On Sat, Nov 12, 2016 at 04:50:25PM +, gregor herrmann wrote:
> Source: libpoe-filter-ssl-perl
>* debian/copyright: change Copyright-Format 1.0 URL to HTTPS.
>* Use OpenSSL 1.0.2 for the time being. (Closes: #828408)
Don't close such bugs. You used a workaround, but the bug still
On Fri, Nov 04, 2016 at 10:03:02AM +0200, Christos Trochalakis wrote:
> On Wed, Nov 02, 2016 at 05:22:21PM +0100, Kurt Roeckx wrote:
> >On Wed, Nov 02, 2016 at 10:39:29AM +0100, Moritz Muehlenhoff wrote:
> >>
> >>The issue hasn't been diagnosed upstream, but t
On Tue, Aug 02, 2016 at 04:05:45AM +0200, Guillem Jover wrote:
> Source: openssl-blacklist
> Source-Version: 0.5-3
> Severity: important
> User: debian-d...@lists.debian.org
> Usertags: dpkg-obsolete-deb-data-tar-compressor
>
> Hi!
>
> This source package builds one or more binary packages using
On Fri, Nov 04, 2016 at 03:07:17AM +0100, ilf wrote:
> kpcyrd:
> >I think this project doesn't align with the debian goals and I
> >would welcome if it's getting removed from current and future
> >releases.
>
> Mozilla removed it from addons.mozilla.org:
>
On Wed, Nov 02, 2016 at 05:22:21PM +0100, Kurt Roeckx wrote:
> On Wed, Nov 02, 2016 at 10:39:29AM +0100, Moritz Muehlenhoff wrote:
> >
> > The issue hasn't been diagnosed upstream, but this will likely also affect
> > nginx
> > once rebuilt against openssl 1.1.
On Sat, Oct 29, 2016 at 12:53:54PM +0200, Kurt Roeckx wrote:
> On Sat, Oct 29, 2016 at 12:34:51PM +0300, Christos Trochalakis wrote:
> > On Sat, Oct 29, 2016 at 11:29:12AM +0200, Kurt Roeckx wrote:
> > > On Sat, Oct 29, 2016 at 11:04:33AM +0300, Christos Trochalakis wrote:
> > > >
> > > > I am
Package: tar
Version: 1.29b-1
Severity: grave
Tags: security
This has been assigned CVE-2016-6321:
https://sintonen.fi/advisories/tar-extract-pathname-bypass.txt
Cheers,
Moritz
On Thu, Oct 27, 2016 at 06:31:43AM -0400, Roberto C. Sánchez wrote:
> On Thu, Oct 27, 2016 at 08:54:39AM +0200, Moritz Muehlenhoff wrote:
> >
> > Salvatore mentioned that the same bug occurs when unstable has the security
> > patches merged (which hasn't happened so fa
On Wed, Oct 26, 2016 at 11:09:54PM -0400, Roberto C. Sánchez wrote:
> On Tue, Oct 25, 2016 at 09:54:01PM +0200, Salvatore Bonaccorso wrote:
> > Hi Roberto
> >
> > Could you double-check/confirm if you see the same
> > https://bugs.debian.org/840691 in wheezy? Note although the bug is
> > still
Hi,
On Wed, Oct 19, 2016 at 09:10:59AM +0200, Lars Tangvald wrote:
> So for Linux we consider this fixed in 5.5.52, but the complete fix
> was in 5.5.53.
Is https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837984
addressed in 5.5.53?
> Should I remove the CVE from the Debian changelog entry?
On Fri, Oct 14, 2016 at 08:23:04PM +0200, Sandro Knauß wrote:
> Hey,
>
> I now back ported the second part of the fix of the CVE. I updated the
> version
> deb8u1 from Scott. Should I create a deb8u2 for the additional patch?
>
> I attached the uptodate debdiff.
Thanks, please upload.
On Wed, Oct 12, 2016 at 02:56:06PM -0400, Scott Kitterman wrote:
> Proposed update attached. It is the exact upstream commit that resolved this
> issue upstream (relevant code is unchanged from stable) and I have the fix
> running locally. I do not have an example of the exploit to
Package: ht
Severity: grave
Tags: security
ht embeds a copy of libiberty, which was affected by several
vulnerabilities:
https://security-tracker.debian.org/tracker/CVE-2016-6131
https://security-tracker.debian.org/tracker/CVE-2016-4493
https://security-tracker.debian.org/tracker/CVE-2016-4492
Source: libtirpc
Severity: grave
Tags: security
libtirpc is affected by this vulnerability recently fixed in glibc:
https://security-tracker.debian.org/tracker/CVE-2016-4429
Cheers,
Moritz
On Wed, Sep 14, 2016 at 10:03:51PM -0700, Kees Cook wrote:
> On Thu, Sep 01, 2016 at 05:17:06PM +0200, Moritz Muehlenhoff wrote:
> > I think we should remove hardening-wrapper for the stretch release?
> > dpkg-buildflags/dh
> > are around for a long time now and we're dow
Source: nodejs
Severity: grave
Tags: security
Please see
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
Cheers,
Moritz
Package: git-hub
Severity: grave
Tags: security
This got assigned CVE-2016-7793 and CVE-2016-7794:
http://seclists.org/oss-sec/2016/q3/666
Cheers,
Moritz
Package: docker2aci
Severity: grave
Tags: security
This was assigned CVE-2016-7569:
http://seclists.org/oss-sec/2016/q3/634
Cheers,
Moritz
tags 836664 patch
thanks
On Sun, Sep 04, 2016 at 01:17:05PM +, Matthias Klose wrote:
> Package: wsjtx
> Version: 1.1.r3496-3
> Severity: important
> Tags: sid stretch
> User: debian-...@lists.debian.org
> Usertags: hardening-wrapper
>
> This package builds using the hardening-wrapper
Source: mysql-5.6
Severity: serious
As per previous discussion, don't include in stretch/blocker bug to
keep it out.
Cheers,
Moritz
On Mon, Sep 05, 2016 at 08:13:18PM -0400, Antoine Beaupré wrote:
> Control: tags -1 +pending +patch
> Hi,
>
> This is a fix for a "certificate fingerprint spoofing through crafted
> SASL messages" in Charybdis:
>
> https://security-tracker.debian.org/tracker/CVE-2016-7143
>
> I backported the
Source: openjfx
Severity: grave
Tags: security
CVE-2016-3498 from
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixJAVA
should affect openjfx.
Cheers,
Moritz
Package: kinit
Version: 5.22.0-1
Severity: grave
Tags: security
Hi,
please see
https://bugs.kde.org/show_bug.cgi?id=358593
https://bugs.kde.org/show_bug.cgi?id=363140
https://quickgit.kde.org/?p=kinit.git=commitdiff=dece8fd89979cd1a86c03bcaceef6e9221e8d8cd
Source: shiro
Severity: grave
Tags: security
The following was reported on oss-security. shiro doesn't seem to have
any rdeps in Debian.
Cheers,
Moritz
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
1.0.0-incubating - 1.2.4
Description:
A default cipher
Source: tika
Severity: grave
Tags: security
Hi,
please see http://seclists.org/oss-sec/2016/q2/413 for details.
Cheers,
Moritz
Source: jackson-dataformat-xml
Severity: grave
Tags: security
jackson-dataformat-xml is susceptible to XXE attacks, this was
assigned CVE-2016-3720. Fix is here:
https://github.com/FasterXML/jackson-dataformat-xml/commit/f0f19a4c924d9db9a1e2830434061c8640092cc0
Cheers,
Moritz
Source: qpid-cpp
Severity: serious
It hasn't seen an upload for more than two years, has unfixed open
security issues for more than 1.5 years and the version in sid
is totally outdated.
Please reassign this to ftp.debian.org for removal or update the package.
Cheers,
Moritz
Source: openjfx
Severity: grave
Tags: security
The four security issues from October's Java CPU are still unfixed, right?
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
Cheers,
Moritz
Source: xen
Severity: grave
Tags: security
Multiple vulnerabilities are unfixed in xen:
CVE-2015-5307:
http://xenbits.xen.org/xsa/advisory-156.html
CVE-2016-3960
http://xenbits.xen.org/xsa/advisory-173.html
CVE-2016-3159 / CVE-2016-3158
http://xenbits.xen.org/xsa/advisory-172.html
On Thu, Apr 21, 2016 at 06:58:18AM +0200, Salvatore Bonaccorso wrote:
> Hi,
>
> On Wed, Apr 20, 2016 at 11:01:29PM +0200, Sebastian Andrzej Siewior wrote:
> > On 2015-03-15 06:42:08 [+0100], Salvatore Bonaccorso wrote:
> > > On Tue, Feb 17, 2015 at 10:07:06AM +, Patrick Coleman
Source: tomcat7
Severity: serious
stretch should only provide one version of Tomcat.
Cheers,
Moritz
Source: ufraw
Severity: grave
Tags: security
CVE-2015-8366 in dcraw also affects ufraw. The dcraw upstream fix is
https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2
Cheers,
Moritz
Source: openjpeg2
Severity: grave
Tags: security
Hi,
multiple security issues were found in openjpeg2:
1. Out-Of-Bounds Read in sycc422_to_rgb function (CVE-2016-3183)
http://www.openwall.com/lists/oss-security/2016/03/14/14
https://github.com/uclouvain/openjpeg/issues/726
2. Heap
On Fri, Feb 26, 2016 at 09:34:33PM -0800, Nathaniel Smith wrote:
> Package: emacs24
> Version: 24.5+1-6+b1
> Severity: serious
> Tags: security
> Justification: 5(b) of https://release.debian.org/testing/rc_policy.txt
>
> Debian's emacs builds are linked against gnutls:
>
> (gnutls-available-p)
Source: brotli
Severity: grave
Tags: security
Firefox fixed a buffer overflow in brotli:
https://www.mozilla.org/en-US/security/advisories/mfsa2016-30/
Please get in touch with upstream whether this also needs to be fixed
in the brotli source package in Debian.
Cheers,
Moritz
On Wed, Mar 02, 2016 at 10:09:47AM +0100, Yves-Alexis Perez wrote:
> Hi teams,
>
> [first of all, I'm writing this with my linux-grsec hat, not my Debian
> security team member hat, obviously]
>
> As you may know, src:linux-grsec was accepted in unstable earlier this year.
> As a quick summary,
Source: jasper
Severity: serious
jasper is long dead upstream, don't include it in stretch. (As
discussed with the maintainer).
Cheers,
Moritz
Source: asterisk
Severity: serious
asterisk hasn't seen a maintainer upload to unstable in 2015. It's
already excluded from testing due to an unrelated FTBFS bug. This
bug is used to ensure that it doesn't enter stretch unless maintenance
(especially for the lifetime of stable) is properly
Package: roarplaylistd-codechelper-gst
Severity: serious
gstreamer 0.10 is being removed from Debian, but
roarplaylistd-codechelper-gst still depends on gstreamer-tools (which is
for gst 0.10), please depend on gstreamer1.0-tools instead.
Cheers,
Moritz
Package: mp3cd
Severity: serious
gstreamer 0.10 is being removed from Debian, but mp3cd still depends
on gstreamer-tools (which is for gst 0.10), please depend on
gstreamer1.0-tools instead.
Cheers,
Moritz
Package: sugar-record-activity
Severity: serious
Should sugar-record-activity be removed? It depends on gstreamer,
which is scheduled for removal and there doesn't seem to be any
upstream activity to port it to modern gstreamer.
Please address the outstanding bugs or reassign this to
Package: turtleart
Version: 98-1.1
Severity: serious
Should turtleart be removed? It depends on gstreamer 0.10, which
is scheduled for removal and hasn't seen an upload in over five
years.
Please address the outstanding bugs or reassign this to
ftp.debian.org for removal.
Cheers,
Moritz
Package: ruby-rails-html-sanitizer
Severity: grave
Tags: security
Please see
https://marc.info/?l=oss-security=145375052028672=2
https://marc.info/?l=oss-security=145375059928688=2
https://marc.info/?l=oss-security=145375090928793=2
Cheers,
Moritz
Package: netsurf-gtk
Severity: grave
Tags: security
Justification: user security hole
Please see these:
CVE-2015-7508 [heap overflow]
http://source.netsurf-browser.org/libnsbmp.git/commit/?id=041df43bbe273b0829132b0b17d89a69da2927d4
CVE-2015-7507 [out-of-bounds read]
severity 809844 important
thanks
On Mon, Jan 04, 2016 at 05:28:27PM +0100, Louis Bouchard wrote:
> Package: sosreport
> Version: 3.2-2
> Severity: critical
> Tags: security
> Justification: root security hole
Debian uses fs.protected_symlinks by default (and we also mandate it for
custom-built
Package: advene
Severity: serious
Should advene be removed? It depends on gstreamer 0.10, which is
scheduled for removal (plus, other legacy libs (python-rsvg and
python-goocanvas), this is unfixed upstream (last commit 15 months
ago) and popcon is marginal.
Please address the outstanding bugs or
Package: playitslowly
Severity: serious
Should playitslowly be removed? It depends on gstreamer 0.10 which is
scheduled for removal, but seems dead upstream. Popcon is marginal as
well.
Please address the outstanding bugs or reassign this to
ftp.debian.org for removal.
Cheers,
Moritz
Source: coherence
Severity: serious
Hi,
should coherence be removed (along with the depending upnp-inspector)?
It depends on gstreamer 0.10 (which will be removed from the archive),
but upstream seems inactive.
Cheers,
Moritz
Package: conduit
Severity: serious
Should conduit be removed?
- It depends on gstreamer 0.10, which is scheduled for removal
- It's dead upstream
- Popcon is marginal
- Unmaintained (last maintainer upload in 2010)
Cheers,
Moritz
2:53PM +0100, Moritz Mühlenhoff wrote:
> >> > On Sun, Oct 25, 2015 at 07:51:20PM +0100, Thibaut Girka wrote:
> >> > > On Sun, Oct 25, 2015 at 07:41:29PM +0100, Moritz Muehlenhoff
> >wrote:
> >> > > > Package: bluemindo
> >> >
reassign 805817 ftp.debian.org
retitle 805817 RM: instanbul - dead upstream, depends on gstreamer 0.10
thanks
On Sun, Nov 22, 2015 at 10:11:09PM +0100, Luca Bruno wrote:
> On Sunday 22 November 2015 20:30:14 Moritz Muehlenhoff wrote:
>
> > should instanbul be removed?
>
>
Package: istanbul
Severity: serious
Hi,
should istanbul be removed?
- It's dead upstream (last release in 2007, last code change in git
(some i18n work later on) in 2010
- It depends on gstreamer 0.10, which is scheduled for removal
- Alternatives exist
Cheers,
Moritz
On Mon, Oct 19, 2015 at 07:23:45AM +, Mike Gabriel wrote:
> For the gstreamer issue, I currently think shipping freerdp without
> gstreamer support in unstable for a while (though this introduces a
> regression in functionality for some people, probably). I will
> prepare an upload during the
On Wed, May 20, 2015 at 04:03:06PM +0300, sl...@debian.org wrote:
> Source: morituri
> Severity: important
> User: sl...@debian.org
> Usertags: gstreamer0.10-removal
>
> Hi maintainer,
>
> your package morituri currently still depends on GStreamer 0.10.
>
> GStreamer 0.10 is no longer
reopen 785922
thanks
Hi,
> - switch to gstreamer1.0-plugins-base (Closes: #785922)
pychess still depends on python-gst0.10, reopening.
Cheers,
Moritz
On Sat, May 23, 2015 at 10:36:35AM +0200, Antonio Ospite wrote:
> Package: gnome-subtitles
> Version: 1.2-4
> Followup-For: Bug #785822
>
> Dear Maintainer,
>
> the upstream release 1.3 of gnome-subtitles[1] uses GStreamer-1.x, so
> just packaging that one will solve this issue.
>
>
Package: jenkins
Severity: grave
Tags: security
Justification: user security hole
Hi,
please see
https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli
Cheers,
Moritz
On Mon, Nov 09, 2015 at 09:25:20AM +0100, Emmanuel Bourg wrote:
> Hi Moritz,
>
> If I'm not mistaken this vulnerability is actually linked to a dangerous
> deserialization in commons-collections if the input isn't properly
> sanitized.
Indeed, I intended to file a separate bug for those (but I
Source: drawtk
Severity: serious
Should drawtk be removed?
- Last maintainer upload in 2012
- No reverse deps in the archive
- Depends on gstreamer 0.10 (scheduled for removal)
Please address the outstanding bugs or reassign this to
ftp.debian.org for removal.
Cheers,
Moritz
Source: elasticsearch
Severity: serious
See DSA 3389, upstream security policies are not compatible with
being in stable.
Cheers,
Moritz
On Thu, May 21, 2015 at 02:31:29PM +0300, Sebastian Dröge wrote:
> Hi Olly,
>
> On Do, 2015-05-21 at 01:24 +0100, Olly Betts wrote:
>
> > But there's an upstream ticket about switching to gstreamer 1.0 with a
> > recently added patch. I'd appreciate a quick review from someone who
> > has more
Source: sddm
Severity: grave
Tags: security
This was assigned CVE-2015-0856:
https://github.com/sddm/sddm/commit/4cfed6b0a625593
Cheers,
Moritz
Package: g2ipmsg
Severity: serious
- Dead upstream (last release from 2008)
- Unmaintained (last maintainer upload in 2009)
- Virtually unused in popcon
- Depends on legacy libs (gstreamer 0.10)
Cheers,
Moritz
Package: alarm-clock
Severity: serious
alarm-clock hasn't seen a maintainer upload since 2009, seems
dead upstream and depends on legacy libs scheduled for removal
from the archive (gstreamer 0.10).
Cheers,
Moritz
Source: numm
Severity: serious
- Dead upstream and relies on legacy libs scheduled for removal
(gstreamer 0.10)
- Virtually unused in popcon
Cheers,
Moritz
Package: bluemindo
Severity: serious
- Dead upstream (the current 0.3 release is from 2009)
- Relies on gstreamer 0.10 which is scheduled for removal
- Unmaintained (last maintainer upload in 2010)
- Low popcon and plenty of alternatives
Cheers,
Moritz
Source: gstreamer0.10
Severity: serious
gstreamer 0.10 is scheduled for removal, use this RC bug to keep it
out of testing (since removing it from unstable will take more time
than dropping it from stretch).
Cheers,
Moritz
Source: gst-plugins-bad0.10
Severity: serious
Remove gstreamer 0.10 in stretch
gstreamer 0.10 is scheduled for removal, use this RC bug to keep it
out of testing (since removing it from unstable will take more time
than dropping it from stretch).
Cheers,
Moritz
Source: gst-plugins-base0.10
Severity: serious
gstreamer 0.10 is scheduled for removal, use this RC bug to keep it
out of testing (since removing it from unstable will take more time
than dropping it from stretch).
Cheers,
Moritz
Source: gst-plugins-ugly0.10
Severity: serious
gstreamer 0.10 is scheduled for removal, use this RC bug to keep it
out of testing (since removing it from unstable will take more time
than dropping it from stretch).
Cheers,
Moritz
Source: gst-plugins-good0.10
Severity: serious
gstreamer 0.10 is scheduled for removal, use this RC bug to keep it
out of testing (since removing it from unstable will take more time
than dropping it from stretch).
Cheers,
Moritz
Source: gst0.10-python
Severity: serious
Remove gstreamer 0.10 in stretch
gstreamer 0.10 is scheduled for removal, use this RC bug to keep it
out of testing (since removing it from unstable will take more time
than dropping it from stretch).
Cheers,
Moritz
Package: audiopreview
Severity: serious
- It's dead upstream and depends on legacy libs scheduled
for removal (gstreamer 0.10)
- Virtually unused according to popcon
Cheers,
Moritz
Package: gnac
Severity: serious
The last maintainer upload was 3.5 years ago, the package
is dead upstream, depends on legacy libs scheduled for
removal (gstreamer 0.10), popcon is marginal and alternatives
exist.
Please address the outstanding bugs or reassign this to
ftp.debian.org for
Package: perroquet
Severity: serious
- It's dead upstream (the homepage is domain-squatted)
and it depends on legacy libs scheduled for removal
(gstreamer 0.10)
- The last upload was more than four years ago
- Usage per popcon virtually non-existent
Please address the outstanding bugs or
reassign 799191 ftp.debian.org
retitle 799191 RM: emesene -- obsolete, RC-buggy, unmaintained, unused
thanks
On Wed, Sep 16, 2015 at 07:49:07PM +0200, Moritz Muehlenhoff wrote:
> Package: emesene
> Severity: serious
>
> Upstream development has stalled with the shutdown of MS
On Wed, May 20, 2015 at 04:03:06PM +0300, sl...@debian.org wrote:
> Source: xfce4-volumed
> Severity: important
> User: sl...@debian.org
> Usertags: gstreamer0.10-removal
>
> Hi maintainer,
>
> your package xfce4-volumed currently still depends on GStreamer 0.10.
>
> GStreamer 0.10 is no longer
On Wed, May 20, 2015 at 09:38:58PM +0200, Yves-Alexis Perez wrote:
> Yeah, unfortunately someone has to do the work upstream, and not much
> people have expressed interest in that.
Can we drop xfce4-mixer from xfce4's Depends, so that it can be dropped
from testing (or even sid) until someone has
Package: longomatch
Severity: serious
The version in the archive is totally outdated compared to
upstream and depends on gstreamer 0.10 legacy libs. popcon
usage is virtually non-existent.
Please update the package or reassign this bug to
ftp.debian.org for removal.
Cheers,
Moritz
Package: minirok
Severity: serious
Should minirok be removed? It hasn't seen an upload
since 2009, it's dead upstream (Debian maintainer is also
upstream), popcon usage is marginal and it relies on
obsolete gstreamer 0.10. Plus, there's plenty of alternatives
in the archive.
Please address the
On Wed, Sep 09, 2015 at 04:17:31PM +0200, Bernhard Schmidt wrote:
> On Wed, Sep 09, 2015 at 12:50:19AM +0200, Bernhard Schmidt wrote:
>
> Hi,
>
> > after my day-to-day XMPP client is now uninstallable in testing I have
> > attempted to fix this situation.
> >
> > I have looked through the
Source: signon-ui
Severity: serious
signon-ui build-depends on libgstreamer-plugins-base0.10-dev, but
gstreamer 0.10 is scheduled for removal:
https://lists.debian.org/debian-devel/2015/05/msg00335.html
Cheers,
Moritz
Source: mail-notification
Severity: serious
Hi,
mail-notification depends on gstreamer0.10-tools, which is scheduled
for removal: https://lists.debian.org/debian-devel/2015/05/msg00335.html
gstreamer1.0-tools can likely be used as a drop-in replacement.
Cheers,
Moritz
On Wed, May 20, 2015 at 07:08:43PM +0200, Sebastian Ramacher wrote:
> Version: 3.0.0~alpha1-1
>
> Hi Sebastian
>
> On 2015-05-20 16:03:06, sl...@debian.org wrote:
> > Source: soundconverter
> > Severity: important
> > User: sl...@debian.org
> > Usertags: gstreamer0.10-removal
> >
> > Hi
Package: sugar-record-activity
Severity: serious
Hi,
sugar-record-activity depends on gstreamer 0.10, which is scheduled
for removal. Please see
https://lists.debian.org/debian-devel/2015/05/msg00335.html for
further information.
Cheers,
Moritz
Package: squeak-vm
Severity: serious
squeak-vm build-depends on libgstreamer0.10-dev.
gstreamer 0.10 is scheduled for removal:
https://lists.debian.org/debian-devel/2015/05/msg00335.html
Cheers,
Moritz
Package: v4l2loopback-utils
Severity: serious
v4l2loopback-utils depends on gstreamer0.10-tools. gstreamer 0.10
is scheduled for removal, see here:
https://lists.debian.org/debian-devel/2015/05/msg00335.html
gstreamer1.0-tools can probably be used as a drop-in replacement.
Cheers,
On Sun, May 24, 2015 at 05:15:05PM +0300, Niko Tyni wrote:
> On Wed, May 20, 2015 at 04:03:06PM +0300, sl...@debian.org wrote:
> > Source: libgstreamer-perl
> > Severity: important
> > User: sl...@debian.org
> > Usertags: gstreamer0.10-removal
>
> > your package libgstreamer-perl currently still
Source: openjfx
Severity: serious
Hi,
openjfx build-depends on gstreamer 0.10, which is scheduled
for removal from the archive. Please see
https://lists.debian.org/debian-devel/2015/05/msg00335.html
for details.
Cheers,
Moritz
Package: emesene
Severity: serious
Upstream development has stalled with the shutdown of MSN,
it uses deprecated libs (python-webkit, gstreamer 0.10,
modemmanager1), the former primary maintainer is MIA and
popcon is virtually non-existent.
Please address the outstanding bugs or reassign this to
On Wed, Sep 16, 2015 at 03:26:27PM -0300, Lisandro Damián Nicanor Pérez Meyer
wrote:
> On Wednesday 16 September 2015 15:25:06 Lisandro Damián Nicanor Pérez Meyer
> wrote:
> > On Wednesday 16 September 2015 20:08:37 Moritz Mühlenhoff wrote:
> > > On Wed, May 20, 2015 at 01:32:13PM -0300,
Package: mopidy-soundcloud
Severity: serious
mopidy-soundcloud depends on gstreamer0.10-plugins-ugly, but
gstreamer 0.10 will be removed for stretch, please see here
for details:
https://lists.debian.org/debian-devel/2015/05/msg00335.html
Cheers,
Moritz
Package: fso-sounds-yue-base
Severity: serious
mopidy-soundcloud depends on gstreamer0.10-plugins-base, but
gstreamer 0.10 will be removed for stretch, please see here
for details:
https://lists.debian.org/debian-devel/2015/05/msg00335.html
Cheers,
Moritz
Source: ipython
Severity: grave
Tags: security
Please see http://www.openwall.com/lists/oss-security/2015/09/02/3
Cheers,
Moritz
Package: icedtea-web
Severity: grave
Tags: security
Justification: user security hole
Hi,
please see the respective Red Hat bugs for details and links to patches:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5234
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5235
Cheers,
Package: ruby-devise-two-factor
Severity: grave
Tags: security
Justification: user security hole
Hi,
please see http://www.openwall.com/lists/oss-security/2015/09/06/2
for details.
Cheers,
Moritz
On Tue, Sep 08, 2015 at 03:01:29PM -0400, Robert Edmonds wrote:
> Moritz Mühlenhoff wrote:
> > reassign 796118 ftp.debian.org
> > retitle 796118 RM: djbdns
> > thanks
> >
> > On Wed, Aug 19, 2015 at 05:45:30PM +0200, Moritz Muehlenhoff wrote:
> > >
Source: starpu-contrib
Severity: serious
gcc 4.8 will not be shipped with stretch (765380) and starpu-contrib
currently Build-Depends on it (gcc-4.8, g++-4.8, gfortran-4.8,
gcc-4.8-plugin-dev)
Cheers,
Moritz
-- System Information:
Debian Release: stretch/sid
APT prefers
Package: berusky2
Severity: serious
gcc-4.8 will not be included in stretch (765380), but berusky2
uses it on mips and mipsel.
Please switch to the standard GCC, if the mips porters don't
get the toolchain fixed, I'd recommend to simply remove mipsen
support, it's just a game after all.
Cheers,
Source: sogo
Severity: grave
Tags: security
CVE-2015-5395:
http://www.openwall.com/lists/oss-security/2015/07/07/10
Cheers,
Moritz