TTPS.
> +- Update copyright for new upstream release.
> +- Update copyright to mention Matteo's work.
> + * debian/desktop/dwm.desktop:
> +- Remove deprecated encoding key.
> +- Correct name entry.
> +- Correct comment entry.
> +- Correct type entry.
Hi Sebastian,
On Tue, Jun 29, 2021 at 09:57:57PM +0200, Sebastian Andrzej Siewior wrote:
> On 2019-10-07 08:41:51 [+0200], Hugo Lefeuvre wrote:
> > I have discovered this during my regression tests for the jessie update. My
> > main worry was to have broken something, I'm gl
nue to use it, installing from somewhere else,
effectively being at even higher risk than with the Debian
archive's (semi-) patched version.
Of course if we can't offer any support I guess it's still better
to get rid of it than giving a false impression of
support/security.
Best,
Hug
ree to tell me if I should cancel it.
Thank you very much for this NMU. I am completely overloaded with work
currently and could not find time to handle this. Feel free to upload to
unstable right away!
Best Regards,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360
Hi Lucas,
thanks a lot for this bug report. I will do my best to sort this out during
the week-end.
cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Hi,
thanks for your contribution, this should be in unstable by tonight.
cheers,
Hugo
--
ns in there.
I have asked upstream regarding the licensing issue. For the rest, I think
we should wait for followups, or possibly a better patch.
Any comments/advice?
cheers,
Hugo
--
r findings?
>
> Ah yes; well-spotted. :)
Ack, same for stretch in the end. :)
BTW, there is a confusion in the jessie update, the changelog says it fixes
CVE-2019-17357 and the patch is called CVE-2019-17357.patch, but the
actual CVE being fixed is CVE-2019-17358, not CVE-2019-17357.
cheers,
H
ffected in stretch in the tracker.
cheers,
Hugo
--
Hi Sebastian,
I see that your work migrated to testing, and wondered... are you still
intending to prepare updates for stretch and buster? Is there anything I
can do to help you?
thanks for your work!
cheers,
Hugo
--
Hi,
On Fri, Nov 08, 2019 at 09:56:53PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Fri, 2019-10-18 at 13:23 +0200, Hugo Lefeuvre wrote:
> > as discussed in #939553[0], no DSA will be issued by the security
> > team for CVE-2018-21010 and this vulne
a7
https://github.com/ImageMagick/ImageMagick6/commit/4cc316818e5b841ff5a9394a0730d5be6e8686ce
backporting them is sufficient to fix the issue.
cheers,
Hugo
--
ne
used in stretch).
This will be fixed in the next security update.
cheers,
Hugo
[0]
https://github.com/ImageMagick/ImageMagick/commit/4b85d29608d5bc0ab641f49e80b6cf8965928fb4
[1]
https://github.com/ImageMagick/ImageMagick6/commit/663e70e90257797f4634ea8dd4a31e0947d1f266
--
4 and 0227.
I'll try to ship a patch for this along with the next jessie update.
regards,
Hugo
--
> thanks for your valuable work on this bug!
> Yes, I can prepare update on 30-31st of December.
that would be great, thanks! :-)
cheers,
Hugo
--
uld handle this update in unstable? I'd
love to help, but my Debian time is somewhat limited currently...
cheers,
Hugo
--
11 in unstable: I have asked
upstream about his plans to release 3.18.1 but did not receive any answer
yet. I suppose that we should cherry pick the patch if we want a quick
fix.
cheers,
Hugo
--
with the cherry picked
patch.
cheers,
Hugo
--
Dear clamav maintainers,
are you planning to address this in stretch/buster via -updates? I can
provide some help if needed (and make sure this gets backported to
jessie-security).
thanks!
regards,
Hugo
--
should also be able to handle
stretch and buster. Anton, you know this package better than me, would you
be available to test the update?
thanks!
regards,
Hugo
[0] https://sourceforge.net/p/freeimage/svn/1825/
--
tracker as well.
regards,
Hugo
--
take a look at it.
cheers,
Hugo
--
once ftpmasters have accepted the package.
cheers,
Hugo
--
osing Bleachbit would be a significant source of annoyance for
many Debian users (popcon 2754 at the moment).
May I add the py2keep flag, until the Bleachbit Py3 migration completes?
regards,
Hugo
--
they seem to be working on
> it).
>
> It would be super nice to have this new version packaged from a user's
> perspective and, also, from an archive/distribution/removal perspective
> also.
thanks for the heads up. 3.0 will be in the archive asap, I'm working on it.
c
issues with bilevel images, unrelated to
this patch. I will try to take a look at them in the future.
I can provide additional explanations if there is anything unclear.
I'd like to get this patch peer-reviewed/merged upstream before shipping
it in a Debian release.
reg
rough 3.5.26 allows remote code execution
because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted
XML document with 'https://security-tracker.debian.org/tracker/CVE-2019-17626
regards,
Hugo
--
FTR: Dirk Lemstra confirmed that those four commits correspond to the fixes
for CVE-2019-17540.
--
addresses this issue, along with CVE-2018-20847.
This is almost the same debdiff as #942024[1] (for stretch-pu).
thanks!
cheers,
Hugo
[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939553
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942024
--
and can't assess the severity
properly.
Could you provide some more information related to this vulnerability? an
isolated patch would be ideal.
thanks!
regards,
Hugo
[0] https://security-tracker.debian.org/tracker/CVE-2019-16729
--
he issue and appears to
confirm previous analysis.
Any comments?
cheers,
Hugo
[0]
https://github.com/Cacti/cacti/commit/cf73ae1a9f65b5a27d7f9d10c8e14835c3a76326
[1] https://github.com/Cacti/cacti/blob/develop/lib/rrd.php#L1179
[2] https://github.com/Cacti/cacti/blob/develop/graph_image.php#L132
--
Hi,
> I think that second occurrence of 2018-21010 might be incorrect. :-)
right, same typo twice. I meant CVE-2016-9112 of course :)
> Please go ahead.
uploaded, thanks!
--
't hesitate to open a bug report, I will
take a look at it.
regards,
Hugo
--
th uploading. You can find (UNRELEASED) amd64 builds,
signed by myself on my Debian webpage:
https://people.debian.org/~hle/lts/clamav/
regards,
Hugo
[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824042
--
Hugo
--
://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939553
--
diff -Nru openjpeg2-2.1.2/debian/changelog openjpeg2-2.1.2/debian/changelog
ut to upload 2.3.1 this week, so this should be just fine.
> Pay attention to 2.3.0-3 in your dch that's all I care really. I'll
> import in git after the upload since it is ready.
ack, thanks!
regards,
Hugo
--
seems that this vulnerability would allow significant
heap write overflow. Hard to exploit, but this is enough for a DLA, in my
opinion.
Regarding stretch and buster, I don't think this is worth a DSA, but we
could fix this via a point update later on.
cheers,
Hugo
--
atabase.
Ack, thanks for pointing that out, I forgot about the file size limit.
> So far I don't see anything wrong.
I have discovered this during my regression tests for the jessie update. My
main worry was to have broken something, I'm glad it's not the case.
Thanks for your time!
regards,
Hugo
--
d: 43.75 MB (ratio 0.00:1)
Time: 66.032 sec (1 m 6 s)
This is reproducible with 0.101.4 in unstable (not a VM), stretch and
jessie (both VMs).
cheers,
Hugo
[0] https://www.bamsoftware.com/hacks/zipbomb/
--
latest 389-ds-base update. Did you notice anything wrong
during your tests?
Thanks!
regards,
Hugo
--
Hi,
I have ported qreator to Python 3, you can find a debdiff in attachment.
I did not test everything, so there might still be some issues around. I did
not forward it to upstream, feel free to do it if you want.
regards,
Hugo
--
val
would be a real loss for many users.
regards,
Hugo
--
Small update: I forgot to close the bug report (#932755) and did not mention
CVE-2019-5058 in debian/changelog. You can find an updated debdiff in
attachment.
cheers,
Hugo
--
Hi Fabian,
> Am Donnerstag, den 29.08.2019, 08:04 -0400 schrieb Hugo Lefeuvre:
> > Fabian (faad2 maintainer and upstream), do you want to handle this?
> > Otherwise I can NMU a second time with this patch.
>
> please go ahead with a second NMU. I am a bit short on time cu
at the same time, but for a number of reasons sdl-image1.2 was delayed)
This is essentially the same update as 1.2.12-5+deb9u2, see #936051.
thanks!
cheers,
Hugo
--
of reasons sdl-image1.2 was delayed)
thanks!
cheers,
Hugo
--
diff -Nru sdl-image1.2-1.2.12/debian/changelog sdl
ttps://launchpad.net/ubuntu/+source/faad2/2.8.8-3.1ubuntu1
> I rebased it with the upstream version
Fabian (faad2 maintainer and upstream), do you want to handle this?
Otherwise I can NMU a second time with this patch.
cheers,
Hugo
--
Hi Fabian,
> > Please let me know if you want me to change anything, otherwise I am
> > waiting for your ack to upload.
>
> Please go ahead!
OK, uploaded.
> Is the list of closed CVEs complete?
Yes, everything fixed in sid!
cheers,
Hugo
--
waiting
for your ack to upload.
regards,
Hugo
[0] https://github.com/knik0/faad2/pull/38
--
diff -Nru faad2-2.8.8/debian
ds)
> >
> > Thanks to David Fifield for reviewing the zip-bomb mitigation in
> > 0.101.3 and reporting the issue.
>
> https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html
Great! Is anybody working on 0.101.4 updates for stretch/buster? I plan to
ba
.
thanks for your work!
cheers,
Hugo
--
, the current patch is
incomplete (see upstream bug report). Upstream is actively working on a
more advanced patch.
regards,
Hugo
--
/ImageMagick6/commit/cb5ec7d98195aa74d5ed299b38eff2a68122f3fa
--
er now :)
regards,
Hugo
--
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/changelog libsdl2-image-2.0.4+dfsg1/debian/changelog
--- libsdl2-
than what he can
already do.
regards,
Hugo
--
cheers,
Hugo
--
atch which addresses the remaining issue in
IMG_xcf.c.
cheers,
Hugo
--
the information. I will update the testing NMU to address these
issues as well and perform some triage in the tracker (CVE-2019-5058 is the
same as CVE-2018-3977 and CVE-2019-5057 looks familiar as well).
regards,
Hugo
--
ttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932755
--
your work.
regards,
Hugo
--
gards,
Hugo
--
Dear SDL packages maintainers,
I have uploaded the jessie LTS update.
I will coordinate with the security team for stretch and buster fixes via
point release.
Concerning testing: can I upload the NMU?
cheers,
Hugo
--
diff -Nru libsdl2-image-2.0.1+dfsg/debian/changelog libsdl2-image-2.0.1+dfsg/debian/changelog
--- libsdl2-image-2.0.1+dfsg/debian/changelog
)
Attached is a debdiff addressing all of them for buster.
All of these patches are from upstream, I have removed whitespace changes
and non security related refactoring.
thanks!
cheers,
Hugo
--
Hi,
Sorry for overlooking this issue. This should be fixed in the next pyzor
upload, in the next few days.
Thanks for reporting this.
cheers,
Hugo
--
/share/doc/libsdl-image1.2-dev/examples/showimage.c
--
diff -Nru sdl-image1.2-1.2.12/debian/changelog sdl-image1.2-1.2.12
ry, or NMU.
cheers,
Hugo
--
a member of the
CVE-2019-12221 family, and is therefore fixed by [0].
cheers,
Hugo
[0] https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34
--
for buster and
stretch.
For testing, I suggest to package the latest upstream release. If needed, I
can provide an update with targeted fixes.
regards,
Hugo
[0] https://security-tracker.debian.org/tracker/source-package/libsdl2-image
--
buster and
stretch.
For testing, I suggest to package the latest upstream release. If needed, I
can provide an update with targeted fixes.
regards,
Hugo
[0] https://security-tracker.debian.org/tracker/source-package/sdl-image1.2
--
Source: python-slugify
Version: 3.0.2-1
Severity: grave
Hi,
autopkgtests are failing since 3.0.2-1. This is related to the
text-unidecode dependency not being satisfied (instead we use unidecode)
and might break other packages.
I'm working on it.
regards,
Hugo
--
Source: bleachbit
Version: 2.2-1
Severity: normal
Hi,
autopkgtests are failing since 2.2-1. Will be fixed in the next upload
asap.
regards,
Hugo
--
/debian-devel-announce/2019/07/msg2.html
Seems like I overlooked this. I'll prepare a small source only upload this
week so we get these changes into testing. If you want to add some more
changes from your side, just commit them on Salsa, I'll take a look at
them.
cheers,
Hugo
--
so I went along and uploaded it.
I'm not using it myself, so if you could test it a bit more in the next
days, that would be great. If there are other issues to fix I will have
time to take care of it during DebConf.
Thanks for your work.
cheers,
Hugo
--
Hi Juhani,
Thanks for working on this. I'll review your changes and upload asap.
cheers,
Hugo
--
Hi Jonatan,
thanks for the reminder. 2.2 will be available on experimental soon.
regards,
Hugo
--
Hi,
241-5 reverted the patch for this issue, so I guess this bug report should
be reopened.
Salvatore: tracker should be updated as well, right?
regards,
Hugo
--
't need to ask pre-approval for them, you can include them in the
> upload to unstable and send an updated debdiff.
Diff just landed in unstable.
thanks!
cheers,
Hugo
--
ag from this bug once the
> package is in unstable. If you want to add targeted fixes for the two other
> CVEs, you don't need to ask pre-approval for them, you can include them in the
> upload to unstable and send an updated debdiff.
Great, will do!
Thanks for your work.
cheers,
Hugo
://security-tracker.debian.org/tracker/CVE-2019-9215
[1] https://security-tracker.debian.org/tracker/CVE-2019-7314
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924655
unblock liblivemedia/2018.11.26-1.1
--
Hi Salvatore,
> CVE-2016-10745 was assigned for this issue.
Thanks for the information.
I just noticed you added CVE-2016-10745 to the tracker. I am fairly
confused, do you know why this CVE was not referenced in the tracker?
Or did you just request it?
cheers,
Hugo
--
H
> This should help confirming vulnerability in other suites.
2.7.3-1 and all later releases affected. In addition, both 2.7.3-1 and
2.8-1 are affected by the previous str.format issue[0].
[0] https://palletsprojects.com/blog/jinja-281-released/
--
p(dic) }}')
>>> t.render(dic={"x": User('joe')})
"{'SECRET_KEY': '12345'}"
Expected behaviour would be jinja2.exceptions.SecurityError.
Adapted from[0].
regards,
Hugo
[0] https://palletsprojects.com/blog/jinja-281-released/
--
aged). Those new release effectively only
> consists of the fixes for the recent CVEs. (Yes, I know that the freeze
> already started.)
Agree. I will look into it if I manage to find time for this.
thanks
regards,
Hugo
--
Hi,
> Unless a CVE affects the client part of the library, I don't think it's
> worth it. The client part is the only part used by reverse dependencies.
What do you mean exactly with client part? The affected code is located
in liveMedia/RTSPServer.cpp.
regards,
Hugo
--
.
regards,
Hugo
[0] https://security-tracker.debian.org/tracker/CVE-2019-7314
--
experimental via new upstream
release 2019.02.27-1. This is a fairly severe issue so we should
probably backport the patch to Buster as well.
regards,
Hugo
[0] https://security-tracker.debian.org/tracker/CVE-2019-9215
--
odule
Dependency of pysolfc.
--
ase/local/include/python$py_version_short$abiflags/$dist_name'
and
'$base/include/python$py_version_short$abiflags/$dist_name'
Matthias: should we open a python3-stdlib-extensions bug ? Do you think
this issue can be fixed in time for Buster or should we upload a temporary
fix for
checking
using assert(). If these assert() calls are standard ansi ones, then their
failure would stop the whole qemu process which is not exactly what we
want right?
cheers,
Hugo
--
(we did not get it back in time for the soft freeze).
There is definitely no reason why bleachbit wouldn't be included in
Buster: this issue appears to affect the stretch version, not the one
from unstable.
regards,
Hugo
--
right now. Not good during the freeze. :/
Of course I would be glad to maintain this package under the Debian Science
Team umbrella. Feel free to upload.
Thanks a lot for taking care of this issue.
Best Regards,
Hugo
--
seem to be very actively maintained and that the user
base is quite small, it is maybe better to mark this no-dsa in stretch and
jessie.
Cheers,
Hugo
[0] https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg03570.html
--
Hi,
upstream patch contains unrelated code refactoring (deduplication of the
_TargaInfo structure). I have trimmed it down so it contains only necessary
changes, you can find the modified patch in attachment (it's only a few
lines long).
cheers,
Hugo
--
Package: wnpp
Severity: wishlist
* Package name: libodpi-c
Version : 2.4.2
Upstream Author : Oracle
* URL : https://github.com/oracle/odpi/
* License : UPL + Apache
Programming Lang: C
Dependency of python-cx-oracle.
-daemon/commit/37507752fba785364b292c31e09293a33db1c983
--
< 9.0, jetty9 has <= 9.2.24).
FTR FileSessionDataStore was introduced in
fa8232d3c81608c25d9e8c66cdfe8ab7a66c892b and the vulnerable code in
54a56314627f0a2c33ca67d813e3396f6bc03274.
regards,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B