0.10.0 based version, whereas in testing and above we have
1.11.0 based one. For bookworm and older there is no ChaCha20-Poly1305
and CBC-EtM support, which was only introduced after the
Hello, thanks for the notification!
Le 2023-12-19 à 03 h 26, Salvatore Bonaccorso a écrit :
Source: libssh2
Version: 1.11.0-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/libssh2/libssh2/issues/1290
X-Debbugs-Cc: car...@debian.org, Debian Security Team
I've
Hello Bernhard,
On Thu, 28 Apr 2022 14:59:20 +0200 Bernhard Übelacker
wrote:
Dear Maintainer,
this crash looks like it happens with a raspberry pi 2 or 3,
running some official 32-Bit raspios image, at least the referenced
libavcodec58 version seems to from here [1].
I
) bullseye; urgency=medium
+
+ * d/patches: Fix CVE-2020-22218
+
+ -- Nicolas Mora Wed, 29 Nov 2023 07:00:07 -0500
+
libssh2 (1.9.0-2) unstable; urgency=medium
* d/control: Fix VCS URIs
diff -Nru libssh2-1.9.0/debian/patches/CVE-2020-22218.patch
libssh2-1.9.0/debian/patches/CVE-2020-22218.patch
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libs...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:libssh2
[ Reason ]
Fix CVE-2020-22218
: Fix CVE-2023-49208:
+ possible buffer overflow during FIDO2 signature validation
+ in webauthn registration
+
+ -- Nicolas Mora Fri, 24 Nov 2023 08:15:30 -0500
+
glewlwyd (2.5.2-2+deb11u2) bullseye; urgency=medium
* d/patches: Fix possible privilege escalation (Closes: #1001849)
diff
registration
+
+ -- Nicolas Mora Fri, 24 Nov 2023 08:15:30 -0500
+
glewlwyd (2.5.2-2+deb11u2) bullseye; urgency=medium
* d/patches: Fix possible privilege escalation (Closes: #1001849)
diff -Nru glewlwyd-2.5.2/debian/control glewlwyd-2.5.2/debian/control
--- glewlwyd-2.5.2/debian/control
Le 2023-11-26 à 12 h 05, Samuel Thibault a écrit :
Once glibc 2.38 enters testing, that makes sense indeed. But don't hold
your breath :)
That's ok, I can hold my breath for a long time, I'm half-frog! ;)
/CVE-2023-49208.patch 1969-12-31 19:00:00.0 -0500
+++ glewlwyd-2.7.5/debian/patches/CVE-2023-49208.patch 2023-11-23 17:12:13.0 -0500
@@ -0,0 +1,21 @@
+Description: Fix CVE-2023-49208 for bookworm
+Author: Nicolas Mora
+Forwarded: not-needed
+--- a/src/scheme/webauthn.c
b/src
Hello,
Thanks for the patch!
However, I'm wondering if the fix is required when the package will be
re-uploaded to unstable, because the Build-Depends to libc6-dev was
added to check the build against glibc 2.38 (#1043108)
When glibc 2.38 will be uploaded to unstable, I expect do the same
Hello,
I've forwarded the bug upstream [1] and they made a patch [2].
Can you test their patch on your package, to check if the problem is
fixed on your CI?
Also, if this works, I suggest to apply their patch rather than yours to
make the code more consistent with upstream, do you agree?
Le 2023-11-23 à 11 h 20, Steve McIntyre a écrit :
AFAICS in a non-interactive environment, USER isn't required to be set
but LOGNAME is; see
https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html
Alternatively, the tests should probably be calling get(e)uid and
getpwent()
Le 2023-11-23 à 09 h 46, Steve McIntyre a écrit :
Ah, apologies - that version is bogus, it's just the version on the
bullseye machine I ran reportbug from.
The tests are failing on current unstable source.
OK, makes more sense then.
Nevertheless I'm wondering about the seriousness of the
Hello,
On Tue, 21 Nov 2023 13:30:31 + Steve McIntyre wrote:
Source: libssh2
Version: 1.9.0-2
Severity: serious
Tags: ftbfs patch
Hi!
Building libssh2 using debuild in a clean local chroot, I get test
failures and even a core dump!
Thanks for reporting the bug, although I have concerns
Hello,
On Mon, 4 Sep 2023 13:55:51 -0400 Nicolas Mora
wrote:
> Is this problem still relevant for libgdbm as we have a trap divide
> error that should not happen no matter what? Or should I open a ticket
> at libpam-shield so the problem (and the solution) is document
Le 2023-09-08 à 02 h 51, Samuel Thibault a écrit :
is the only exposure, and that file is not installed, so there is no way
for another package to produce a reference to it. I did check on the
archive in the amd64 case, no package does.
Thanks, that's indeed not possible to use.
That being
Hello,
Le 2023-09-07 12:05, Shengjing Zhu a écrit :
I don't understand why it's safe to drop this symbol.
I think the bug is same as https://bugs.debian.org/1023284, which needs
workaround to keep the exported symbol with new glibc.
According to libevent's source code, the function
Hello Christopher,
Le 2023-09-04 à 04 h 09, Christopher Voglstätter a écrit :
PAM-shield uses a database file that I migrated from debian 10 to debian
12 in one big double upgrade.
For testing purposes I deleted that database file, created an empty file
instead and the trap divide error
Hello,
On Fri, 01 Sep 2023 11:13:22 +0200 Schnitzi
wrote:
Journal-Output:
Aug 31 18:02:34 xyz dovecot[2451]: auth: Error: auth-worker: Aborted PASSV
request for x...@xyz.xyz: Worker process died unexpectedly
Aug 31 18:02:34 xyz dovecot[2451]: auth-worker: Fatal: master:
Hello,
On Fri, 4 Aug 2023 15:59:00 +0200 Marc Schaefer
wrote:
Package: libgdbm6
Version: 1.19-2
Severity: important
[...]
I just migrated from buster to bullseye and it no longer works at all. The
script never complete opening of the DBMs, and uses insanely huge amount of
memory (not only
; urgency=medium
+
+ * Install config.json as config-2.7.json (Closes: #1035503)
+ * d/glewlwyd-debian.conf.properties: disable user_middleware_module_path
+
+ -- Nicolas Mora Thu, 04 May 2023 07:21:27 -0400
+
glewlwyd (2.7.5-2) unstable; urgency=medium
* d/control: add adduser as glewlwyd
+
+ -- Nicolas Mora Thu, 04 May 2023 07:21:27 -0400
+
glewlwyd (2.7.5-2) unstable; urgency=medium
* d/control: add adduser as glewlwyd package dependency, fix piuparts issue
diff -Nru glewlwyd-2.7.5/debian/glewlwyd-common.install
glewlwyd-2.7.5/debian/glewlwyd-common.install
--- glewlwyd-2.7.5
Hello,
Le 2023-05-06 à 06 h 31, Thorsten Alteholz a écrit :
Maybe introducing a new filename and adding an entry to the news file
could be an option.
Indeed, config.json is installed by glewlwyd-common [1], and since
bullseye, the file has changed to add new properties.
I guess a better
Hello,
I'm having a hard time fixing this issue.
I've read [1] and related documentation, and I still can't make anything work.
For some reason, the commands I add in the glewlwyd-common package seem
not to be executed when I upgrade from bullseye to bookworm and I can't
figure out why...
- I've
Hello,
I recently took over maintenance for the package motion in Debian.
This bug is quite old and related to old version of motion. Since it
hasn't got any update since 2013, I have the sensation it can be closed.
I'll wait a little bit for a feedback before closing it.
/Nicolas
Hello,
I recently took over maintenance for the package motion in Debian.
This bug is quite old and related to old version of motion. Since it
hasn't got any update since 2012, I have the sensation it can be closed.
I'll wait a little bit for a feedback before closing it.
/Nicolas
Hello,
I recently took over maintenance for the package motion in Debian.
This bug is quite old and related to old version of motion. Since it
hasn't got any update since 2010, I have the sensation it can be closed.
I'll wait a little bit for a feedback before closing it.
/Nicolas
Hello,
I recently took over maintenance for the package motion in Debian.
This bug is quite old and related to old version of motion and libav.
Since it hasn't got any update since 2009, I have the sensation it can
be closed.
I'll wait a little bit for a feedback before closing it.
+implemtation of arc4random, thanks z...@debian.org!
+(Closes: #1023284)
+ * d/control: upgrade Standards-Version to 4.6.2
+ * d/copyright: update year to 2023
+
+ -- Nicolas Mora Wed, 04 Jan 2023 15:28:26 -0500
+
+libevent (2.1.12-stable-7) experimental; urgency=medium
+
+ * d/control
Hello,
The patch was submitted upstream for their feedback [1], and was finally
agreed. So I will upload a new package very soon then.
/Nicolas
[1] https://github.com/libevent/libevent/issues/1393#issuecomment-1453924054
On Mon, 30 Jan 2023 23:26:09 -0700 MrDave wrote:
Package: wnpp
Severity: wishlist
* Package name: Motion
Version : 4.3.2
Upstream Author : MrDave
* URL :https://motion-project.github.io/
* License : GPL
Programming Lang: C
Description : Security
Hello,
I opened an issue upstream [1] to ask for feedback. Azat suggests to
change the function signature from
void evutil_secure_rng_add_bytes(const char *buf, size_t n);
to:
int evutil_secure_rng_add_bytes(const char *buf, size_t n)
and make evutil_secure_rng_add_bytes to return -1, to
Hello all,
I'm forwarding my questions and thoughts about this patch.
Le 2023-01-04 à 11 h 39, Shengjing Zhu a écrit :
So just make evutil_secure_rng_add_bytes noop with glibc's implementation of
arc4random. Please see following patch.
In the libevent repo, azat mentions that nooping
Hello,
Le 2022-11-17 à 04 h 15, Benjamin Drung a écrit :
We did a library transition in Ubuntu to remove this symbol:
https://launchpad.net/bugs/1990941
Attached the patch we applied.
Thanks, I've made a new package based on your patch lately,
libevent_2.1.12-stable-7 is in NEW for now [1].
Le 2022-11-11 à 14 h 41, Slavko a écrit :
Yes, with current libical3 (in testing) the problem is solved, can be
closed.
Thanks, closing it then
Hello,
If I understand correctly, removing the symbols evutil_secure_rng_add_bytes
from the symbols files is enough to fix this bug? If no objection, I'll upload
the fixed package tomorrow.
Hello,
On Sun, 23 Oct 2022 11:54:52 +0200 Yves-Alexis Perez
wrote:
for some reason your reports never reached us so I've just seen this bug and
your investigation. My feeling is that this is actually
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021698 so it might be
interesting to
According to this issue [1], the bug has been fixed in 3.0.16.
I'll upload the new version in unstable today so hopefully you'll be
able to upgrade soon.
/Nicolas
[1] https://github.com/libical/libical/issues/610
Hello,
Le 2022-10-13 à 04 h 42, Konstantinos a écrit :
Came to work today after upgrading from 3.0.14-1+b1 to 3.0.15-2 and could not
see my calendar. Evolution would neither parse calendar.ics nor tasks.ics.
After downgrading to 3.0.14-1+b1 everything works again. I know this is
debian/testing
Hello,
Since libssh2 is a Debian system library, I don't think it's a good idea to
upgrade it to a specific commit.
I'd rather wait for a new release when the libssh2 project thinks it's ready, to
avoid adding new functionalities that may not have been fully tested, validated
upstream or
10 juill. 2022 10 h 45 min 13 s Yadd :
> Source: glewlwyd
> Version: 2.7.1-1
> Severity: important
>
> Hi,
>
> node-react is going to be split into multiple packages. Please add build
> dependency to node-react-dom to fix test.
> This can be done right now since current node-react provides
>
/patches/aesgcm.patch: Fix aesgcm buffer overflow
+
+ -- Nicolas Mora Sun, 26 Jun 2022 17:27:39 -0400
+
rhonabwy (0.9.13-3+deb11u1) bullseye; urgency=medium
* d/patches/bugfixes: apply upstream bugfixes
diff -Nru rhonabwy-0.9.13/debian/patches/aesgcm.patch
rhonabwy-0.9.13/debian/patches
Control: tags -1 - moreinfo
Can you please review the last debdiff?
Package: node-react-audio-player
Version: 0.17.0-2
Severity: normal
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org
I intend to remove node-react-audio-player from the Debian archive, it has
originally been added to Debian to help build a bigger package.
But considering the amount of
+ static_compressed_inmemory_website_callback.c in Glewlwyd
+ through 2.6.2 allows directory traversal
+ * d/glewlwyd-common.install: copy bootstrap, jquery, fork-awesome
+instead of linking it
+
+ -- Nicolas Mora Thu, 17 Mar 2022 21:13:09 -0400
+
glewlwyd (2.5.2-2+deb11u2) bullseye; urgency=medium
* d
Hello,
Is it possible to review the patch, so the package in bullseye can be in
p-u?
Thanks!
He Andreas, thanks for the feedback!
Le 2022-04-17 à 10 h 42, Andreas Metzler a écrit :
Yes, a rebuild will get a binary which works against the new
library, however (partial) upgrades from bookworm won't work.
BTW, the symbol file seems to be wrong:
| h_execute_query_sqlite@Base 1.4.15
the
Hello,
Le 2022-04-17 à 01 h 32, Andreas Metzler a écrit :
i.e. the symbol h_exec_query_sqlite was dropped from the library ABI.
This breaks all reverse dependencies built against 1.4.18, e.g. glewlwyd
is now broken:
(sid)ametzler@argenau:/dev/shm/GLEWY$ ldd -r /usr/bin/glewlwyd | tail -n1
Hello,
On Tue, 12 Apr 2022 20:41:02 +0200 Lucas Nussbaum wrote:
During a rebuild of all packages in sid, your package failed to build
on amd64.
This has been fixed in iddawc-1.1.2-2, thanks!
/Nicolas
during webauthn signature assertion
+
+ -- Nicolas Mora Thu, 17 Mar 2022 21:13:09 -0400
+
glewlwyd (2.5.2-2+deb11u2) bullseye; urgency=medium
* d/patches: Fix possible privilege escalation (Closes: #1001849)
diff -Nru glewlwyd-2.5.2/debian/patches/series
glewlwyd-2.5.2/debian/patches/series
The CVE ID is CVE-2022-27240
as fixed in unstable
[ Changes ]
Check the length of the signature before verifying it
[ Other info ]
CVE ID request pending
Description: Fix buffer overflow
Author: Nicolas Mora
Forwarded: not-needed
--- a/src/scheme/webauthn.c
+++ b/src/scheme/webauthn.c
@@ -2336,12 +2336,24 @@
break
Hello, thanks for the bug report!
Le 2022-02-24 à 11 h 10, Paul Gevers a écrit :
Your package has an autopkgtest, great. However, recently it started
failing in testing.
I don't see the problem when I build on my computer, and I don't know
precisely how to fix it, but the problem comes
Hello Ayoyimika,
I've updated the webpack patch for webpack 5. Now the build goes
further, but it fails anyway:
make[1]: Entering directory '/<>'
webpack -p
internal/modules/cjs/loader.js:818
throw err;
^
Error: Cannot find module 'import-local'
Require stack:
-
Also, the bug is only for 2.x versions.
The package glewlwyd 1.4.9-1 in oldstable isn't vulnerable
Hello,
On Fri, 24 Dec 2021 14:39:14 -0500 Nicolas Mora
wrote:
Hello Salvatore,
Le 2021-12-24 à 14 h 36, Salvatore Bonaccorso a écrit :
>
> Any news on the CVE assignment? Did MITRE respond?
>
The CVE has been attributed for this bug: CVE-2021-45379
Hello,
Le 2021-12-30 à 06 h 22, Ayoyimika Ajibade a écrit :
We are starting to build against webpack5 in experimental and the
package needed for local build is webpack and node-webpack-source from
experimental.
During a test rebuild, node-react-audio-player was found to fail to
build in
Hello Salvatore,
Le 2021-12-24 à 14 h 36, Salvatore Bonaccorso a écrit :
Any news on the CVE assignment? Did MITRE respond?
Not yet, still waiting for the submission to be reviewed according to
the mitre...
/Nicolas
) bullseye; urgency=medium
+
+ * d/patches: Fix possible privilege escalation (Closes: #1001849)
+
+ -- Nicolas Mora Fri, 17 Dec 2021 07:51:46 -0500
+
glewlwyd (2.5.2-2+deb11u1) bullseye; urgency=medium
* d/patches: Fix CVE-2021-40818
diff -Nru glewlwyd-2.5.2/debian/patches/auth.patch
glewlwyd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
[ Reason ]
A bug has been fixed in Glewlwyd 2.6.1 to avoid possible privilege
escalation
[ Impact ]
Users accounts might be compromised
[ Changes ]
Remove a misplaced
: Nicolas Mora
Forwarded: not-needed
--- a/src/webservice.c
+++ b/src/webservice.c
@@ -259,10 +259,6 @@
if (check_result_value(j_result, G_ERROR_UNAUTHORIZED)) {
y_log_message(Y_LOG_LEVEL_WARNING, "Security - Authorization
invalid for username %s at IP Addre
Hello,
I've been investigating with your calendar file using libical3 on
korganizer and I've found out that libical3.10 and libical3.12 are
correctly importing your file, when libical3.11 doesn't, so I'm guessing
your problem is fixed with the last package.
Can you test with package
+deb11u2) bullseye; urgency=medium
+
+ * d/patches: Uses o_malloc instead of malloc (Closes: #1001384)
+
+ -- Nicolas Mora Thu, 09 Dec 2021 08:06:15 -0500
+
ulfius (2.7.1-1+deb11u1) bullseye; urgency=medium
* d/patches: Fix CVE-2021-40540 (Closes: #994763)
diff -Nru ulfius-2.7.1/debian
That's ok, I will file a bug for the stable package and upload it in the
proposed-updates queue.
The bug #1001384 has been filed to fix the malloc bug in stable
This is the backport of the patch for the bug #1001328 fixed in unstable
Source: ulfius
Version: 2.7.1-1+deb11u1
Severity: important
Tags: patch
-- System Information:
Debian Release: 11.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign
Hello,
Le 2021-12-09 à 05 h 13, Harald Welte a écrit :
> Thanks a lot for the very fast response in tagging 2.7.7 and hence
fixing the problem
> for unstable.
>
> However, I am not sure if this bug should be closed yet as 'stable'
> (debian 11 / bullseye) also must be fixed. As bullseye
Source: libcbor
Version: 0.8.0-1
Severity: normal
Dear maintainer,
Please upload a source-only package for libcbor in unstable, so the package can
migrate to testing and allow dependencies to migrate as well.
Thanks in advance!
/Nicolas
Hello,
Le 2021-11-23 à 15 h 20, peter green a écrit :
Package: glewlwyd
Version: 2.5.2-3
Severity: serious
Tags: ftbfs
Unfortunately it seems that even after the cross-fetch fix, glewlwyd
still FTBFS as a
result of changes in iddawc/rhonabwy.
Thanks, that's because the dependencies were
Hello,
The package node-cross-fetch is in the NEW queue [1].
When it will be accepted in unstable, a quick change in the package
i18next-http-backend will fix glewlwyd's ftbfs.
/Nicolas
[1] https://ftp-master.debian.org/new/node-cross-fetch_3.1.4%2Bds.1-1.html
Package: wnpp
Severity: wishlist
Owner: Nicolas Mora
X-Debbugs-CC: debian-de...@lists.debian.org
* Package name: node-jose
Version : 4.3.7
Upstream Author : Filip Skokan
* URL : https://github.com/panva/jose
* License : Expat
Programming Lang: JavaScript
Hi Andrius,
Le 2021-11-06 à 15 h 15, Andrius Merkys a écrit :
In one of my packages I managed to drop-in replace cross-fetch with
node-fetch [1], and it seems to work, just FYI. But since you have
packaged cross-fetch, I will probably switch back to it. Thanks!
Yes, I saw that too and
Package: wnpp
Severity: wishlist
Owner: Nicolas Mora
X-Debbugs-CC: debian-de...@lists.debian.org
* Package name: node-cross-fetch
Version : 3.1.4
Upstream Author : Leonardo Quixada
* URL : https://github.com/lquixada/cross-fetch
* License : Expat
Package: wnpp
Severity: wishlist
Owner: Nicolas Mora
X-Debbugs-CC: debian-de...@lists.debian.org
* Package name: node-whatwg-fetch
Version : 3.6.2
Upstream Author : GitHub, Inc.
* URL : https://github.com/github/fetch#readme
* License : Expat
Programming
The package libssh2 1.10.0-2 has successfully migrated to testing so I
believe this bug is fixed now
On Thu, 14 Oct 2021 16:02:07 +0200 Kevin Funk wrote:
The Debian maintainer removed those in:
https://salsa.debian.org/debian/libical3/-/commit/51ff45c7
... without documenting the change.
My bad, I must have removed these files without noticing it.
I'm uploading a new package to fix
2021-09-20 08:15:27.0 -0400
@@ -1,3 +1,9 @@
+ulfius (2.5.2-4+deb10u1) buster; urgency=medium
+
+ * d/patches: Fix CVE-2021-40540
+
+ -- Nicolas Mora Mon, 20 Sep 2021 08:15:27 -0400
+
ulfius (2.5.2-4) unstable; urgency=medium
* debian/rules: remove override_dh_auto_test since now
/changelog 2021-09-22 08:42:59.0 -0400
@@ -1,3 +1,11 @@
+glewlwyd (2.5.2-2+deb11u1) bullseye; urgency=medium
+
+ * d/patches: Fix CVE-2021-40818
+ possible buffer overflow during FIDO2 signature validation
+ in webauthn registration
+
+ -- Nicolas Mora Wed, 22 Sep 2021 08:42
07:29:46.0 -0400
@@ -1,3 +1,11 @@
+rhonabwy (0.9.13-3+deb11u1) bullseye; urgency=medium
+
+ * d/patches/bugfixes: apply upstream bugfixes
+ jwe cbc tag computation error
+ jws alg:none signature verification issue
+
+ -- Nicolas Mora Wed, 22 Sep 2021 07:29:46 -0400
+
rhonabwy
--- ulfius-2.7.1/debian/changelog 2021-01-03 09:03:05.0 -0500
+++ ulfius-2.7.1/debian/changelog 2021-09-19 15:39:39.0 -0400
@@ -1,3 +1,9 @@
+ulfius (2.7.1-1+deb11u1) bullseye; urgency=medium
+
+ * d/patches: Fix CVE-2021-40540 (Closes: #994763)
+
+ -- Nicolas Mora Sun
Hello,
Friendly ping request for this bug.
If you need help, I'll be happy to help you with this upgrade.
/Nicolas
merge 993851 994763
5.10.0-8-amd64 (SMP w/4 CPU threads)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not
set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Description: Fix CVE-2021-40540
Author: Nicolas Mora
Forwarded: not-needed
--- a/src/ulfius.c
+++ b/src
Hello,
Le 2021-08-28 à 07 h 54, Helmut Grohne a écrit :
libssh2 fails to build from source. A build ends as follows:
I can reproduce that too, not sure why it fails now...
libssh2 version 1.10 builds successfully though, and I'm currently
working on packaging libssh2 1.10 with openssl 3.0.
Le 2021-09-07 à 15 h 03, Salvatore Bonaccorso a écrit :
Embarrassing, I can assure you I did check the git repo.
That's ok, the commit message wasn't about the buffer overflow and it
was a few weeks ago, so no worries :)
/Nicolas