Bug#882274: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api

2017-12-09 Thread Sébastien Delafond
On Dec/09, Adam D. Barratt wrote: > For the record, reviewing the diff of the -security upload, I notice > that the change actually adds *two* runtime dependencies - the second, > which was not mentioned in this pre-approval request, nor included in > the proposed diff, being python-pastescript.

Bug#882808: construct: construct 2.8 is not compatible with 2.5.

2017-11-29 Thread Sébastien Delafond
Hi Jonathan, I have just uploaded construct/2.8.16-0.2, closing #882808, to DELAYED/10. Don't hesitate to cancel or reschedule it if you need to. Cheers, --Seb

Bug#882808: construct: construct 2.8 is not compatible with 2.5.

2017-11-27 Thread Sébastien Delafond
On Nov/26, Hilko Bengen wrote: > The plaso and dfvfs packages are maintained by me and are affected by > the API breakage. > [...] > I think I am going to package construct-legacy, based upon > . This makes the most sense: I don't think it's

Bug#879718: aptly: Aptly can't handle deb packages built using dpkg 1.19.0+

2017-11-13 Thread Sébastien Delafond
On Nov/13, Boyuan Yang wrote: > Pushing changes only into backports repository might not be enough > since the backports repository is not enabled by default. Users of > Debian Stable will still encounter this bug with default installation. > > Could you please consider pushing the changes into

Bug#879718: aptly: Aptly can't handle deb packages built using dpkg 1.19.0+

2017-11-12 Thread Sébastien Delafond
On Nov/11, Boyuan Yang wrote: > However, aptly in Stretch and Jessie are still left unfixed. Will you > backport the patch and provide stable updates later? It's already in stretch-backports, but I don't plan on doing jessie-backports. Cheers, --Seb

Bug#849634: #849634 python3-construct: New upstream version 2.8 available

2017-11-09 Thread Sébastien Delafond
Hi Jonathan, I have just uploaded construct/2.8.16-0.1 (only the new upstream version, without any changes to the packaging) to DELAYED/10. Don't hesitate to cancel or reschedule it if you need to. Cheers, --Seb

Bug#861163: 861163

2017-11-02 Thread Sébastien Delafond
Sorry, never got around to actually looking into that. At this point the best I can do is provide 1.1.1 in stretch-backports I guess...

Bug#879718: aptly: Aptly can't handle deb packages built using dpkg 1.19.0+

2017-11-02 Thread Sébastien Delafond
On Nov/02, Boyuan Yang wrote: > Control: severity -1 grave > Control: tags -1 + fixed-upstream > > Upstream now has a fix in trunk code. Just cherry-picked the fix and > confirmed that everything works well. I'm looking forward to seeing a > fixed version into Debian testing/unstable and

Bug#873088: git-annex security issue backports

2017-10-26 Thread Sébastien Delafond
On Oct/26, Antoine Beaupré wrote: > Right, how does that look then? > > https://gitlab.com/anarcat/git-annex/commit/b21ccd25ecd4cad0efcc8f4f0c94ad99ce32cd04 Nah, +deb8u1 ;) > Then I can just upload this to security-master? Yep. Cheers, --Seb

Bug#873088: git-annex security issue backports

2017-10-26 Thread Sébastien Delafond
On Oct/26, Antoine Beaupré wrote: > I have also backported joey's patch to jessie. It was simpler than > wheezy because the code is much more similar. The resulting patch is > available here: > > https://gitlab.com/anarcat/git-annex/commit/58daf6cbe4c1ea1cf71f3a538a0e27b5075c7265 > > As

Bug#878258: OVAL title field improvement

2017-10-16 Thread Sébastien Delafond
On Oct/11, Philippe Thierry wrote: > The current Debian OVAL files title field contains the reference id, > making it redundant with the reference ref_id field. As a consequence, > the resulting report doesn't show the affected software. is it > possible to show the software name in the title

Bug#872078: confirmed

2017-08-14 Thread Sébastien Delafond
Control: tag -1 confirmed Indeed, the new libconfuse in sid (3.2+dfsg-1) causes i3status to first generate this statement: internal error in cfg_init_defaults(order) After that, it will fail to parse whatever follows, for instance: * no such option 'general' Downgrading libconfuse* to

Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

2017-08-12 Thread Sébastien Delafond
On Aug/12, Thorsten Glaser wrote: > I’m attaching one for stretch, and if it pleases you, I’ll do them in > the same vein for jessie and wheezy and upload them. (As I said, they > will all look identical, the code has not changed in quite a while… > the file in question did not change *at all*,

Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

2017-08-11 Thread Sébastien Delafond
On Aug/11, Thorsten Glaser wrote: > For {,{,old}old}stable-security, this should suffice: > [...] Would you be able to produce debdiffs for jessie and stretch, so we can review them and give you the go-ahead to upload to security-master ? Cheers, --Seb

Bug#871568: Debian OVAL Files Improvement

2017-08-09 Thread Sébastien Delafond
On Aug/09, Moritz Muehlenhoff wrote: > > I wanted to ask if it would be possible for the XML files that the > > script you run will include the rating of the DSA > > advisory? > > DSA advisories intentionally don't have a severity rating and we're > not planning to add one (since the severity

Bug#864728: binary package information

2017-07-25 Thread Sébastien Delafond
Hello, have you been able to explore either of those ways ? I'd be interested in looking at what you were able to implement :) Cheers, --Seb

Bug#849634: 2.8.12

2017-07-25 Thread Sébastien Delafond
For what it's worth, a plain uscan called produced a working 2.8.12 (most recent upstream version available) package for me this morning :) Cheers, --Seb

Bug#867421: python3-certifi: missing python3 dependency

2017-07-06 Thread Sébastien Delafond
Ah, thanks a lot, I'll fix it tomorrow ! Cheers, --Seb On Jul/06, Adrian Bunk wrote: > Package: python3-certifi > Version: 2016.2.28-1 > Severity: serious > Tags: patch > > Due to a cut'n'paste error the python3 dependency is missing. > > Fix: > > --- debian/control.old2017-07-06

Bug#867278: mitmproxy: DistributionNotFound: The 'typing==3.5.2.2' distribution was not found and is required by mitmproxy

2017-07-05 Thread Sébastien Delafond
I'm in the process of packaging the latest mitmproxy and its dependencies, and this unfortunately can't quite be done atomically. In the meantime, the failing/missing dependencies in sid can be gotten from jessie; I know it's a sub-par solution, but at this point there isn't much else I can do.

Bug#867250: 867250

2017-07-05 Thread Sébastien Delafond
I'm in the process of packaging the latest mitmproxy and its dependencies, and this unfortunately can't quite be done atomically. In the meantime, the missing dependencies in sid can be gotten from jessie; I know it's a sub-par solution, but at this point there isn't much else I can do. Cheers,

Bug#725408: Debian bug #725408

2017-06-29 Thread Sébastien Delafond
On Jun/28, Nicholas D Steeves wrote: > This bug hasn't seen any activity for some time, so I thought I'd > update it for 8.2.10-1 (jessie) with emacs24-common-non-dfsg > installed. The command "info org" shows the manual for Org version > 8.2.10; however, the Emacs info mode (C-h i m org) shows

Bug#826943: patch

2017-06-22 Thread Sébastien Delafond
tag -1 + patch thanks Hello Pierre, any plans to integrate this change ? Cheers, --Seb

Bug#838561: 503 on lw07

2017-06-20 Thread Sébastien Delafond
Following up on this, the problem seems to be varnish-related; on lw07, with a curl client eventually receiving a 503, the corresponding varnishlog conversation with its apache backend looks like this: * << BeReq>> 2818775 - Begin bereq 2818774

Bug#864728: OVAL & binary packages

2017-06-20 Thread Sébastien Delafond
No real preferences, but at first glance I'd be worried about performance. The OVAL files are generated several times a day, and fetching *all* the associated information about binary packages for each vulnerability could potentially take time. I'd be willing to see a proof-of-concept, though,

Bug#864761: OVAL

2017-06-20 Thread Sébastien Delafond
Hello, thanks a lot for the patch. So, two things here: 1. the move away from minidom, which is undoubtedly a good thing. 2. switching to per-release instead of per-year, which is not as clear-cut IMO. We can do #1 right away, if you split the patch, but for #2 I'd like to hear more

Bug#862556: CVE-2017-9058

2017-05-18 Thread Sébastien Delafond
This was assigned CVE-2017-9058.

Bug#857343: #857343: logback deserialization vulnerability

2017-03-28 Thread Sébastien Delafond
On Mar/28, Markus Koschany wrote: > apparently logback < 1.2.0 is vulnerable to a deserialization issue. > They announced it on February 8th 2017 but it appears no CVE has been > assigned yet. [1] Fixing commit is at [2] The bug reporter claims it is > the same issue as CVE-2015-6420 but I cannot

Bug#856539: updating sitesummary in stable+oldstable due to regression introduced with apache update (Re: Bug#856539: jessie-pu: package sitesummary/0.1.17+deb8u2)

2017-03-19 Thread Sébastien Delafond
On Mar/18, Holger Levsen wrote: > I've done all this now. > > Will you write and send the DSA? I guess the text should basically > just be something like what we wrote in debian/changelog: > > * Adjust sitesummary-upload to use CRLF (\r\n) line endings to be compliant > with apache 2.4.25

Bug#856539: updating sitesummary in stable+oldstable due to regression introduced with apache update (Re: Bug#856539: jessie-pu: package sitesummary/0.1.17+deb8u2)

2017-03-16 Thread Sébastien Delafond
On Mar/10, Sébastien Delafond wrote: > I meant a debdiff specifically targeting jessie-security. Please > change jessie to jessie-security, set severity to high, and upload to > security-master (no source-only upload). Hi Petter, are you still planning to upload this ? Cheers, --Seb

Bug#856539: updating sitesummary in stable+oldstable due to regression introduced with apache update (Re: Bug#856539: jessie-pu: package sitesummary/0.1.17+deb8u2)

2017-03-09 Thread Sébastien Delafond
On Mar/10, Petter Reinholdtsen wrote: > The debdiff for jessie is in bts already. I meant a debdiff specifically targeting jessie-security. Please change jessie to jessie-security, set severity to high, and upload to security-master (no source-only upload). Cheers, --Seb

Bug#856539: updating sitesummary in stable+oldstable due to regression introduced with apache update (Re: Bug#856539: jessie-pu: package sitesummary/0.1.17+deb8u2)

2017-03-09 Thread Sébastien Delafond
On Mar/09, Holger Levsen wrote: > Dear security team, > > On Thu, Mar 09, 2017 at 07:20:40PM +, Adam D. Barratt wrote: > > On Thu, 2017-03-02 at 09:50 +, Holger Levsen wrote: > > > On Thu, Mar 02, 2017 at 09:12:34AM +0100, Petter Reinholdtsen wrote: > > > > Usertags: pu > > > > > > > >

Bug#856117: tnef update in unstable

2017-02-28 Thread Sébastien Delafond
Hi Kevin, those 4 security issues were fixed via DSA-3798-1 in jessie-security, by backporting the appropriate upstream changes (thanks to Thorsten for doing that). I've verified 1.4.13 only contains those security fixes, and no new major evolution or feature, so could you please prepare and

Bug#774055: tmuxp

2017-02-18 Thread Sébastien Delafond
I'll take care of packaging this. Cheers, --Seb

Bug#855142: security bug closed without fix

2017-02-15 Thread Sébastien Delafond
On Feb/16, Henri Salo wrote: > Shouldn't this be closed AFTER the fix is available? Especially since this is > a > security issue. Yes. Bastien, can you please reopen this ? Cheers, --Seb

Bug#855216: unblock: singularity-container/2.2-2

2017-02-15 Thread Sébastien Delafond
Dear Release Managers, the Security Team has reviewed the diff related to this security problem, and we support the unblock request. Cheers, --Seb

Bug#853082: dfvfs

2017-02-03 Thread Sébastien Delafond
Hello, I think this should be tracked as an upstream wishlist bug in dfvfs, so it supports construct >= 2.8.8. Do you want to file that upstream ? As for the freeze, I definitely agree python-construct 2.8.8 shouldn't enter stretch. Cheers, --Seb

Bug#852095: icicles: please migrate to emacs25 soon

2017-01-22 Thread Sébastien Delafond
On Jan/21, Rob Browning wrote: > We'd like to remove emacs24 from the archive, so please try to upgrade > to emacs25, or add optional support for emacs25 as soon as you can. > > For example, assuming the package works with emacs25, a dependency like > > emacs25-nox | emacs25 | emacs24 | ... >

Bug#851927: 851927

2017-01-19 Thread Sébastien Delafond
I see the same problem, even with --enable-remote-extensions (which seems to be about *installing* remote extensions, not enabling already-installed ones). However, my local extensions are still present (see ~/.config/chromium/Default/Extensions/*), and downgrading to the version in stretch

Bug#850176: Regression

2017-01-13 Thread Sébastien Delafond
The Security Team will issue a DSA regression update shortly. Cheers, --Seb

Bug#849849: CVE-2016-9877 / #849849 fix for Jessie

2017-01-10 Thread Sébastien Delafond
On Jan/11, Thomas Goirand wrote: > Debdiff is attached (and also available from there). Please allow me > to upload. Thanks for your contribution, please upload. Cheers, --Seb

Bug#850611: src:org-mode: Please document elpa-like snapshot date in changelog

2017-01-08 Thread Sébastien Delafond
On Jan/08, Olivier Berger wrote: > It seems that upstream's elpa or melpa provide versions of the > packages, and there, versioning is like 20161224. However there's > nothing in /usr/share/doc/org-mode/ that indicates a corresponding > date. For this, you can hit something like

Bug#849531: Possible security problem, new logwatch sends mails with charset UTF-8

2017-01-02 Thread Sébastien Delafond
On Dec/31, Willi Mann wrote: > I would like to get your input on bug #849531 [1]. > [...] > So my question is: Is it a security issue if a script sends e-mails > with encoding=utf-8, but potentially containing invalid utf-8 strings? > If yes, what would be the (minimum) requirements to address

Bug#849648: mitmproxy: Unnecessary Build-Depends on python-cffi (and broken Vcs-Git field)

2016-12-30 Thread Sébastien Delafond
On Dec/31, Carlos Maddela wrote: > Sorry, this part was my fault. Don't sweat it, your previous patches helped tremendously. > > Patches attached. I had already fixed the issue in my git tree, and am currently waiting on an extra dependency to be uploaded for sid, so that I can package

Bug#846366: ITP: bcc -- Command line tools for BPF Compiler Collection (BCC)

2016-12-30 Thread Sébastien Delafond
On Dec/29, Ritesh Raj Sarraf wrote: > I've just pushed my changes to the git repo. Could you please review > it once ? I'd like you to have your comments/feedback before we > decide on uploading it. > > Apart from the main file name change, there are other minor changes. It all looks good to

Bug#846366: ITP: bcc -- Command line tools for BPF Compiler Collection (BCC)

2016-12-29 Thread Sébastien Delafond
On Dec/29, Ritesh Raj Sarraf wrote: > I think we should stick with this proposal of appending the type along > with the name. > > 1. On autocompletions, it'd autocomplete to "execsnoop-", which is an > invalid name either way. This will expect the user to pay attention > and fire the correct

Bug#848609: python-jsbeautifier: please provide a jsbeautifier binary (using python3?)

2016-12-19 Thread Sébastien Delafond
On Dec/18, Mattia Rizzolo wrote: > common way to package python application that also ship a module would > be to put the /usr/bin/foo in a 'foo' binary, and the python module > /usr/lib/python2.7/dist-packages/foo in a 'python-foo' binary. I > believe you're also getting lintian tags for this,

Bug#846850: mitmproxy uninstallable in current Sid and soon Stretch Testing (again)

2016-12-16 Thread Sébastien Delafond
On Dec/15, Maximilian Hils wrote: > (2) mitmproxy may still be installable, but it potentially just > breaks due to backwards-incompatible changes within the dependency. > If I understand things correctly, there's no automated testing that > would alert someone in either case, so (2) may be

Bug#846850: mitmproxy uninstallable in current Sid and soon Stretch Testing (again)

2016-12-15 Thread Sébastien Delafond
On Dec/14, Maximilian Hils wrote: > Upstream here. If there's anything we can do to make your life easier, > please let us know! > > We only list known compatible versions in setup.py as we'd like to > avoid running around with the fire extinguisher every time one of our > dependencies publishes

Bug#846850: mitmproxy uninstallable in current Sid and soon Stretch Testing (again)

2016-12-14 Thread Sébastien Delafond
On Dec/13, Bob Proulx wrote: > Therefore I don't have a good idea of what to do here. I only know > that it is an impossible system. I feel certain this can't be > necessary. While I appreciate your concern, and am also pained by seeing so many versioned conflicts, what you *feel* is

Bug#831857: Security update for libupnp (CVE-2016-6255, CVE-2016-8863)

2016-12-13 Thread Sébastien Delafond
On Dec/13, Uwe Kleine-König wrote: > I had the impression that the 2nd might be bad, too. There is no > public exploit available, but AFAIK writing to unallocated memory is > dangerous? Yes, it is, you're right. But the first one is such an obvious flaw, that it doesn't require any sort of

Bug#831857: Security update for libupnp (CVE-2016-6255, CVE-2016-8863)

2016-12-13 Thread Sébastien Delafond
On Dec/13, Uwe Kleine-König wrote: > Do you consider CVE-2016-6255 and CVE-2016-8863 bad enough to make a > security update for it? If so, I suggest the following debdiff. Yes, the first one is bad, so let's fix both via a DSA. Could you please provide a debdiff with

Bug#812388: Man page

2016-12-12 Thread Sébastien Delafond
On Dec/12, Carlos Maddela wrote: > I think it would still be worth it maintaining man pages. It's much > more convenient to quickly look something up in man pages than > elsewhere, so I've taken the time to create markdown files of the > documentation, which can be converted into man pages with

Bug#846850: mitmproxy uninstallable in current Sid and soon Stretch Testing (again)

2016-12-05 Thread Sébastien Delafond
On Dec/03, Bob Proulx wrote: > By my count there are 23 "<<" dependencies in use with mitmproxy! > Wow! That is a lot of very fragile and breakage prone packages. It > is doomed to have repeated breakages in Sid and Testing as those > modules get uploaded. It isn't a good way to do things.

Bug#846366: ITP: bcc -- Command line tools for BPF Compiler Collection (BCC)

2016-11-30 Thread Sébastien Delafond
Hi Ritesh, I agree with you, there is no reason we can't coexist :) However, perf-tools-unstable doesn't seem to be much more updated these days, and it sorta worries me, especially since Brendan Gregg mentions on his blog that bcc seems to be the future: in that light, do you still see a need

Bug#845059: python-fuse: Please provide a debug package

2016-11-22 Thread Sébastien Delafond
As I was looking into adding an explicit python-fuse-dbg package, I recalled that with recent versions of dh, -dbgsym packages are automatically provided on debug.mirrors.debian.org. See: https://wiki.debian.org/AutomaticDebugPackages

Bug#843687: mitmproxy: FTBFS: AttributeError: 'module' object has no attribute 'SSL_ST_INIT'

2016-11-09 Thread Sébastien Delafond
On Nov/09, Chris Lamb wrote: > > mitmproxy builds fine in an up-to-date sid amd64 chroot here. How can I > > reproduce your problem ? > > How up-to-date? :) I've just updated mine (again) and it fails with the same > error. tag 843687 + confirmed You're right, I just tried it this morning, and

Bug#843687: mitmproxy: FTBFS: AttributeError: 'module' object has no attribute 'SSL_ST_INIT'

2016-11-09 Thread Sébastien Delafond
Hi, mitmproxy builds fine in an up-to-date sid amd64 chroot here. How can I reproduce your problem ? Cheers, --Seb On Nov/08, Chris Lamb wrote: > Source: mitmproxy > Version: 0.18.1-2 > Severity: serious > Justification: fails to build from source > User:

Bug#842016: brotli: New version available upstream

2016-10-26 Thread Sébastien Delafond
On Oct/25, Tomasz Buchert wrote: > Hmm, where did you find the version 0.6.0? I see only 0.5.2 which I've > just uploaded and which should be good enough for you. Let me know if > you have problems. I see 0.6.0 here: https://pypi.python.org/pypi/brotlipy/0.6.0. But 0.5.2 will do just fine indeed

Bug#835725: #835725

2016-09-29 Thread Sébastien Delafond
python-netlib is now part of the mitmproxy source, and will disappear from unstable once a newer mitmproxy is packaged and uploaded. Cheers, --Seb

Bug#832908:

2016-08-02 Thread Sébastien Delafond
FWIW, the vendor has closed https://jira.mongodb.org/browse/SERVER-25335 with "Works as Designed". If someone wants to follow up on explaining to mongodb upstream why umask shouldn't prevent them from applying proper permissions where needed, they're welcome to do so. ssh-keygen(1) would be a

Bug#829288: org-mode & dh_elpa

2016-07-13 Thread Sébastien Delafond
tag 829288 - pending thanks As this is not as straightforward as it originally looked, I'm removing the pending tag: the packaging of org-mode in Debian doesn't use the version in ELPA, but instead uses an upstream tarball that doesn't include the non-DFSG-compatible documentation. The package

Bug#829588: org-mode: freemind exporter not activated/installed

2016-07-04 Thread Sébastien Delafond
On Jul/04, Arnaud Legrand wrote: > the /usr/share/org-mode/lisp/ox-freemind.el exporter shipped with > org-mode is not installed in /usr/share/emacs24/site-lisp/org-mode. As > a consequence a (require 'ox-freemind) fails and does not allow to > easily benefit from this exporter. Once a symbolic

Bug#738199: Progress

2016-07-04 Thread Sébastien Delafond
A quick note to report progress on this issue. I'm having a hard time working with CVS after such a long time, so I've set up a git repository for the oval generator: https://github.com/sdelafond/debian-oval I started with Nicholas' parseJSON2Oval.py, and am making progress toward aggregating

Bug#829288: please convert org-mode to use dh_elpa

2016-07-01 Thread Sébastien Delafond
tags + 829288 confirmed pending thanks Excellent suggestion, thanks: I'll convert it this week. Cheers, --Seb On Jul/02, Sean Whitton wrote: > Source: org-mode > Severity: wishlist > Version: 8.3.4-1 > > Dear maintainer, > > It would be great if you could convert org-mode to use the new

Bug#806635: Man page

2016-07-01 Thread Sébastien Delafond
Upstream doesn't provide a manpage, and is not interested in one; as I don't have the bandwidth to maintain it on my own, I think it should just be dropped from the Debian package: it's worse to have a non accurate manpage than none at all. Unless someone strongly disagrees, I'll do this next

Bug#823353: mitmproxy: Does not work with netlib 0.15

2016-05-09 Thread Sébastien Delafond
Hi Mathias, any chance you can send your full list of dependencies like I asked in the previous message ? Otherwise I'll close this bug, as I really cannot reproduce it. Cheers, --Seb

Bug#823353: mitmproxy: Does not work with netlib 0.15

2016-05-04 Thread Sébastien Delafond
tag 823353 + moreinfo It certainly works fine here, with the following list of dependencies (provided by reportbug): Versions of packages mitmproxy depends on: ii python-blinker 1.3.dfsg2-1 ii python-click 6.2-2 ii python-configargparse 0.10.0-2 ii

Bug#819496: #819496

2016-04-04 Thread Sébastien Delafond
By default ~/.local seems to be 700, so I don't think you're correct in assuming anyone can read ~/.local/share/clipit/history. Am I missing something ? Cheers, --Seb

Bug#815402: org-mode: * [[shell:cat ~/tmp | grep "asdf :: "]] does not work.

2016-02-21 Thread Sébastien Delafond
Hi Josef, thanks for your report. As this seems to be a pure upstream problem, could you please follow up on it using the org-mode mailing list[0] ? Once that's done, feel free to add a link to your post in the Debian BTS. Cheers, --Seb

Bug#815406: org-mode: "No link found" for after <2016-02-21 Sun>

2016-02-21 Thread Sébastien Delafond
Hi Josef, thanks for your report. As this seems to be a pure upstream problem, could you please follow up on it using the org-mode mailing list[0] ? Once that's done, feel free to add a link to your post in the Debian BTS. Cheers, --Seb

Bug#801413: wheezy: update for polarssl's CVE-2015-5291

2016-02-06 Thread Sébastien Delafond
On Feb/06, Guido Günther wrote: > > A few things on the debdiff you just posted: > > - The attachment came though in ISO-8859-1 instead of UTF-8 and > >   lintian didn't like it. Hopefully the file is ok on your machine > >   though. > > - I think the ssl-server-test needs an 'isolation-container'

Bug#801413: wheezy: update for polarssl's CVE-2015-5291

2016-02-06 Thread Sébastien Delafond
On Feb/06, Guido Günther wrote: > Attached. I've trimmed the CC: list a little to reduce the noise. Feel > free to readd lists as you see fit. All good, please upload. Cheers, --Seb

Bug#801413: wheezy: update for polarssl's CVE-2015-5291

2016-02-01 Thread Sébastien Delafond
On Jan/31, Guido Günther wrote: > Uploaded now. Thanks! Hi Guido, have you looked into fixing the jessie version (1.3.9-2.1) as well ? If not, I'll need to look into it later this week, so that a DSA for CVE-2015-5291 fixes both wheezy and jessie. Cheers, --Seb

Bug#801413: wheezy: update for polarssl's CVE-2015-5291

2016-01-31 Thread Sébastien Delafond
On Jan/29, Sébastien Delafond wrote: > thanks for the debdiff. It looks OK, so feel free to upload it. Once > that's done, I'll release the DSA. Hi Guido, are you still willing to upload polarssl to security-master ? :) Cheers, --Seb

Bug#812410: 812410

2016-01-30 Thread Sébastien Delafond
I think we'd want to make tracker_server aware of the not-affected status, but I'll wait for a second opinion... Cheers, --Seb

Bug#801413: wheezy: update for polarssl's CVE-2015-5291

2016-01-29 Thread Sébastien Delafond
Hi Guido, thanks for the debdiff. It looks OK, so feel free to upload it. Once that's done, I'll release the DSA. Cheers, --Seb On Jan/23, Guido Günther wrote: > Hi, > I've forward ported Thorsten's fix for squeeze to wheezy and added some > autopkgtest (debdiff attached). Please find the

Bug#809844: sosreport: Please backport CVE-2015-7529 to the stable release

2016-01-05 Thread Sébastien Delafond
On Jan/05, Louis Bouchard wrote: > I'm fine with backporting the fix; matter of fact, I was preparing an > email to the security team with the debdiff so the backport is ready. > > Now how do I know about the release managers being OK for inclusion ? Sorry, I should have included that

Bug#809844: sosreport: Please backport CVE-2015-7529 to the stable release

2016-01-05 Thread Sébastien Delafond
On Jan/04, Louis Bouchard wrote: > Package: sosreport > Version: 3.2-2 > Severity: critical > Tags: security > Justification: root security hole This issue is marked "no-dsa" in the security tracker[1] (because it is mitigated by the use of fs.protected_symlinks). It could, however, possibly be

Bug#738199: 738199 - Working Solution

2015-11-27 Thread Sébastien Delafond
Hi Nicholas, sorry for the long delay in getting back to you on this topic. I finally set aside the time to go through your work, and it's quite impressive. I'll need to do a bit more testing, but we should be able to integrate your contribution into the security repository, and use that to

Bug#803943: libhtml-scrubber-perl: CVE-2015-5667: cross-site scripting vulnerability in comments

2015-11-03 Thread Sébastien Delafond
On Nov/03, Niko Tyni wrote: > Security team: could you please add this bug number to the tracker? done. > I assume this is to be handled via stable updates rather than DSAs? I don't think this warrants a DSA, so I'll mark it no-dsa as well in the tracker. If some other team member disagrees,

Bug#801837: ITP: yank -- interactively select and yank terminal output to stdout or xsel

2015-10-16 Thread Sébastien Delafond
On Oct/15, Jakub Wilk wrote: > Please talk to upstream (or maybe to both upstreams) before renaming > anything. > [...] > Eeek... https://lists.debian.org/20070428095345.ga9...@kunpuu.plessy.org The package is already in NEW, and contains /usr/bin/yank-cli. I'll add a note to README.Debian about

Bug#801837: ITP: yank -- interactively select and yank terminal output to stdout or xsel

2015-10-15 Thread Sébastien Delafond
On Oct/15, Jakub Wilk wrote: > Sounds very cool, but apt-file tells me this name is already taken: > > emboss: /usr/bin/yank I think I'll keep the package name, but I'll install the binary itself under some other name, maybe something like /usr/bin/yank-cli ? Cheers, --Seb

Bug#801371: mitmproxy broken: netlib 0.12 is required

2015-10-09 Thread Sébastien Delafond
Hello, no clue how this happened, as I do have an upload marker for it: ../build-area/python-netlib_0.12.1-1_amd64.ftp-master.upload Anyway, I've re-uploaded it, so this should be fixed soon. Cheers, --Seb On Oct/09, Dominique Dumont wrote: > Package: mitmproxy > Version: 0.12.1-1 >

Bug#801371: mitmproxy broken: netlib 0.12 is required

2015-10-09 Thread Sébastien Delafond
On Oct/09, Dominique Dumont wrote: > > Anyway, I've re-uploaded it, so this should be fixed soon. > > Hum, yes. But I should not have been able to install mitmproxy in the > first place. > > You should express this dependency in the control file. Yes, this was taken care of this morning in

Bug#800760: ITP: python-certifi -- collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts

2015-10-03 Thread Sébastien Delafond
On Oct/03, peter green wrote: > If you do that please be sure to make it clear in the package > description what the Debian version of the package returns (the > proposed description in the ITP suggests that the package will return > the list of certs from python-certifi upstream). I described

Bug#800607: mitmproxy: Upstream version is 0.13

2015-10-01 Thread Sébastien Delafond
block 800607 by 789783 thanks Hi Gianfranco, your need for 0.13 was duly noted the first time, however there is unfortunately a good reason I only uploaded 0.12: I'll have to patch the 0.13 source before I can get it into unstable. All the gritty details can be found in #789783[1]. Cheers,

Bug#738199: 738199

2015-09-29 Thread Sébastien Delafond
The clean solution these days seems to be about querying the tracker via the JSON entrypoint. It exposes that info, and avoids relying directly on {CVE,DSA}/list. Modifying the DSA format itself is a bit involved, and could have potentially far reaching consequences. After researching information

Bug#796684: aptly: command 'repo import' doesn't work

2015-08-31 Thread Sébastien Delafond
tag 796684 + moreinfo thanks Hi Thomas, could you please describe the exact set of commands you tried, and what they did or did not do with regard to the results you were expecting ? Cheers, --Seb On Aug/23, Thomas Schlegel wrote: > Package: aptly > Version: 0.9.5-2 > Severity: normal > > >

Bug#789783: New dependency for 0.13.1

2015-08-28 Thread Sébastien Delafond
retitle 789783 Upstream version is 0.13.1 thanks It appears python-netlib 0.13.1 now depends on certifi[1]. Debian already ships up-to-date root certs, so I'm not sure this is a good idea to package this. OTOH, I'm not really looking forward to maintaining a patched version of python-netlib that'd

Bug#796108: [PKG-Openstack-devel] Bug#796108: CVE-2015-5694 CVE-2015-5695

2015-08-25 Thread Sébastien Delafond
On Aug/21, Thomas Goirand wrote: Should I prepare a security upload for Jessie, or do it through the release team oversight? Hi Thomas, CVE-2015-5695 is not that severe, so this should go through a PU request. I'll mark the issue as no-dsa in the tracker. Cheers, --Seb

Bug#789782: Good progresses for mitmproxy!

2015-08-11 Thread Sébastien Delafond
On Aug/11, Gianfranco Costamagna wrote: I don't think the blocking of 789782 by 794752 is correct: Aldo Cortesi confirmed that 1.6.1 would do the job fine, so the only thing left to get updated in sid is python-urwid (#789767). Please note that I will need at least 0.13 version if

Bug#789782: Good progresses for mitmproxy!

2015-08-10 Thread Sébastien Delafond
On Aug/06, Gianfranco Costamagna wrote: I opened an issue about python-passlib, since it is good to update it anyway. I don't think the blocking of 789782 by 794752 is correct: Aldo Cortesi confirmed that 1.6.1 would do the job fine, so the only thing left to get updated in sid is python-urwid

Bug#738199: 738199

2015-08-10 Thread Sébastien Delafond
On Aug/04, Nicholas Luedtke wrote: Is this still an ongoing issue? As I am looking at bringing the MITRE Oval Interpreter (ovaldi) up to speed for Debian (by modifying and packaging) I am noticing that there have been no OVAL Definitions from Debian for quite some time. I can put forth some

Bug#789713: [PKG-Openstack-devel] Bug#789713: neutron: CVE-2015-3221: L2 agent DoS through incorrect allowed address pairs

2015-06-24 Thread Sébastien Delafond
On Jun/24, Thomas Goirand wrote: I have prepared an update for Neutron in Jessie over here: http://sid.gplhost.com/jessie-proposed-updates/neutron/ https://security-tracker.debian.org/tracker/CVE-2015-3221 indicates neutron in jessie is not vulnerable, since the ipset code was introduced

Bug#789782: Acknowledgement (mitmproxy: Upstream version is 0.12.1)

2015-06-24 Thread Sébastien Delafond
- python-hpack Not in Debian yet, see #789781. --Seb

Bug#787100: [Pkg-javascript-devel] Bug#787100: libjs-jquery-ui: Security patch CVE-2010-5312 breaks ui dialog

2015-06-01 Thread Sébastien Delafond
Thanks for the report. It will be fixed this week. Cheers, --Seb On May/28, Antonino Murador wrote: Package: libjs-jquery-ui Version: 1.8.ooops.21+dfsg-2+deb7u1 Severity: grave Tags: patch Dear Maintainer, After upgrading from version 1.8.ooops.21+dfsg-2 to

Bug#784317: Bug#787319: ITP: configargparse -- replacement for argparse with config files and environment variables support

2015-06-01 Thread Sébastien Delafond
On Jun/01, Francois Marier wrote: I've already submitted my package [1] to NEW and so given the amount of time it takes these days to go through that, I would suggest keeping it there. However, if Sebastien wants to take it over from me after it's accepted (and even replace it with his own

Bug#783237: CVE-2014-9462

2015-05-06 Thread Sébastien Delafond
On May/06, Javi Merino wrote: I've prepared an upload for wheezy-security, find the diff below. Can I upload it to security-master? It looks fine to me. This one will need -sa as well. Cheers, --Seb

Bug#784303: mitmproxy: missing dependencies on python-configargparse, python-tornado = 4.0.2, python-netlib = 0.11.2

2015-05-06 Thread Sébastien Delafond
tag 784303 + confirmed block 784303 779035 thanks Ouch. I've ITP'ed python-configargparse, and will follow up on the python-tornado front. In the meantime, the version in testing is the best fallback option. Cheers, --Seb On May/04, Vagrant Cascadian wrote: Package: mitmproxy Version:

Bug#758086: CVE-2014-3577: Apache HttpComponents hostname verification bypass

2015-04-15 Thread Sébastien Delafond
On Apr/15, Markus Koschany wrote: I have prepared a patch for CVE-2014-3577 (commons-httpclient). [1] The patch is identical to the Jessie / Sid fix. Do you consider this vulnerability important enough for a DSA or do you prefer a point release update? Hi Markus, this issue was marked no-dsa