Bug#949711: Build-depends on sgmltools-lite, which is being removed

2020-01-23 Thread Moritz Muehlenhoff
Source: aboot Severity: serious sgmltools-lite is scheduled for removal and aboot is the last package build depending on it. There hasn't been any aboot upload since 2013 and it's RC-buggy for a long time, should we simply remove it? Cheers, Moritz

Bug#942146: koji: CVE-2019-17109

2020-01-23 Thread Moritz Muehlenhoff
On Thu, Jan 23, 2020 at 04:37:15PM +, Holger Levsen wrote: > Hi Salvatore, > > On Sun, Jan 05, 2020 at 09:02:20PM +0100, Salvatore Bonaccorso wrote: > > Any news on this issue? AFAICT, the issue is fixed as well in 1.16.3, > > so the smaller jump should be possible. Once fixed in unstable, can

Bug#946921: Project abandoned

2019-12-17 Thread Moritz Muehlenhoff
Source: rust-spin Severity: serious https://rustsec.org/advisories/RUSTSEC-2019-0031.html was issued to flag that rust-spin development has stopped. I suppose that means it should not enter bullseye / should get removed. Cheers, Moritz

Bug#885505: bumping severity of pygtk bugs

2019-12-11 Thread Moritz Muehlenhoff
On Wed, Dec 11, 2019 at 09:52:15AM +0100, Thibaut Paumard wrote: > Le 10/12/2019 à 19:59, Moritz Mühlenhoff a écrit : > > On Mon, Oct 07, 2019 at 04:51:09PM +0200, Thibaut Paumard wrote: > >> Dear Jeremy, > >> > >> Thanks, I have warned upstream that spydr will be removed if not updated > >> to Pyt

Bug#946183: Should fusionforge be removed?

2019-12-04 Thread Moritz Muehlenhoff
Source: fusionforge Severity: serious There hasn't been an upload in two years, and fusionforge missed the last two stable releases and has gathered five RC bugs at this point. Should it be removed? Cheers, Moritz

Bug#944628: Drop build dep on monotone

2019-11-12 Thread Moritz Muehlenhoff
Package: bugs-everywhere Severity: serious Hi Antoine, monotone is getting removed from Debian, can you please drop the build dep on monotone in bugs-everywhere? (It seems unused anyway, as test_usage.sh doesn't cover it). Cheers, Moritz

Bug#943985: Depends on volti, which is scheduled for removal

2019-11-01 Thread Moritz Muehlenhoff
Package: parl-desktop Severity: serious volti is scheduled for removal from the archive, the dependency needs to be removed.

Bug#943976: Should smart be removed?

2019-11-01 Thread Moritz Muehlenhoff
Source: smart Severity: serious Should smart be removed? It depends on Python 2 and pygtk, which are going away, and it's dead upstream (last release from 2011). Cheers, Moritz

Bug#943930: Should cvc3 be removed?

2019-10-31 Thread Moritz Muehlenhoff
Source: cvc3 Severity: serious Should cvc3 be removed? It's unmaintained (the last maintainer upload is from 2014 and the maintainer is also one of the authors) and has FTBFSed for 1.5 years. Cheers, Moritz

Bug#943899: Should ndisgtk be removed?

2019-10-31 Thread Moritz Muehlenhoff
Package: ndisgtk Severity: serious Should ndisgtk be removed? It's dead upstream (no release for 10 years) and depends on outdated stacks scheduled for removal (python 2, pygtk). Cheers, Moritz

Bug#942851: perl-modules-5.30: CPAN.pm is insecure by default, no warnings

2019-10-23 Thread Moritz Muehlenhoff
On Wed, Oct 23, 2019 at 10:20:04PM +0300, Niko Tyni wrote: > Control: reassign -1 src:perl > Control: found -1 5.20.2-3 > > On Tue, Oct 22, 2019 at 12:36:14PM +0200, Vincent Lefevre wrote: > > Package: perl-modules-5.30 > > Version: 5.30.0-8 > > Severity: grave > > Tags: security > > Justification

Bug#942895: CVE-2019-18224

2019-10-22 Thread Moritz Muehlenhoff
Source: libidn2 Severity: grave Tags: security This was assigned CVE-2019-18224: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420 Patch: https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c Cheers, Moritz

Bug#942830: CVE-2019-18218

2019-10-22 Thread Moritz Muehlenhoff
Package: file Severity: grave Tags: security This was assigned CVE-2019-18218: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16780 https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84 Cheers, Moritz

Bug#942831: CVE-2019-18217

2019-10-22 Thread Moritz Muehlenhoff
Source: proftpd-dfsg Severity: grave Tags: security This was assigned CVE-2019-18217: https://github.com/proftpd/proftpd/commit/13fe9462787b9a551152162f46f1641d65fe4df4 https://github.com/proftpd/proftpd/issues/846 Cheers, Moritz

Bug#942315: tcpdump: Version in oldoldstable is higher than oldstable and stable

2019-10-17 Thread Moritz Muehlenhoff
On Wed, Oct 16, 2019 at 11:59:07PM +0200, Romain Francoise wrote: > On Wed, Oct 16, 2019 at 9:48 PM Salvatore Bonaccorso > wrote: > > Ideally given the issues are denial of service issues, this would have > > been okay via a point release. But we discussed this coincidentally in > > the team conc

Bug#942270: task-spanish depends on removed manpages-es

2019-10-13 Thread Moritz Muehlenhoff
Source: tasksel Severity: grave task-spanish depends on manpages-es, which has been removed from the archive. Cheers, Moritz

Bug#942191: Depends on qt4

2019-10-11 Thread Moritz Muehlenhoff
Source: hachoir-metadata Severity: serious hachoir-metadata build-depends on python-qt4, which is being removed from the archive along with Qt4 soon. Cheers, Moritz

Bug#942165: CVE-2019-14857

2019-10-11 Thread Moritz Muehlenhoff
Package: libapache2-mod-auth-openidc Severity: grave Tags: security Please see: https://groups.google.com/forum/#!topic/mod_auth_openidc/boy1Ba3Gdk4 https://github.com/zmartzone/mod_auth_openidc/commit/5c15dfb08106c2451c2c44ce7ace6813c216ba75 https://github.com/zmartzone/mod_auth_openidc/commit/c

Bug#941527: Build-depends on Qt4

2019-10-01 Thread Moritz Muehlenhoff
Source: matplotlib Severity: serious matplotlib build-depends on python3-pyqt4 (built from src:python-qt4), which is being removed along with Qt4 itself now. Given that matplotlib only has a run-time Suggests: on python3-pyqt4, this is probably optional and can simply be disabled. Cheers,

Bug#941376: Should monotone be removed?

2019-09-29 Thread Moritz Muehlenhoff
Source: monotone Severity: serious Should monotone be removed? Dead upstream, last upload three years ago and removed from testing for 1.5 years. Cheers, Moritz

Bug#875150: Should we file a removal bug?

2019-09-25 Thread Moritz Muehlenhoff
On Wed, Sep 25, 2019 at 07:57:47AM +0200, Andreas Tille wrote: > Hi, > > On Tue, Sep 24, 2019 at 10:48:24PM +0200, Moritz Mühlenhoff wrote: > > On Tue, Sep 17, 2019 at 12:05:17PM -0300, Lisandro Damián Nicanor Pérez > > Meyer wrote: > > > Hi! It seems there is no activity on this bug, should we f

Bug#875195: marked as pending in stretchplayer

2019-09-18 Thread Moritz Muehlenhoff
Control: tag -1 pending Hello, Bug #875195 in stretchplayer reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at: https://salsa.debian.org/multimedia-team/stretchplayer/commit/3e9e49170009755

Bug#875195: [stretchplayer] Future Qt4 removal from Buster

2019-09-18 Thread Moritz Muehlenhoff
On Wed, Sep 18, 2019 at 02:44:49PM -0300, Lisandro Damián Nicanor Pérez Meyer wrote: > Hi! > > El mié., 18 sep. 2019 13:18, Reiner Herrmann escribió: > > > Control: tags -1 + patch > > > > Dear maintainers, > > > > porting stretchplayer to Qt5 was straightforward. > > You can find a merge reque

Bug#851774: fixed in apt-setup 1:0.151

2019-09-09 Thread Moritz Muehlenhoff
On Fri, Aug 16, 2019 at 09:10:50AM +0200, Moritz Muehlenhoff wrote: > > Many thanks, I'll be submitting a buster-pu bug accordingly. I wouldn't > > mind an extra confirmation after it's been published in a point release > > (peace of mind and all that). > &

Bug#899241: marked as pending in mustang-plug

2019-09-04 Thread Moritz Muehlenhoff
Control: tag -1 pending Hello, Bug #899241 in mustang-plug reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at: https://salsa.debian.org/multimedia-team/mustang-plug/commit/986103d6b54147b87

Bug#874862: cppreference-doc: diff for NMU version 20170409-1.1

2019-09-02 Thread Moritz Muehlenhoff
On Mon, Sep 02, 2019 at 11:14:38PM +0300, Povilas Kanapickas wrote: > Thanks a lot! > > I was waiting for my usual sponsors to sponsor a new version of > cppreference-doc [1] that contains this fix too, but they haven't > replied yet. Ah, sorry. I wasn't aware of the package on mentors.debian.net

Bug#936025: CVE-2019-15553

2019-08-29 Thread Moritz Muehlenhoff
Source: rust-memoffset Severity: grave Tags: security Please see https://rustsec.org/advisories/RUSTSEC-2019-0011.html Cheers, Moritz

Bug#935736: Drop dependency on automoc

2019-08-25 Thread Moritz Muehlenhoff
Package: kde-sc-dev-latest Severity: serious All reverse dependencies of automoc have been dropped, but kde-sc-dev-latest still depends on it, blocking its removal. Cheers, Moritz

Bug#935333: Should hgview be removed?

2019-08-21 Thread Moritz Muehlenhoff
Source: hgview Severity: serious Should hgview be removed? - Last maintainer upload in 2015 - Current upstream releases still depend on Python Qt4, which is scheduled for removal - Dropped from testing for almost two years, three RC bugs at this point Cheers, Moritz

Bug#934935: Should docbook2odf be removed?

2019-08-16 Thread Moritz Muehlenhoff
Package: docbook2odf Severity: serious Should docbook2odf be removed? It's unmaintained (last maintainer upload in 2007), last upload in 2010 and has been dropped from testing for three years now. Cheers, Moritz

Bug#934887: CVE-2019-9512 CVE-2019-9514 CVE-2019-9515

2019-08-16 Thread Moritz Muehlenhoff
Source: trafficserver Severity: grave Tags: security ATS is affected by three of the recently announced HTTP2 issues: https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.4 Cheers, Moritz

Bug#934886: CVE-2019-9512 CVE-2019-9514 CVE-2019-9515

2019-08-16 Thread Moritz Muehlenhoff
Source: h2o Severity: grave Tags: security h2o is affected by three of the recently announced HTTP2 issues: https://github.com/h2o/h2o/issues/2090 Cheers, Moritz

Bug#934885: August 2019 security release

2019-08-16 Thread Moritz Muehlenhoff
Package: nodejs Severity: grave Tags: security nodejs is affected by some of the recently announced HTTP2 issues: https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/ https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md Cheers, Mori

Bug#851774: fixed in apt-setup 1:0.151

2019-08-16 Thread Moritz Muehlenhoff
On Thu, Aug 15, 2019 at 04:25:53PM +0200, Cyril Brulebois wrote: > Hi, > > Moritz Muehlenhoff (2019-07-17): > > On Fri, Jul 12, 2019 at 09:07:45AM +, Cyril Brulebois wrote: > > > apt-setup (1:0.151) unstable; urgency=medium > > > . > > >[ Mori

Bug#934319: CVE-2019-10181 CVE-2019-10182 CVE-2019-10185

2019-08-09 Thread Moritz Muehlenhoff
Source: icedtea-web Severity: grave Tags: security Please see https://www.openwall.com/lists/oss-security/2019/07/31/2 Cheers, Moritz

Bug#934248: Should this package be removed?

2019-08-08 Thread Moritz Muehlenhoff
Package: manpages-es Severity: serious The last release of manpages-es was in 2005 and the last upload in 2011. As already pointed out in #860177, the translations are consequentially very outdated, I did some random sampling and e.g - For a basic command like mkdir(1) in Spanish only documents

Bug#934026: python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235

2019-08-08 Thread Moritz Muehlenhoff
On Thu, Aug 08, 2019 at 02:16:29PM +0100, Chris Lamb wrote: > Hi Moritz, > > > > > > Security team (added to CC), would you be interested in uploads for > > > > > buster (currently 1:1.11.22-1~deb10u1) and stretch (currently > > > > > 1:1.10.7-2+deb9u5)? > […] > > I just realised that there's a 1.

Bug#934026: python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235

2019-08-08 Thread Moritz Muehlenhoff
On Thu, Aug 08, 2019 at 11:02:48AM +0100, Chris Lamb wrote: > Hi Sébastien, > > > > Security team (added to CC), would you be interested in uploads for > > > buster (currently 1:1.11.22-1~deb10u1) and stretch (currently > > > 1:1.10.7-2+deb9u5)? > […] > > yes, thank you. Can you email us debdiffs

Bug#934026: python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235

2019-08-08 Thread Moritz Muehlenhoff
On Thu, Aug 08, 2019 at 11:22:37AM +0100, Chris Lamb wrote: > Moritz Muehlenhoff wrote: > > > > I mention it specifically as I'm not 100% confident this is correct > > > and Lintian somewhat-correctly complained about a "missing" version > > &

Bug#934026: python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235

2019-08-08 Thread Moritz Muehlenhoff
On Thu, Aug 08, 2019 at 11:02:48AM +0100, Chris Lamb wrote: > Hi Sébastien, > > > > Security team (added to CC), would you be interested in uploads for > > > buster (currently 1:1.11.22-1~deb10u1) and stretch (currently > > > 1:1.10.7-2+deb9u5)? > […] > > yes, thank you. Can you email us debdiffs

Bug#933883: Should zope2.13 be removed?

2019-08-04 Thread Moritz Muehlenhoff
Source: zope2.13 Severity: serious Should zope2.13 be removed? - Unmaintained (last upload in 2014) - FTBFS for a long time, missed two stable releases Cheers, Moritz

Bug#933882: Should percona-xtrabackup be removed?

2019-08-04 Thread Moritz Muehlenhoff
Source: percona-xtrabackup Severity: serious Should percona-xtrabackup be removed? - Unmaintained (last maintainer upload in 2014) - FTBFS with GCC 6 and later (#811896) and #917583 - Missed two stable releases because of that - Broken with current Mariadb (#903043) - Replacement exists (mariabac

Bug#933035: dmtcp: Should this package be removed?

2019-07-25 Thread Moritz Muehlenhoff
Source: dmtcp Severity: serious The last upload was in 2014 and it's RC-buggy for a long time, it missed two stable releases already. Cheers, Moritz

Bug#851774: fixed in apt-setup 1:0.151

2019-07-17 Thread Moritz Muehlenhoff
On Fri, Jul 12, 2019 at 09:07:45AM +, Cyril Brulebois wrote: > apt-setup (1:0.151) unstable; urgency=medium > . >[ Moritz Mühlenhoff ] >* When preseeding a local repository via apt-setup/localX/repository, > the repository key for Secure Apt needs to be configured with > apt

Bug#931932: CVE-2019-13574

2019-07-12 Thread Moritz Muehlenhoff
Package: ruby-mini-magick Severity: grave Tags: security Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13574 Cheers, Moritz

Bug#931625: redis: CVE-2019-10192 CVE-2019-10193

2019-07-10 Thread Moritz Muehlenhoff
On Wed, Jul 10, 2019 at 10:52:11AM -0300, Chris Lamb wrote: > [Adding t...@security.debian.org to CC] > > Hi, > > > redis: CVE-2019-10192 CVE-2019-10193 > > These has been fixed everywhere apart from stretch and buster. Would > you like uploads for these distributions? Yes, please, we should fi

Bug#908678: Update on the security-tracker git discussion

2019-07-02 Thread Moritz Muehlenhoff
On Tue, Jul 02, 2019 at 01:25:43PM +0200, Salvatore Bonaccorso wrote: > p.s.: Question is if we should do a split as well for the other types of > files which are supported (DSA, TDSA, ...) while at it. We can axe out DTSA/* while we're at it. For DSA/list (and DLA/list) we can initially ke

Bug#929781: rkt: CVE-2019-10144 CVE-2019-10145 CVE-2019-10147

2019-06-18 Thread Moritz Muehlenhoff
On Tue, Jun 18, 2019 at 05:35:55PM +1000, Dmitry Smirnov wrote: > I would reclassify those vulnerabilities with lesser severity to avoid > removal from Buster. That's certainly possible, but there's still the bigger issue that the project seems unmaintained. None of the developers even acknowled

Bug#927159: libqb: CVE-2019-12779: Insecure Temporary Files

2019-06-17 Thread Moritz Muehlenhoff
On Mon, Jun 17, 2019 at 12:52:54AM +0200, wf...@niif.hu wrote: > Dear Security Team, > > I'm ready to upload libqb-1.0.1-1+deb9u1 with the following debdiff: > > diff -Nru libqb-1.0.1/debian/changelog libqb-1.0.1/debian/changelog > --- libqb-1.0.1/debian/changelog 2016-12-07 14:55:45.000

Bug#930356: CVE-2019-12760

2019-06-11 Thread Moritz Muehlenhoff
Source: parso Severity: grave Tags: security Please see https://bugzilla.redhat.com/show_bug.cgi?id=1718212 Patch is at https://gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7 Cheers, Moritz

Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

2019-05-26 Thread Moritz Muehlenhoff
Source: freeimage Severity: grave Tags: security Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12211 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12212 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12213 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-

Bug#915128: Don't include in buster

2019-05-21 Thread Moritz Muehlenhoff
On Tue, May 21, 2019 at 12:08:45PM -0400, Boyuan Yang wrote: > On Fri, 30 Nov 2018 19:51:20 +0100 Moritz Muehlenhoff wrote: > > Source: swftools > > Severity: serious > > > > swftools is orphaned for a year, dead upstream and has frequent security > > issues. A

Bug#921952: [Pkg-sass-devel] Bug#921952: Don't include in buster without proper commitment to update in stable

2019-05-21 Thread Moritz Muehlenhoff
On Tue, May 21, 2019 at 10:01:55AM +0200, Aljoscha Lautenbach wrote: > Hi, > > On Mon, 20 May 2019 at 23:11, Moritz Mühlenhoff wrote: > > What's considered needed is that someone should actually look through > > https://security-tracker.debian.org/tracker/source-package/libsass and > > triage/fix

Bug#929067: Support for MDS

2019-05-16 Thread Moritz Muehlenhoff
Package: qemu-system-x86 Severity: grave Tags: security These are not upstreamed due to the embargo period, but I'm attaching the 3.1 patches from Ubuntu 19.04. Cheers, Moritz >From a57fa50701c6a0fbe5ac7dbcc314c3c970bff899 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Fri, 1 Mar 201

Bug#928210: CVE-2019-11471

2019-04-29 Thread Moritz Muehlenhoff
Source: libheif Severity: grave Tags: security This was assigned CVE-2019-11471: https://github.com/strukturag/libheif/issues/123 Patch: https://github.com/strukturag/libheif/commit/995a4283d8ed2d0d2c1ceb1a577b993df2f0e014 Cheers, Moritz

Bug#928053: CVE-2019-11387 CVE-2019-11388 CVE-2019-11389 CVE-2019-11390 CVE-2019-11391

2019-04-26 Thread Moritz Muehlenhoff
Package: modsecurity-crs Severity: grave Tags: security These are still being assessed upstream ATM: CVE-2019-11391 https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1357 CVE-2019-11390 https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1358 CVE-2019-11389 https://github.com/Sp

Bug#928052: CVE-2019-11502 CVE-2019-11503

2019-04-26 Thread Moritz Muehlenhoff
Source: snapd Severity: grave Tags: security http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11502 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11503 Cheers, Moritz

Bug#927906: CVE-2019-8354 CVE-2019-8355 CVE-2019-8356 CVE-2019-8357

2019-04-24 Thread Moritz Muehlenhoff
Source: sox Severity: grave Tags: security Please see these links for descriptions and patches: https://security-tracker.debian.org/tracker/CVE-2019-8354 https://security-tracker.debian.org/tracker/CVE-2019-8355 https://security-tracker.debian.org/tracker/CVE-2019-8356 https://security-tracker.deb

Bug#927714: CVE-2019-3885 CVE-2018-16877 CVE-2018-16878

2019-04-21 Thread Moritz Muehlenhoff
Source: pacemaker Severity: grave Tags: security Please see https://www.openwall.com/lists/oss-security/2019/04/17/1 Cheers, Moritz

Bug#927711: CVE-2019-10044

2019-04-21 Thread Moritz Muehlenhoff
Package: telegram-desktop Severity: grave Tags: security This was assigned CVE-2019-10044 and is claimed to be fixed in 1.5.12: https://github.com/blazeinfosec/advisories/blob/master/telegram-advisory.txt Cheers, Moritz

Bug#927674: CVE-2019-3902

2019-04-20 Thread Moritz Muehlenhoff
Source: mercurial Version: 4.8.2-1 Severity: grave Tags: security See https://www.mercurial-scm.org/wiki/WhatsNew from 4.9: This was assigned CVE-2019-3902: It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository. This ha
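The report above describes a class of bug rather than one specific code path: a path check that only normalizes the textual path (stripping "..") is defeated when a directory component inside the repository is a symlink pointing outside it. The following is an added example, not Mercurial's own code, showing a naive lexical check beside a check that resolves symlinks before deciding whether a write stays inside the repository root. The repository layout, the "sub" symlink and the file names are constructed for the demonstration.

```python
import os
import shutil
import tempfile


def naive_check(repo_root: str, rel_path: str) -> bool:
    """The lexical-only check that symlinks defeat.

    It normalizes '..' components but never resolves links, so a path through a
    symlinked directory still looks like it lives under repo_root.
    """
    norm = os.path.normpath(os.path.join(repo_root, rel_path))
    return norm.startswith(os.path.abspath(repo_root) + os.sep)


def is_confined(repo_root: str, rel_path: str) -> bool:
    """Return True only if writing rel_path keeps the file inside repo_root.

    Every directory component is resolved through realpath, so a symlinked
    parent that points outside the repository yields a resolved path that no
    longer starts with the (also resolved) root.
    """
    root = os.path.realpath(repo_root)
    # Reject absolute paths and parent traversal before touching the filesystem.
    if os.path.isabs(rel_path) or ".." in rel_path.split(os.sep):
        return False
    resolved = os.path.realpath(os.path.join(root, rel_path))
    return resolved == root or resolved.startswith(root + os.sep)


def demo() -> dict:
    """Constructed scenario: repo/sub is a symlink to a directory outside repo."""
    base = tempfile.mkdtemp()
    try:
        repo = os.path.join(base, "repo")
        outside = os.path.join(base, "outside")
        os.makedirs(os.path.join(repo, "docs"))
        os.makedirs(outside)
        os.symlink(outside, os.path.join(repo, "sub"))  # the escape hatch
        return {
            "plain": is_confined(repo, "docs/readme.txt"),
            "dotdot": is_confined(repo, "../evil.txt"),
            "symlink": is_confined(repo, "sub/evil.txt"),
            # The naive check happily accepts the write through the symlink.
            "naive_symlink": naive_check(repo, "sub/evil.txt"),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'confined' if ok else 'ESCAPES'}")
```

The important detail is that the root itself is passed through realpath as well; comparing a resolved target against an unresolved root produces false rejections on systems where the repository lives under a symlinked directory, and that is exactly the kind of mismatch that tempts people back to a lexical check.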

Bug#927671: CVE-2016-10542

2019-04-20 Thread Moritz Muehlenhoff
Package: node-ws Severity: grave Tags: security Please see https://nodesecurity.io/advisories/120 https://github.com/nodejs/node/issues/7388 Cheers, Moritz

Bug#899128: kdepim: Limit CVE-2017-17689 (EFAIL) even more for kmail

2019-04-09 Thread Moritz Muehlenhoff
On Tue, Apr 09, 2019 at 06:49:16PM +0200, Ivo De Decker wrote: > Hi Salvatore, > > On 4/8/19 10:59 PM, Salvatore Bonaccorso wrote: > > Control: reassign -1 src:kdepim > > On Mon, Apr 08, 2019 at 11:36:10AM +0200, Ivo De Decker wrote: > > > Hi, > > > > > > On Sat, May 19, 2018 at 07:18:06PM +0200,

Bug#926670: CVE-2019-0542

2019-04-08 Thread Moritz Muehlenhoff
Source: node-xterm Severity: grave Tags: security Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0542 Cheers, Moritz

Bug#876905: qtwebkit should not be release with buster

2019-04-02 Thread Moritz Muehlenhoff
On Tue, Apr 02, 2019 at 06:28:39PM -0300, Lisandro Damián Nicanor Pérez Meyer wrote: > El martes, 2 de abril de 2019 17:48:26 -03 Moritz Mühlenhoff escribió: > [snip] > > > Truth is we can't even agree inside the team. Some of us think we should > > > just remove it alongside whatever hasn't been

Bug#926276: Should guacamole-client be removed?

2019-04-02 Thread Moritz Muehlenhoff
Source: guacamole-client Severity: serious Should guacamole-client be removed? guacamole-client hasn't been updated since 2016, has been removed from testing for 1.5 years and has four RC bugs at this point. Cheers, Moritz

Bug#926275: Depends on tomcat8

2019-04-02 Thread Moritz Muehlenhoff
Package: guacamole Severity: serious guacamole depends on tomcat8, which is to be removed (#925454). Cheers, Moritz

Bug#926043: CVE-2019-0816

2019-03-30 Thread Moritz Muehlenhoff
Package: cloud-init Severity: grave Tags: security This was assigned CVE-2019-0816: https://code.launchpad.net/~jasonzio/cloud-init/+git/cloud-init/+merge/363445 https://support.microsoft.com/en-us/help/4491476/extraneous-ssh-public-keys-added-to-authorized-keys-file-on-linux-vm Is this something

Bug#925987: CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325

2019-03-29 Thread Moritz Muehlenhoff
Package: jruby Severity: grave Tags: security jruby embeds a version of rubygems, so it's affected by https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems Cheers, Moritz

Bug#925986: CVE-2018-1000073

2019-03-29 Thread Moritz Muehlenhoff
Package: jruby Severity: grave Tags: security CVE-2018-173 is not fixed in the rubygems bundled in jruby, https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/ https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2 The other 2018 ruby

Bug#923347: No sensible security support due to Oracle's policies

2019-03-29 Thread Moritz Muehlenhoff
On Thu, Mar 28, 2019 at 07:29:07PM -0400, Sandro Tosi wrote: > Hello Moritz, > could you please reply to the points made below? thanks! Sorry, missed your reply. > > what kind of security support do Debian provide to the mysql server > > packages? None at all, they're only in unstable for that

Bug#925259: Should this package be removed?

2019-03-21 Thread Moritz Muehlenhoff
Source: jquery-jplayer Severity: serious Should jquery-jplayer be removed? It's the last package blocking the removal of swftools, it hasn't seen a maintainer upload since 2014 and is thus outdated compared to current upstream, and there are no reverse deps in the archive (aside from some theme pack

Bug#924616: CVE-2018-15587

2019-03-14 Thread Moritz Muehlenhoff
Source: evolution Severity: grave Tags: security https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15587: https://bugzilla.gnome.org/show_bug.cgi?id=796424 https://gitlab.gnome.org/GNOME/evolution/commit/9c55a311325f5905d8b8403b96607e46cf343f21 https://gitlab.gnome.org/GNOME/evolution/commi

Bug#924615: CVE-2018-12178 CVE-2018-12180 CVE-2018-12181

2019-03-14 Thread Moritz Muehlenhoff
Source: edk2 Severity: grave Tags: security Please see https://security-tracker.debian.org/tracker/CVE-2018-12178 https://security-tracker.debian.org/tracker/CVE-2018-12180 https://security-tracker.debian.org/tracker/CVE-2018-12181 Cheers, Moritz

Bug#924613: CVE-2009-5155

2019-03-14 Thread Moritz Muehlenhoff
Source: gnulib Severity: grave Tags: security Please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5155 Patch: http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272 Cheers, Moritz

Bug#924610: libsdl2: Multiple security issues

2019-03-14 Thread Moritz Muehlenhoff
Source: libsdl2 Severity: grave Tags: security Hi, a number of security issues were found in SDL, please see the following links for references. https://security-tracker.debian.org/tracker/CVE-2019-7638 https://security-tracker.debian.org/tracker/CVE-2019-7637 https://security-tracker.debian.org/

Bug#924609: libsdl1.2: Multiple security issues

2019-03-14 Thread Moritz Muehlenhoff
Source: libsdl1.2 Severity: grave Tags: security Hi, a number of security issues were found in SDL, please see the following links for references. https://security-tracker.debian.org/tracker/CVE-2019-7638 https://security-tracker.debian.org/tracker/CVE-2019-7637 https://security-tracker.debian.or

Bug#924509: CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843

2019-03-13 Thread Moritz Muehlenhoff
Package: rsync Version: 3.1.3-5 Severity: grave Tags: security rsync ships a local copy of zlib, which misses the security fixes for CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843. I've attached the respective upstream patches. Also, let's revisit using the shared zlib copy for bullseye

Bug#924351: CVE-2018-16647 CVE-2018-16648

2019-03-11 Thread Moritz Muehlenhoff
Package: mupdf Version: 1.14.0+ds1-3 Severity: grave Tags: security CVE-2018-16648: https://bugs.ghostscript.com/show_bug.cgi?id=699685 http://www.ghostscript.com/cgi-bin/findgit.cgi?38f883fe129a5e89306252a4676eaaf4bc968824 CVE-2018-16647: https://bugs.ghostscript.com/show_bug.cgi?id=699686 http:

Bug#924348: CVE-2019-7629

2019-03-11 Thread Moritz Muehlenhoff
Package: tintin++ Severity: grave Tags: security Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7629 Cheers, Moritz

Bug#923347: No sensible security support due to Oracle's policies

2019-02-26 Thread Moritz Muehlenhoff
Source: mysql-connector-python Severity: serious mysql-connector-python is affected by Oracle's policy of not disclosing what security fixes they fix. CVE-2019-2435 is labeled with a CVSS 8.1/10 score and only fixed in 8.x, while the version in stretch (2.1.x) is marked as vulnerable, but no 2.1.

Bug#914632: uw-imap: CVE-2018-19518

2019-02-24 Thread Moritz Muehlenhoff
On Sun, Feb 24, 2019 at 02:53:41PM +0100, Magnus Holmgren wrote: > Perhaps wanting to run imapd via remote shell is so rare that there's no need > to write a NEWS.Debian entry? I agree, I don't think this needs a NEWS.Debian. Cheers, Moritz

Bug#923008: CVE-2018-16886

2019-02-22 Thread Moritz Muehlenhoff
Source: etcd Severity: grave Tags: security Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16886 and https://security-tracker.debian.org/tracker/CVE-2018-16886 Cheers, Moritz

Bug#923003: CVE-2018-19873 CVE-2018-19871 CVE-2018-19870

2019-02-22 Thread Moritz Muehlenhoff
Source: qt4-x11 Severity: grave Tags: security Three security issues fixed in QT5 also affect qt4-x11: https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/ CVE-2018-19873: https://github.com/qt/qtbase/commit/621ab8ab59901cc3f9bd98be709929c9eac997a8 CVE-2018-19871: ht

Bug#859553: pidentd: Please migrate to openssl1.1 in buster

2019-02-21 Thread Moritz Muehlenhoff
On Thu, Feb 21, 2019 at 11:37:02PM +0100, Sebastian Andrzej Siewior wrote: > On 2019-02-21 23:18:33 [+0100], Moritz Muehlenhoff wrote: > > On Thu, Feb 21, 2019 at 08:56:14PM +0100, Sebastian Andrzej Siewior wrote: > > > Its popcon is dropping. It will not be part of Buste

Bug#859553: pidentd: Please migrate to openssl1.1 in buster

2019-02-21 Thread Moritz Muehlenhoff
On Thu, Feb 21, 2019 at 08:56:14PM +0100, Sebastian Andrzej Siewior wrote: > Its popcon is dropping. It will not be part of Buster. So either RM it > or I have no use it for, I was just looking at it because it's one of the five packages blocking the removal of src:openssl1.0, from my PoV it can b

Bug#859553: pidentd: Please migrate to openssl1.1 in buster

2019-02-19 Thread Moritz Muehlenhoff
On Wed, Feb 20, 2019 at 12:28:48AM +0100, Sebastian Andrzej Siewior wrote: > On 2017-10-12 23:44:37 [+0200], To 859...@bugs.debian.org wrote: > > this is a remainder about the openssl transition [0]. We really want to > > remove libssl1.0-dev from unstable for Buster. I will raise the severity > >

Bug#922724: Lots of security issues

2019-02-19 Thread Moritz Muehlenhoff
Source: zoneminder Severity: grave Tags: security Please see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8429 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8428 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8427 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-20

Bug#913467: nvidia-graphics-drivers: CVE-2018-6260: access to application data processed on the GPU through a side channel exposed by the GPU performance counters

2019-02-19 Thread Moritz Muehlenhoff
On Mon, Feb 18, 2019 at 11:15:56PM +, Luca Boccassi wrote: > On Mon, 2019-02-18 at 22:57 +0100, Moritz Mühlenhoff wrote: > > On Mon, Nov 12, 2018 at 02:36:23PM +, Luca Boccassi wrote: > > > On Mon, 2018-11-12 at 13:47 +0100, Andreas Beckmann wrote: > > > > On 2018-11-11 13:54, Luca Boccassi

Bug#922461: CVE-2018-20124

2019-02-16 Thread Moritz Muehlenhoff
Source: qemu Severity: grave Tags: security When rdma was enabled in -3, this also made a fix for CVE-2018-20124 necessary: https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02822.html https://git.qemu.org/?p=qemu.git;a=commit;h=0e68373cc2b3a063ce067bc0cc3edaf370752890 Cheers, Mor

Bug#921969: CVE-2018-20760 CVE-2018-20761 CVE-2018-20762 CVE-2018-20763

2019-02-10 Thread Moritz Muehlenhoff
Source: gpac Severity: grave Tags: security CVE-2018-20760: https://github.com/gpac/gpac/commit/4c1360818fc8948e9307059fba4dc47ba8ad255d https://github.com/gpac/gpac/issues/1177 CVE-2018-20761: https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658 https://github.com/gpac/gp

Bug#921952: Don't include in buster without proper commitment to update in stable

2019-02-10 Thread Moritz Muehlenhoff
Source: libsass Severity: serious None of the security bugs filed in the BTS has seen any maintainer followup (dating back to 2017 in some cases), and that's just the tip of the iceberg, the security tracker lists many more. Unless someone steps forward and commits to properly maintain it during

Bug#921772: CVE-2018-1000652

2019-02-08 Thread Moritz Muehlenhoff
Package: jabref Severity: grave Tags: security This was assigned CVE-2018-1000652: https://github.com/JabRef/jabref/issues/4229 https://github.com/JabRef/jabref/commit/89f855d76713b4cd25ac0830c719cd61c511851e Cheers, Moritz

Bug#921767: CVE-2018-12029

2019-02-08 Thread Moritz Muehlenhoff
Source: passenger Severity: grave Tags: security This was assigned CVE-2018-12029: https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/ https://github.com/phusion/passenger/commit/207870f5b7f5cc240587ab0977d6046782ae1d86 Cheers, Moritz

Bug#921746: Should witty be removed?

2019-02-08 Thread Moritz Muehlenhoff
Package: libwt40 Severity: serious Should witty be removed from the archive? - No maintainer upload since 2016 - Removed from testing for 16 months - Multiple RC bugs (3) and other legacy issues (Qt4) - Marginal popcon Cheers, Moritz

Bug#921471: Should pdf2htmlex be removed?

2019-02-05 Thread Moritz Muehlenhoff
Package: pdf2htmlex Severity: serious Should pdf2htmlex be removed? It's RC-buggy for over a year and upstream development seems to have stopped: http://pdf2htmlex.blogspot.de/2016/12/looking-for-new-maintainer.html Cheers, Moritz

Bug#921131: CVE-2018-10897

2019-02-01 Thread Moritz Muehlenhoff
Package: yum-utils Severity: grave Tags: security This was assigned CVE-2018-10897: https://bugzilla.redhat.com/show_bug.cgi?id=1600221 https://github.com/rpm-software-management/yum-utils/commit/7554c0133eb830a71dc01846037cc047d0acbc2c https://github.com/rpm-software-management/yum-utils/commit/6

Bug#921039: CVE-2018-14647

2019-01-31 Thread Moritz Muehlenhoff
Package: python2.7 Version: 2.7.15-5 Severity: grave Tags: security CVE-2018-14647 as fixed in DSA-4306-1 needs to be fixed in testing as well: https://bugs.python.org/issue34623 https://github.com/python/cpython/commit/18b20bad75b4ff0486940fba4ec680e96e70f3a2 Cheers, Moritz

Bug#920818: Should this package be removed?

2019-01-29 Thread Moritz Muehlenhoff
Source: mysql-connector-net Severity: serious Last upload three years ago and removed from testing for a year. Cheers, Moritz

Bug#920817: Should this package be removed?

2019-01-29 Thread Moritz Muehlenhoff
Package: fsgateway Severity: serious Should fsgateway be removed? It already missed stretch, seems dead upstream, has been dropped from testing for two years and its last upload was in 2015. Cheers, Moritz

<    1   2   3   4   5   6   7   8   9   10   >