On Wed, Sep 16, 2015 at 11:10:12AM +0200, Alexandre Rossi wrote:
> Hi,
>
> >> > > For the next Debian release GStreamer 0.10 is planned to be
> >> > > removed,
> >> > > and if your package is not updated it might not be included in the
> >> > > release. Please update your package to use the new ve
On Mon, Sep 21, 2015 at 01:42:13PM -0700, Vincent Cheng wrote:
> On Mon, Sep 21, 2015 at 1:31 PM, Moritz Muehlenhoff wrote:
> > Source: kivy
> > Severity: normal
> >
> > Hi,
> > kivy is using gstreamer 1.0, but still has alternate build-deps/deps
> > on gstreamer 0.10:
> >
> > libgstreamer0.10-dev
On Mon, Aug 10, 2015 at 07:16:59AM +, Gianfranco Costamagna wrote:
> Yes, otherwise the points remains:
>
> 1) leave the oracle with CVEs in stable releases
>
> or
>
> 2) have an exception from Security Team and/or Release Team
>
> or
>
> 3) wait and hope Oracle will change the model or ma
reassign 794323 ftp.debian.org
retitle 794323 RM: xmail
thanks
On Sat, Aug 01, 2015 at 01:31:37PM +0200, Moritz Muehlenhoff wrote:
> Package: xmail
> Severity: serious
>
> The last upstream release was in 2010, that's also when the last
> maintainer upload occurred. It has longstanding RC bugs and
On Wed, Jul 08, 2015 at 11:32:14AM +0200, Fabian Greffrath wrote:
> Package: flashplugin-nonfree
> Version: 1:3.6.1
> Severity: wishlist
>
> Hi there,
>
> while trying to keep track if the critical security holes that are
> discovered in Flashplayer regularly, it would help if this package
> prov
On Tue, Aug 18, 2015 at 08:08:01PM +0200, Andreas Cadhalpun wrote:
> Hi Moritz,
>
> On 16.08.2015 14:27, Moritz Muehlenhoff wrote:
> > It was decided to switch to ffmpeg for stretch and it's now in
> > testing.
> >
> > Please remove libav from testing (or rather from unstable unless
> > someone w
On Wed, Aug 19, 2015 at 09:36:14AM -0500, Kiall Mac Innes wrote:
> Hey - Upstream Designate maintainer here.
>
> Icehouse - aka 2014.1 - is partially affected by CVE-2015-5695, failure to
> enforce recordset quotas.
Thanks.
I'm more worried about CVE-2015-5694, is icehouse by that one?
Cheers,
On Wed, Aug 19, 2015 at 05:00:53PM +0200, Guido Günther wrote:
> Hi,
> On Wed, Aug 19, 2015 at 04:53:46PM +0200, Moritz Muehlenhoff wrote:
> > Source: libvirt
> > Severity: normal
> > Tags: security
> >
> > This was assigned CVE-2015-5160:
> > https://www.redhat.com/archives/libvir-list/2011-Novem
On Wed, Aug 19, 2015 at 06:24:39PM +0100, Graham Hayes wrote:
> Ice house was not vulnerable to CVE-2015-5694 , as the affected designate
> component didn't exist during icehouse.
Thanks, I've updated the Debian security tracker.
Cheers,
Moritz
On Sat, May 16, 2015 at 06:31:39PM -0400, David Prévot wrote:
> Package: php-zend-xml
> Version: 1.0.0-1
> Severity: serious
> Tags: sid stretch
>
> [Filed as RC by the maintainer to see it autoremoved from testing if
> nobody disagrees. Please, do downgrade it with an explanation if you
> disa
reassign 796140 ftp.debian.org
retitle 796140 RM: estic - obsolete, unmaintained
thanks
On Wed, Aug 19, 2015 at 09:28:40PM +0200, Moritz Muehlenhoff wrote:
> Package: estic
> Severity: serious
>
> It's one of the last packages blocking the removal of gcc-4.6 (747980)
> without reply for more than
On Mon, Oct 31, 2016 at 12:27:13PM +0100, Sandro Knauß wrote:
> Hey,
>
> I don't know if you heard about QtWebEngine - it is a Web browser engine for
> Qt applications. And is using a patched chromium (49.0.2623.111)( inside src/
> 3rdparty/chromium) as webengine. Qt itself deprecated QWebKit and
>
> The latest security upload of mysql-5.5 breaks akonadi-backend-mysql in
> stable,
> this is due to a change in the compiled-in configuration values that are
> incompatible with the ones shipped in the akonadi backend *.
>
> In the bug #843520 [1] the mysql maintainers requested this to be fi
On Thu, Nov 10, 2016 at 11:29:09AM +0100, Bernhard Schmidt wrote:
> On Fri, Feb 26, 2016 at 10:31:43PM +0100, Moritz Muehlenhoff wrote:
>
> Hi Moritz,
>
> > Source: asterisk
> > Severity: serious
> >
> > asterisk hasn't seen a maintainer upload to unstable in 2015. It's
> > already exclu
On Thu, May 11, 2017 at 11:00:30AM +0100, Ian Jackson wrote:
> I think such a change is buster material. For now, I suggest that I
> continue to build security updates for jessie on i386 as I am able to
> conveniently test that.
I agree.
Cheers,
Moritz
On Thu, May 11, 2017 at 05:20:55PM +0300, Adrian Bunk wrote:
> On Thu, Feb 09, 2017 at 11:38:29AM -0300, dequis wrote:
> > Package: bitlbee
> > Version: 3.4.2-1.1
> > Severity: grave
> > Tags: upstream security patch fixed-upstream
> >
> > Hi,
> >
> > I'm opening this bug since #853282, which was
On Thu, May 11, 2017 at 11:48:47PM +0200, Marcos Fouces wrote:
> Hi Adrian,
>
> i agree to prepare a package for the next Jessie point release. I think
> these issues are not grave enough for a DSA.
>
> That is my opinion, but i would appreciate feedback.
Agreed, please fix this via the jessie 8.
On Tue, Mar 21, 2017 at 09:12:28PM +0100, Hans-Christoph Steiner wrote:
>
> Almost all of the Android CVEs are for the Android OS, not the Android
> SDK. The tricky part is that they are built from the same source tree.
> Another thing to note is that some of the Android SDK libs used in the
> SD
On Fri, Mar 03, 2017 at 08:40:37AM +0100, Mattia Rizzolo wrote:
> On Fri, Mar 03, 2017 at 06:43:03AM +0100, Salvatore Bonaccorso wrote:
> > in the above list.
>
> aheam, what a list.
> Anyway, you (Moritz) opened this bug as RC, but is it fine to downgrade
> to important if I deem the issues not g
retitle 858177 CVE-2016-3921 CVE-2016-3885
thanks
On Sun, Mar 19, 2017 at 01:38:15PM +0100, Moritz Muehlenhoff wrote:
> Source: android-platform-system-core
> Severity: grave
> Tags: security
>
> Please see
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3921
Also:
http://cve.mitre.org
retitle 858177 CVE-2016-3921 CVE-2016-3885 CVE-2016-3861
thanks
> On Sun, Mar 19, 2017 at 01:38:15PM +0100, Moritz Muehlenhoff wrote:
> > Source: android-platform-system-core
> > Severity: grave
> > Tags: security
> >
> > Please see
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-392
On Mon, Feb 13, 2017 at 11:06:17PM +0100, Moritz Mühlenhoff wrote:
> On Wed, Nov 09, 2016 at 05:38:46PM +0100, Bálint Réczey wrote:
> > clone 842498 -1
> > retitle 842498 kde-runtime: Command displayed by kdesu truncated by unicode
> > string terminator (CVE-2016-7787)
>
On Wed, Feb 01, 2017 at 12:43:02PM +0100, Martin Pitt wrote:
> Hello Salvatore,
>
> Salvatore Bonaccorso [2017-01-31 17:15 +0100]:
> > This has been assigned CVE-2016-10187, in
>
> Want me to upload the previously sent patch to the queue (with adding the CVE
> to the patch/changelog)?
Yes, could
On Fri, Feb 17, 2017 at 09:02:59AM +0100, Andreas Tille wrote:
> tags 855340 pending
> thanks
>
> Hi Torbjørn,
>
> thanks for the quick and helpful response. I've updated the packaging
> in Git but see no urgent need for an upload with this change and would
> rather wait for a new upstream relea
On Fri, Feb 10, 2017 at 11:07:22AM +1300, Chris Lamb wrote:
> tags 854723 + pending
> thanks
>
> > diffoscope may write to arbitrary locations on disk depending on the
> > contents
> > of an untrusted archive
Please use CVE-2017-0359
Cheers,
Moritz
On Sun, Feb 12, 2017 at 09:38:31PM +0100, Markus Koschany wrote:
> Hi,
>
> a bug was reported against tomcat8 and tomcat7 in Jessie and it seems
> the issue is related to our latest security updates. We would like to
> address this regression as soon as possible because this one can be
> triggered
On Wed, Nov 09, 2016 at 05:38:46PM +0100, Bálint Réczey wrote:
> clone 842498 -1
> retitle 842498 kde-runtime: Command displayed by kdesu truncated by unicode
> string terminator (CVE-2016-7787)
> reassign -1 kdesudo 3.4.2.4-2
> thanks
Dear KDE maintainers,
the bug metadata suggests CVE-2016-7787
On Thu, Mar 17, 2016 at 11:06:05PM +0100, Moritz Muehlenhoff wrote:
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu
>
> Hi,
> I'd like to update icedtea-web in jessie to 1.5.3 in the next
> jessie point release. This fix
Hi,
adding t...@security.debian.org to CC and quoting in full below to solicit
further comments.
I think Drake's proposal makes perfect sense, the current behaviour is mostly
historic, it
was around before I joined the security team ten years ago.
And maybe let's add something like:
"If you wan
On Mon, May 23, 2016 at 09:48:30PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo jessie
>
> On Mon, 2016-05-23 at 22:33 +0200, Moritz Muehlenhoff wrote:
> > please remove mediawiki in the upcoming jessie point release. Security
> > support for it was limited for a year as mentioned i
On Tue, May 24, 2016 at 09:34:49PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Thu, 2016-03-17 at 23:06 +0100, Moritz Muehlenhoff wrote:
> > I'd like to update icedtea-web in jessie to 1.5.3 in the next
> > jessie point release. This fixes two security issues (CVE-2015-5234
On Mon, Nov 30, 2015 at 02:42:07PM +0100, Olivier Aubert wrote:
> I am the upstream maintainer of Advene. The project is not abandoned,
> but the port to gtk3 + gstreamer 1.0 is not simply trivial, and needs
> more time than I can invest right now. It is still in my todo list, but
> it will not be
On Fri, Dec 04, 2015 at 05:35:32PM +0100, treb...@tuxfamily.org wrote:
> Hi all,
> I'd say that I'd like Debian to keep it in since I'm using it.
> Just my 2 cents.
> Olivier
We won't be able to keep it unless it gets ported/maintained.
Cheers,
Moritz
reassign 806586 ftp.debian.org
retitle 806586 RM: playitslowly - dead upstream, depends on legacy libs
severity 806586 normal
thanks
On Sun, Nov 29, 2015 at 11:40:24AM +0100, Moritz Muehlenhoff wrote:
> Package: playitslowly
> Severity: serious
>
> Should playitslowly be removed? It depends on gs
severity 701655 serious
thanks
On Mon, Feb 25, 2013 at 02:46:50PM -0500, Michael Terry wrote:
> Package: imagemagick
> Version: 8:6.7.7.10-5
> Severity: normal
> Tags: patch
> User: ubuntu-de...@lists.ubuntu.com
> Usertags: origin-ubuntu raring ubuntu-patch
>
> Dear Maintainer,
>
> In Ubuntu, th
On Mon, Aug 18, 2014 at 06:10:52PM +0200, Markus Koschany wrote:
> Control: tags -1 patch
>
> I am not absolutely sure how libdevilc2 ended up with a dependency on
> liblcms1 again because it already depends on liblcms2-dev but the most
> probable explanation might be that liblcms1-dev was still i
reopen 743596
thanks
> adding the liblcms2-dev build dependency is not enough to have gimp
> build with it; libmng-dev has liblcms-dev as dependency, and
> configure checks for lcms1 first when no specific version is
> specified.
>
> Thus, the additional fix needed is to pass --with-lcms=lcms2 as
On Thu, Aug 07, 2014 at 11:37:30AM +0200, Ondřej Surý wrote:
> Package: release.debian.org
> Severity: normal
> Tags: wheezy
> User: release.debian@packages.debian.org
> Usertags: pu
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Dear release team,
>
> as discussed on #debian-rele
On Tue, Aug 19, 2014 at 11:47:24PM +0200, Markus Koschany wrote:
> On 19.08.2014 22:45, Moritz Mühlenhoff wrote:
> [...]
> > Thanks for the additional investigation, shall I sponsor the upload for
> > you or do you have a regular sponsor?
> >
>
> Hi Moritz,
>
>
On Wed, Aug 20, 2014 at 12:07:03PM +0200, Ondřej Surý wrote:
> On Wed, Aug 20, 2014, at 11:53, Moritz Mühlenhoff wrote:
> > On Thu, Aug 07, 2014 at 11:37:30AM +0200, Ondřej Surý wrote:
> > > Package: release.debian.org
> > > Severity: normal
> > > Tag
On Sat, May 23, 2015 at 03:14:31PM +, Damyan Ivanov wrote:
> -=| Axel Beckert, 23.05.2015 16:48:43 +0200 |=-
> > Hi,
> >
> > the Debian Perl Team intends to file a removal bug for libogre-perl as
> >
> > * it no more builds against libogre 1.9 (#732725);
> > * its upstream seems inactive sinc
On Sat, May 28, 2016 at 08:32:04PM +0200, Salvatore Bonaccorso wrote:
> Hi all,
>
> On Sat, Nov 01, 2014 at 08:50:05PM +0100, Moritz Mühlenhoff wrote:
> > On Sat, Nov 01, 2014 at 02:30:02PM -0400, Michael Gilbert wrote:
> > > On Sat, Nov 1, 2014 at 11:46 AM, Sa
On Sat, Jun 04, 2016 at 01:51:15PM +0200, Santiago Vila wrote:
> Version: 0.12~pre6-11
>
> This seems fixed, but I didn't find anything in the changelog about it.
>
> I'm closing with this version because I have a successful build log for that
> version.
I'm pretty sure that was fixed by the mo
On Fri, Mar 25, 2016 at 06:14:35PM +0100, Emmanuel Bourg wrote:
> Le 25/03/2016 18:07, Moritz Muehlenhoff a écrit :
>
> > stretch should only provide one version of Tomcat.
>
> I agree, however like tomcat6 we'll keep the src:tomcat7 package to
> build the Servlet API only (libservlet3.0-java). I
On Sun, Feb 07, 2016 at 02:28:04PM -0400, David Prévot wrote:
> Package: php-tcpdf
> Version: 6.0.093+dfsg-1
> Severity: serious
> Tags: security upstream
>
> According to their changelog [1], upstream fixed a security issue over a
> year ago:
>
> 6.2.0 (2014-12-10)
> - Bug #1005 "Security
On Tue, Mar 29, 2016 at 05:13:51PM +0200, Santiago Ruano Rincón wrote:
> Source: debian-security-support
> Version: 2015.04.04
> Severity: serious
> Tags: -1 + patch
> Justification: Fails to build from source
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> Dear Maintainer,
>
> A jessi
On Sun, Feb 07, 2016 at 11:55:39PM +, D Haley wrote:
> Hi,
>
> I claim that this bug is blocked by mathgl, as mathgl has enabled c++11
> support. I'm not a maintainer on that package anymore.
>
> Mathgl's C++11 support has been re-enabled in HEAD after closing 800460 by
> disabling C++11 supp
On Fri, Aug 21, 2015 at 10:17:19PM +0100, Chris West (Faux) wrote:
> Source: rapidsvn
> Version: 0.12.1dfsg-3
> Severity: serious
> Justification: fails to build from source
> Tags: sid
> User: reproducible-bui...@lists.alioth.debian.org
> Usertags: ftbfs
> X-Debbugs-CC: reproducible-bui...@lists.a
On Sat, Apr 02, 2016 at 01:23:59PM +, Mattia Rizzolo wrote:
> On Sat, Apr 02, 2016 at 04:04:35PM +0300, Dimitrios Eftaxiopoulos wrote:
> > Στις Σάββατο, 2 Απριλίου 2016 11:24:15 Π.Μ. EEST Moritz Mühlenhoff έγραψε:
> > > On Sun, Feb 07, 2016 at 11:55:39PM +, D Haley
On Fri, Feb 26, 2016 at 11:38:03AM +0100, Vincent Danjean wrote:
> Package: dotclear
> Version: 2.8.0+dfsg-1
> Severity: serious
> Tags: security
> Justification: security
>
> Hi,
>
> I'm using Debian packages of dotclear (a php blogs engine) for a few years.
> For 6 months, the package do no
On Wed, May 04, 2016 at 12:57:13AM +0200, Adam Borowski wrote:
> Package: ftp.debian.org
> Severity: normal
>
>
> Hi!
> While this package technically still has a maintainer, he's for all purposes
> gone: last pgp action 2011, all his known mail addresses either bounce or
> get no response (pinge
On Sun, Feb 21, 2016 at 12:20:52AM +, Julien Cristau wrote:
> Control: clone -1 -2 -3 -4 -5 -6 -7 -8
> Control: reassign -2 cups 2.1.3-1
> Control: retitle -2 cups: build-depends on libslp-dev
> Control: reassign -3 kde-runtime 4:15.08.3-1
> Control: retitle -3 kde-runtime: build-depends on lib
reassign 718309 ftp.debian.org
retitle 718309 RM: python-irclib: Obsolete
severity 718309 normal
thanks
On Thu, Aug 08, 2013 at 03:40:03PM +0200, Margarita Manterola wrote:
> Hi,
>
> On Tue, Jul 30, 2013 at 12:27 AM, Oxan van Leeuwen
> wrote:
> > This package is an old version of the python-irc
On Mon, Apr 25, 2016 at 07:16:02PM +0200, Pino Toscano wrote:
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu
>
> Hi,
>
> simple jessie-pu for poppler, just fixed in unstable, which fixes
> CVE-2015-8868; attached debdi
On Wed, Nov 19, 2014 at 11:45:02PM +0100, Moritz Muehlenhoff wrote:
> Source: xen
> Severity: grave
> Tags: security
>
> Hi,
> the following security issues apply to Xen in jessie:
>
> CVE-2014-5146,CVE-2014-5149:
> https://marc.info/?l=oss-security&m=140784877111813&w=2
>
> CVE-2014-8594:
> htt
On Thu, Jun 04, 2015 at 09:27:53PM +0200, Salvatore Bonaccorso wrote:
> Source: dolibarr
> Version: 3.5.5+dfsg1-1
> Severity: important
> Tags: security upstream fixed-upstream
>
> Hi,
>
> the following vulnerability was published for dolibarr.
>
> CVE-2015-3935[0]:
> HTML Injection
>
> If you
On Wed, Jul 22, 2015 at 03:24:45PM +0200, Emmanuel Bourg wrote:
> The fix has been confirmed by an upstream developer:
>
> http://mail-archives.apache.org/mod_mbox/activemq-dev/201507.mbox/%3CCAKChZ-TruL3Sm3GW9B3Nr1L3fsxDH_X95rGhm85rfXh9_zVJfg%40mail.gmail.com%3E
Could you prepare updated package
On Wed, Jul 09, 2014 at 10:16:07PM +0200, Moritz Muehlenhoff wrote:
> Source: kde-workspace
> Severity: wishlist
> Tags: patch
>
> activation of the service
> -
>
> After installation of the updated package the service isn't enabled
> by default. You'll need to run "system
On Wed, Apr 23, 2014 at 01:03:04PM +0200, Moritz Muehlenhoff wrote:
> Package: openjdk-6
> Severity: normal
> Tags: patch
>
> 6b30-1.13.2-1 introduced the following check:
>
> | * debian/rules: disable system lcms2 for releases that don't have lcms2 2.5
> | or higher.
>
> Debian wheezy uses lc
On Tue, Apr 22, 2014 at 05:48:51PM +0200, Moritz Muehlenhoff wrote:
> Package: ghostscript
> Version: 9.05~dfsg-8.1
> Severity: important
>
> As pre-announced in
> https://lists.debian.org/debian-devel/2013/12/msg00570.html
> it is planned to remove lcms1 for jessie.
>
> According to the changel
On Tue, May 19, 2015 at 09:36:45AM +, Gianfranco Costamagna wrote:
> Hi Debian security team, can we please followup with the two uploads then?
>
> I'm attaching the two debdiffs,
Ok, please upload. Jessie needs to be built with "-sa" since virtualbox is
new in jessie-security.
I'll take car
On Mon, May 25, 2015 at 11:21:26AM -0700, Andrew Ayer wrote:
> On Wed, 20 May 2015 06:39:06 +
> ow...@bugs.debian.org (Debian Bug Tracking System) wrote:
>
> > On Wed, May 20, 2015 at 05:58:55PM +1200, VeNoMouS wrote:
> > >
> > >
> > > Seriously, how long do we have to wait on this to be fi
On Mon, Apr 13, 2015 at 04:25:24PM +0200, Daniele Tricoli wrote:
> On Saturday 11 April 2015 14:50:19 Luke Faraone wrote:
> > However, the package is vulnerable to the other issue:
> >
> > - If the secretKey was expected to be a RSA public key, but the attacker
> > changed the header to indicate a
On Sun, Jun 21, 2015 at 02:56:36PM +0200, Hilko Bengen wrote:
> * Salvatore Bonaccorso:
>
> > Did you had a chance to get more details on it?
>
> ,[ http://seclists.org/bugtraq/2015/Jun/53 ]
> | Elasticsearch versions 1.0.0 - 1.5.2 are vulnerable to an engineered
> | attack on other applicati
On Wed, Jun 24, 2015 at 10:29:20PM +0200, Salvatore Bonaccorso wrote:
> Source: ipython
> Version: 2.1.0-1
> Severity: important
> Tags: security upstream fixed-upstream
>
> Hi,
>
> the following vulnerability was published for ipython.
>
> CVE-2015-4707[0]:
> IPython XSS in JSON error responses
reassign 792442 ftp.debian.org
retitle 792442 RM: RoM: unused, dead upstream
severity 792442 normal
thanks
On Wed, Jul 15, 2015 at 09:27:01AM +0900, Charles Plessy wrote:
> Le Tue, Jul 14, 2015 at 09:44:47PM +0200, Moritz Muehlenhoff a écrit :
> >
> > There's just a single upload, which was appar
On Mon, May 04, 2015 at 07:38:24AM -0400, Scott Kitterman wrote:
> On Sunday, May 03, 2015 11:25:39 AM you wrote:
> > Package: ftp.debian.org
> > Severity: normal
> >
> > Hi,
> > please remove squid. It has been replaced by squid3 (672156)
> > and is already not part of jessie, so let's also remov
On Wed, Jun 03, 2015 at 10:03:42AM +0200, Werner Koch wrote:
> On Wed, 3 Jun 2015 08:05, gni...@fsij.org said:
>
> > Thank you. I think it makes sense.
>
> I don't think so. GnuPG uses a locking mechanism to avoid that several
> instances of gpg and friends start gpg-agent. Thus watching the
On Fri, Jun 05, 2015 at 03:58:23AM +0200, Daniele Tricoli wrote:
> Hello,
>
> On Sunday 31 May 2015 12:00:17 Moritz Mühlenhoff wrote:
> > What's the status?
>
> Sorry for the delay! I cherry picked and adapted the patch for pyjwt
> version in Jessie. I w
On Wed, Jun 10, 2015 at 09:41:48AM +0100, Edmund Grimley Evans wrote:
> Source: elinks
> Version: 0.12~pre6-8
> Tags: patch
>
> It failed to build on arm64:
>
> https://buildd.debian.org/status/package.php?p=elinks&suite=sid
>
> Mysteriously, I couldn't reproduce the build failure in my chroot.
On Wed, Jun 10, 2015 at 10:22:03AM +0100, Edmund Grimley Evans wrote:
> > Your patch seems to have been made against the debian/rules file
> > from jessie, but it has been migrated to dh in 0.12~pre6-7.
>
> I wonder how that happened. Perhaps I'm using a tardy mirror.
>
> Well, referring to
> htt
On Wed, Jun 10, 2015 at 05:00:27PM +0200, Thomas Goirand wrote:
> On 06/10/2015 12:23 PM, László Böszörményi (GCS) wrote:
> > On Wed, Jun 10, 2015 at 10:42 AM, Salvatore Bonaccorso
> > wrote:
> >> On Wed, Jun 10, 2015 at 09:10:56AM +0200, László Böszörményi (GCS) wrote:
> >>> Just checked. The Wh
On Tue, Jun 09, 2015 at 12:48:58AM +0200, Andreas Beckmann wrote:
> Package: elinks
> Version: 0.12~pre6-7
> Severity: serious
> User: debian...@lists.debian.org
> Usertags: piuparts
>
> Hi,
>
> an upgrade test with piuparts revealed that your package installs files
> over existing symlinks and p
On Thu, Jun 11, 2015 at 01:01:35AM +0200, Thomas Goirand wrote:
> Could you please allow me to upload the package to the security FTP,
> even without a DSA? Dealing with the release team to update software for
> security is often frustrating because it takes too long (because they
> are busy, and t
On Wed, Jan 14, 2015 at 03:13:04PM +0100, Moritz Muehlenhoff wrote:
> Package: chicken
> Severity: important
> Tags: security
>
> Hi,
> please see http://www.openwall.com/lists/oss-security/2015/01/12/3
> for details.
This has been assigned CVE-2014-9651.
What's the status?
Cheers,
Mori
On Sat, Feb 14, 2015 at 10:09:09PM +, Colin Watson wrote:
> On Sat, Feb 14, 2015 at 03:40:31PM +0100, Luciano Bello wrote:
> > The security team received a report from the CERT Coordination Center that
> > the
> > Henry Spencer regular expressions (regex) library contains a heap overflow
> >
On Fri, Feb 13, 2015 at 12:28:28AM +0100, Markus Koschany wrote:
> Control: tags -1 moreinfo
>
> On Thu, 12. Feb 23:13 Moritz Muehlenhoff wrote:
> > Package: byzanz
> > Severity: important
> > Tags: security
> >
> > Hi,
> > this was reported by Red Hat:
> > https://bugzilla.redhat.com/show_bug.cg
On Mon, Feb 16, 2015 at 12:12:02AM +0100, László Böszörményi (GCS) wrote:
> Hi all,
>
> On Thu, Feb 12, 2015 at 4:50 PM, wrote:
> > It would be great if you (or any co-maintainer) would initially
> > take care of the open icu security issues in jessie/sid (with
> > a minimal upload to sid + unbl
On Sat, Feb 14, 2015 at 03:41:21PM +0100, Luciano Bello wrote:
> Package: nvi
> Severity: important
> Tags: security patch
>
> The security team received a report from the CERT Coordination Center that
> the
> Henry Spencer regular expressions (regex) library contains a heap overflow
> vulnerab
On Fri, Nov 21, 2014 at 08:30:37PM +0100, Niels Thykier wrote:
> On 2014-11-21 14:56, Salvatore Bonaccorso wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> >
> > Hi Release Team,
> >
> > Please unblock package dhc
On Fri, May 16, 2014 at 11:17:32AM +1000, Luke Yelavich wrote:
> On Fri, Apr 25, 2014 at 10:06:04PM EST, Moritz Muehlenhoff wrote:
> > Hi,
> > the details are a bit scarce, can you contact upstream whether the Chrome
> > developers have contacted them?
> >
> > http://cve.mitre.org/cgi-bin/cvename.
severity serious
thanks
> This package forks a local copy of the Iceweasel Javascript engine which is
> no longer supported with security updates (currently only the ESR24 series
> is maintained)
>
> What's the strategy here? Do you plan to backport/triage all Javascript
> related
> security iss
On Thu, Jan 10, 2013 at 04:47:35PM -0600, Gunnar Wolf wrote:
> > FWIW the exploit-db webpage points at three different problems, two
> > XSS and one CSRF. The XSS are not present in collabtive 0.7.6, but the
> > CSRF is.
> >
> > I'm getting in touch with the authors right now. Thanks!
>
> http://
On Sat, Nov 15, 2014 at 08:25:41AM +0100, Salvatore Bonaccorso wrote:
> Source: kde-runtime
> Version: 4:4.8.4-2
> Severity: normal
> Tags: security upstream patch fixed-upstream
>
> Hi,
>
> the following vulnerability was published for kde-runtime.
>
> CVE-2014-8600[0]:
> Insufficient Input Val
On Tue, Dec 30, 2014 at 12:29:35PM +0100, Matthias Klose wrote:
> forgot to mention that there are no regression in the binutils testsuite on
> all
> release architectures, and that there are no regression in the gcc-4.8 and
> gcc-4.9 testsuites on all release architectures.
Did someone from the
On Mon, Dec 22, 2014 at 10:33:50PM +0100, Kilian Krause wrote:
> Package: fex
> Version: 20140917-1
> Severity: serious
> Tags: security patch upstream pending confirmed jessie
>
>
> As upstream has released a new version of the fex package which closes a
> security issue and there is no CVE ass
On Wed, Jan 07, 2015 at 02:25:49PM +0100, Noël Köthe wrote:
> tags 774769 + upstream
> forwarded 774769 https://github.com/lavv17/lftp/issues/116
> thanks
>
> Hello Marcin,
>
> Am Mittwoch, den 07.01.2015, 12:39 +0100 schrieb Marcin Szewczyk:
>
> > From the src/SSH_Access.cc file:
> > 47: const
On Fri, Jan 09, 2015 at 10:57:13PM +0100, Christian Hofstaedtler wrote:
> AFAICT there is no publicly available patch, and upstream is more or
> less "dead".
>
> Redmine's patched redcloth3 looks very different from the current
> redcloth 4.x sources, so I have my doubts if forward porting this
>
On Tue, Jan 20, 2015 at 09:47:26PM +0100, Yves-Alexis Perez wrote:
> * The potential invalid writes in modules/services_discovery/sap.c and
> modules/access/ftp.c were not fixed as I did not provide a
> trigger. Note, that the code looks very similar to the confirmed bug
> in rtp_packetize_xi
On Fri, Jan 23, 2015 at 02:26:06PM +0100, Raphael Hertzog wrote:
> On Wed, 21 Jan 2015, Raphael Hertzog wrote:
> > Some notes:
> > - the final upload will include the bug closure of #775375
> > - there's a small tweak of a Suggests dependency, it was not intended for
> > jessie but I don't see ho
On Sun, Jan 18, 2015 at 10:24:30AM +, Ben Hutchings wrote:
> Source: oss4
> Version: 4.2-build2006-2
> Severity: critical
> Tags: security
>
> In kernel/drv/oss_usb/oss_usb.c:
OSS maintainers,
did you forward this upstream?
Cheers,
Moritz
On Mon, Jan 26, 2015 at 01:41:54PM +0100, Kilian Krause wrote:
> Hi Moritz,
>
> On Mon, Jan 26, 2015 at 12:28:00PM +0100, Moritz Mühlenhoff wrote:
> > On Mon, Dec 22, 2014 at 10:33:50PM +0100, Kilian Krause wrote:
> > > Package: fex
> > > Version: 20140917-1
>
On Mon, Jan 26, 2015 at 09:07:19PM +0530, Ritesh Raj Sarraf wrote:
> On 01/21/2015 01:23 PM, Moritz Muehlenhoff wrote:
> > In the past someone from upstream posted the upstream commits to the
> > bug log, maybe you can contact them for more information so that we
> > can merge the isolated fixes in
On Wed, Jan 14, 2015 at 05:25:02AM +0100, Holger Levsen wrote:
> control: severity -1 important
>
> Hi Alexander,
>
> On Dienstag, 13. Januar 2015, Alexander Cherepanov wrote:
> > pxz sets the mode of an output file to be the same as the one of an
> > input file but does it only after compression
On Mon, Jan 05, 2015 at 01:47:40AM +1100, Russell Sim wrote:
> Moritz Muehlenhoff writes:
>
> > Source: libgit2
> > Severity: important
> > Tags: security
> >
> > libgit2 is also affected by the recent git vulnerability:
> > http://openwall.com/lists/oss-security/2014/12/18/21
>
> Thanks for the
On Sat, Dec 27, 2014 at 02:27:29PM +0100, Laurent Bigonville wrote:
> On Sat, 20 Dec 2014 08:18:29 +0100 Salvatore Bonaccorso
> wrote:
>
> > Hi,
>
> Hello,
>
> > the following vulnerability was published for libssh.
> >
> > CVE-2014-8132[0]:
> > Possible double free on a dangling pointer with
On Tue, Jan 27, 2015 at 09:53:45AM +, Gianfranco Costamagna wrote:
> Hi Moritz, please read carefully this thread :)
>
>
> >Could you please check back with upstream on CVE-2015-0377 and CVE-2015-0418?
>
> jessie is not affected, and wheezy has already the patch on this thread
>
> the two C
On Mon, Jan 26, 2015 at 09:14:55PM +0530, Ritesh Raj Sarraf wrote:
> On 01/26/2015 09:07 PM, Ritesh Raj Sarraf wrote:
> > On 01/21/2015 01:23 PM, Moritz Muehlenhoff wrote:
> >> In the past someone from upstream posted the upstream commits to the
> >> bug log, maybe you can contact them for more inf
On Sun, Jan 05, 2014 at 06:34:55PM +, Dominic Hargreaves wrote:
> Source: movabletype-opensource
> Version: 5.2.7+dfsg-1
> Severity: serious
> Justification: maintainer
>
> Support of MTOS by upstream (at least in the English speaking community)
> is now very sketchy. The security update annou
On Thu, Jan 22, 2015 at 06:00:54PM +0100, Christoph Berg wrote:
> Re: To Debian Bug Tracking System 2015-01-22
> <20150122161925.ga23...@msg.df7cb.de>
> > Source: xymon
> > Version: 4.3.17-1
> > Severity: grave
> > Tags: security patch pending
> >
> > web/acknowledge.c uses a string twice in a fo