Control: forcemerge 699316 699342
Hi
On Wed, Jan 30, 2013 at 02:04:53PM +0100, Eric Valette wrote:
Package: libupnp6
Version: 1:1.6.17-1.1
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
-2012-5965. (Closes: #699316)
+(LP: #1110273)
+
+ -- Salvatore Bonaccorso car...@debian.org Wed, 30 Jan 2013 23:48:11 +0100
+
libupnp (1:1.6.17-1.1) unstable; urgency=high
* Non-maintainer upload.
diff -Nru
libupnp-1.6.17/debian/patches/19-699316-Fix-buffer-overflows
Control: merge 698737 699441
Hi John
On Thu, Jan 31, 2013 at 07:25:38AM -0600, John Goerzen wrote:
Package: owncloud
Version: 4.0.4debian2-3.2
Severity: grave
Tags: security
Justification: user security hole
The version of owncloud in both testing and unstable contains security
holes.
Hey John
On Thu, Jan 31, 2013 at 08:39:42AM -0600, John Goerzen wrote:
Ah, sorry for the noise. 698737 did not show up on
bugs.debian.org/owncloud and I didn't think to check the src:.
No problem. I'm unsure if I should have reported this against
owncloud instead of src:owncloud. But
Hi Christine
I noticed you already uploaded 1.31 fixing #699625 which is great,
thanks for working on this issue and fixing it already.
There is however one unfortunate thing:
91 files changed, 28516 insertions(+), 2085 deletions(-)
This is a problem as the fix needs to go to testing too, but
Hi
On Tue, Feb 05, 2013 at 08:26:53AM +, Chrissie Caulfield wrote:
On 04/02/13 22:14, Salvatore Bonaccorso wrote:
Hi Christine
I noticed you already uploaded 1.31 fixing #699625 which is great,
thanks for working on this issue and fixing it already.
There is however one unfortunate
Hi Anibal
On Mon, Jan 21, 2013 at 02:50:43PM +0100, Salvatore Bonaccorso wrote:
Reverting the patch 03-627217-netio.patch let it work in a mixed
squeeze, wheezy environment. If 627217 can be fixed, it should probably
without breaking the protocol. After reverting the patch the requests
give
Package: keystone
Severity: grave
Tags: security
Justification: user security hole
Hi,
the following vulnerability was published for keystone.
CVE-2013-0247[0]:
Keystone denial of service through invalid token requests
Patches should be available via [1].
If you fix the vulnerability please
Hi
One further follow up: The Security Team marked the issue as no-dsa in
the Security-Tracker[1]. So an update for Squeeze might go through a p-u
upload.
[1] https://security-tracker.debian.org/tracker/CVE-2013-0251
Thanks for fixing this issue quickly!
Regards,
Salvatore
--
To
Source: ruby-rack
Severity: grave
Tags: security
Hi,
the following vulnerabilities were published for ruby-rack.
CVE-2013-0262[0]:
Path sanitization information disclosure
CVE-2013-0263[1]:
Timing attack in cookie sessions
If you fix the vulnerabilities please also make sure to include the
...@ubuntu.com (Closes: #700098) (LP: #1104425)
+
+ -- Salvatore Bonaccorso car...@debian.org Sat, 09 Feb 2013 18:38:28 +0100
+
cfingerd (1.4.3-3) unstable; urgency=low
* Approve NMU
diff -u cfingerd-1.4.3/src/rfc1413.c cfingerd-1.4.3/src/rfc1413.c
--- cfingerd-1.4.3/src/rfc1413.c
+++ cfingerd-1.4.3/src
)
+
+ -- Salvatore Bonaccorso car...@debian.org Sat, 09 Feb 2013 18:38:28 +0100
+
cfingerd (1.4.3-3) unstable; urgency=low
* Approve NMU
diff -u cfingerd-1.4.3/src/rfc1413.c cfingerd-1.4.3/src/rfc1413.c
--- cfingerd-1.4.3/src/rfc1413.c
+++ cfingerd-1.4.3/src/rfc1413.c
@@ -25,7 +25,9 @@
* the implementation
Control: clone -1 -2
Control: retitle -1 ruby-rack: CVE-2013-0262: Path sanitization information
disclosure
Control: retitle -2 ruby-rack: CVE-2013-0263: Timing attack in cookie sessions
Hi
On Sun, Feb 10, 2013 at 11:14:50AM +0900, Satoru KURASHIKI wrote:
hi,
For further information see:
Hi Jonas, Hi Martin
On Mon, Feb 04, 2013 at 04:12:00AM +0100, Cyril Brulebois wrote:
Package: radicale
Version: 0.7-1
Severity: serious
Tags: patch
Justification: dependency issue
Hi,
radicale depends on python-radicale, without a version. Partial upgrades
from squeeze can leave
Hi James
Disclaimer: Only did a quick check.
On Sun, Feb 10, 2013 at 10:25:27AM -0500, James McCoy wrote:
Control: tag -1 patch
On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote:
Some additional information: In most usual cases where zoneminder is
set up, there should
Hi Jonas
On Mon, Feb 11, 2013 at 05:37:06AM +0100, Jonas Smedegaard wrote:
Quoting Salvatore Bonaccorso (2013-02-10 21:26:46)
Hi Jonas, Hi Martin
On Mon, Feb 04, 2013 at 04:12:00AM +0100, Cyril Brulebois wrote:
Package: radicale
Version: 0.7-1
Severity: serious
Tags: patch
On Mon, Feb 11, 2013 at 12:42:10PM +0100, Jonas Smedegaard wrote:
Quoting Salvatore Bonaccorso (2013-02-11 07:38:44)
Hi Jonas
On Mon, Feb 11, 2013 at 05:37:06AM +0100, Jonas Smedegaard wrote:
Quoting Salvatore Bonaccorso (2013-02-10 21:26:46)
Hi Jonas, Hi Martin
On Mon, Feb
Hi
On Sun, Feb 10, 2013 at 10:25:27AM -0500, James McCoy wrote:
On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote:
Some additional information: In most usual cases where zoneminder is
set up, there should be authentication first. So this limits somehow
the vulnerability
Control: retitle 700234 transmission-daemon: CVE-2012-6129: Transmission can be
made to crash remotely
Hi
On Sun, Feb 10, 2013 at 01:22:28PM +0100, Yves-Alexis Perez wrote:
On dim., 2013-02-10 at 11:50 +0100, Josselin Mouette wrote:
Package: transmission-daemon
Version: 2.52-3
Severity:
Control: tags -1 + unreproducible moreinfo
Hi
On Thu, Feb 14, 2013 at 10:43:45AM +0200, debuser1978 wrote:
Package: padre
Version: 0.63.ds1-1
Severity: grave
Justification: renders package unusable
Installed padre 0.63.ds1-1 (stable) from Synaptic.
When starting from command line:
Hi Timo
On Thu, Feb 07, 2013 at 12:51:59AM +0200, Timo Aaltonen wrote:
On 03.02.2013 23:59, Moritz Mühlenhoff wrote:
On Sun, Jan 27, 2013 at 11:45:06AM +0200, Timo Aaltonen wrote:
On 26.01.2013 23:06, Salvatore Bonaccorso wrote:
Hi Timo
On Thu, Jan 24, 2013 at 08:46:43PM +0200, Timo
Hi
(Hmm, strange, I have not received this followup)
On Thu, Feb 14, 2013 at 11:35:31AM -0800, Vagrant Cascadian wrote:
Which allowed a shell accessible via netcat on port 1337 with the version
present in squeeze (1.24.2-8).
With a package built with the patch applied, I was not able to
Package: pyrad
Version: 2.0-1
Severity: grave
Tags: security
Control: found -1 1.2-1
Hi,
the following vulnerabilities were published for pyrad.
CVE-2013-0294[0]:
potentially predictable password hashing
CVE-2013-0295[1]:
CreateID() creates serialized packet IDs for RADIUS
Note: it's currently
Control: retitle -1 CVE-2013-0296: pigz creates temp files with too wide
permissions
Hi
On Fri, Feb 15, 2013 at 12:30:09PM +0400, Michael Tokarev wrote:
When asked to compress a file with restricted permissions (like
mode 0600), the .gz file pigz creates while doing this has
usual mode
Control: retitle -1 pyrad: CVE-2013-0294: potentially predictable password
hashing
Hi
CVE-2013-0295 was rejected and only CVE-2013-0294 is to be used for both
issues.
http://marc.info/?l=oss-security&m=136099660015589&w=2
Regards,
Salvatore
Hi Jeremy
Thanks for already fixing the issue for pyrad in unstable. As the
debdiff between 1.2-1 and 2.0-2 looks quite big, it cannot be a
candidate for an unblock per se to testing.
Could you also prepare a package targeting wheezy (versioned as
1.2-1+deb7u1) only containing the changes to fix
Hi all
On Sun, Feb 17, 2013 at 12:19:00AM +, Jonathan Wiltshire wrote:
On Sun, Feb 17, 2013 at 12:16:32AM +0100, Jeremy Lainé wrote:
Dear release team,
Yesterday the following security vulnerability in the pyrad
package was brought to my attention by Salvatore Bonaccorso:
https
Hi Jeremy
On Sun, Feb 17, 2013 at 12:09:32AM +0100, Jeremy Lainé wrote:
I have just uploaded the requested version to
testing-proposed-updates and will get in touch with the release team
to allow it into wheezy.
Thank you, have seen the mail.
For squeeze, the package will be exactly the
Hi Luciano and Moritz
On Sat, Feb 02, 2013 at 01:54:32PM +0100, Luciano Bello wrote:
Package: corosync
Severity: important
Tags: security patch
Justification: user security hole
Hi there,
Please, take a look to this thread:
http://seclists.org/oss-sec/2013/q1/212
The patch is
Hi Jeremy
On Sun, Feb 17, 2013 at 12:09:32AM +0100, Jeremy Lainé wrote:
For squeeze, the package will be exactly the same (squeeze / wheezy
both have pyrad 1.2-1), but what should the version number be?
This issue was now classified as 'no-dsa'[1]. Could you prepare an
upload targeting stable
Hi Luigi
squid3 in stable is still affected by #696187: cachemgr.cgi denial of
service.
Could you prepare an upload for CVE-2012-5643 and subsequent
CVE-2013-0189 targeting stable-security for a DSA?
Note that the initial patch was incomplete and the full fix is at [1].
[1]:
Package: zoneminder
Version: 1.24.2-8
Severity: grave
Tags: security patch
Justification: user security hole
Control: fixed -1 1.25.0-1
Hi
In zoneminder forum there is the following security patch announce:
http://www.zoneminder.com/forums/viewtopic.php?f=1&t=17979
1.24.2-8 is affected by this
Hi Thomas
This is to notify you about a problem in the CVEs used: There was a
small unclear situation on assigning the CVEs for these issues
apparently, see [1].
[1]: http://marc.info/?l=oss-security&m=136129931825949&w=2
In short: CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280 were
rejected and
Package: isync
Version: 1.0.4-2.1
Severity: grave
Tags: security patch
Hi,
the following vulnerability was published for isync.
CVE-2013-0289[0]:
missing SSL subject verification
A patch is available in upstream's git repository[1].
If you fix the vulnerability please also make sure to
Hi
The following CVEs were now assigned to it[1]. Could you please
include the CVE identifiers when fixing the package.
[1]: http://marc.info/?l=oss-security&m=136142857313675&w=2
CVE-2013-0327
CVE-2013-0328
CVE-2013-0329
CVE-2013-0330
CVE-2013-0331
Control: retitle -1 zoneminder: CVE-2013-0332: local file inclusion
vulnerability
Hi
A CVE was assigned now to this issue: CVE-2013-0332.
Regards,
Salvatore
Package: owncloud
Severity: grave
Tags: security
Hi
Another owncloud advisory announcing multiple XSS vulnerabilities in
owncloud was released. See [1] for more details.
[1]: http://owncloud.org/about/security/advisories/oC-SA-2013-003/
Assigned CVEs are:
CVE-2013-0297, CVE-2013-0307 (4.0
Control: retitle -1 owncloud: multiple vulnerabilities (oC-SA-2013-003,
oC-SA-2013-004, oC-SA-2013-006)
Hi
I have missed some more advisories:
oC-SA-2013-003: http://owncloud.org/about/security/advisories/oC-SA-2013-003/
- CVE-2013-0297, CVE-2013-0307 (affecting 4.0.x series)
oC-SA-2013-004:
Control: found -1 1.99.9-1
Hi all
I had a look at the version in experimental:
On Mon, Feb 18, 2013 at 09:23:20PM +0100, Martin Gerhard Loschwitz wrote:
I don't think we have Corosync 2.0 anywhere (we have 1.99 in experimental, I
don't know if that specific version is affected or not just
Package: nagios-nrpe
Severity: grave
Tags: security
Hi
On the bugtraq mailing list it was reported publicly[1]. If support for
command arguments in the daemon is enabled then it would be possible
to pass $() and possibly execute shell commands when run under bash.
Upstream has released 2.14
On Sat, Feb 23, 2013 at 08:33:20AM +0100, Salvatore Bonaccorso wrote:
In the Debian package we have explicitly --enable-command-args so the
Debian packages look affected.
But needs to be explicitly enabled in /etc/nagios/nrpe.cfg, should be
added to the above.
Regards,
Salvatore
Hi Alex, Hi Thijs
I was looking through the bugs for nagios-nrpe, and noticed #547092
where there was an upload to address it, but the bug was not closed.
I wondered if this was intentional, as the original issue is only
addressed by making clear in the documentation where the issues are.
Hi Alex
On Sat, Feb 23, 2013 at 01:17:03PM +0100, Alexander Wirt wrote:
On Sat, 23 Feb 2013, Salvatore Bonaccorso wrote:
Hi Alex, Hi Thijs
I was looking through the bugs for nagios-nrpe, and noticed #547092
where there was an upload to address it, but the bug was not closed.
I
Ciao Luigi
On Sat, Feb 23, 2013 at 04:41:51PM +0100, Luigi Gangitano wrote:
Ciao Salvatore,
Thanks a lot for your NMU. I really appreciate your help.
Thank you for your feedback! I now also would have the package ready
targeting stable-security.
Regards,
Salvatore
/changelog
@@ -1,3 +1,12 @@
+isync (1.0.4-2.2) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Apply upstream patch for CVE-2013-0289.
+Fix incorrect server's SSL x509.v3 certificate validation when
+performing IMAP synchronization. (Closes: #701052)
+
+ -- Salvatore Bonaccorso car
Hi
On Sun, Feb 24, 2013 at 06:09:45PM +, Jonathan Wiltshire wrote:
On Sat, Feb 23, 2013 at 01:33:58PM +, Adam D. Barratt wrote:
On Sun, 2013-02-17 at 13:59 +, Jonathan Wiltshire wrote:
On Sun, Feb 17, 2013 at 08:06:36AM +0100, Salvatore Bonaccorso wrote:
Assuming
Hi Vagrant and Peter
On Thu, Feb 14, 2013 at 11:35:31AM -0800, Vagrant Cascadian wrote:
Anything more needed for the security team? Which queue should it be
uploaded to?
Apologies for the delay. Could you also address #700912 (CVE-2013-0332)
for the stable-security update.
I think we can
Hi Timo
Any update on this? I see the patches at [1]. At this stage of the
release I'm unsure the other changes are acceptable. Do you have time
to prepare an upload only addressing #698871? If you get an ACK from
the release team I would happily sponsor the upload if needed.
[1]:
Control: found -1 0.8.3-5+squeeze2
Control: found -1 0.9.12-6
Control: found -1 0.9.12-7
Hi Guido
On Tue, Feb 26, 2013 at 11:44:28AM +0100, Guido Günther wrote:
This also affects stable, bpo and wheezy. The attached fix that I
applied to the version in experimental applies to 0.9.12 as well.
Control: tags -1 + patch
Only for direct reference: A patch looks available through the following
commit:
http://mspgcc.git.sourceforge.net/git/gitweb.cgi?p=mspgcc/gcc;a=commitdiff;h=0594213396817815f584efe3257987e704b4f187
Package: chicken
Version: 4.5.0-1
Severity: grave
Tags: security patch
Hi,
@Release Team: This probably should not delay the release for wheezy, as
chicken has another security-relevant bug report open (#702410) with the
wheezy-ignore tag. The same can be done here, IMO.
the following vulnerability
Hi Steven, hi Arthur
On Thu, May 02, 2013 at 11:55:22PM +0200, Arthur de Jong wrote:
On Wed, 2013-05-01 at 23:05 +0100, Steven Chamberlain wrote:
I noticed (by chance) there is a problem with the squeeze-security
patch for #690319; it introduces a regression on kfreebsd and has not
built.
Hi
Additional update for CVE-2012-6122:
http://lists.nongnu.org/archive/html/chicken-announce/2013-05/msg0.html
Regards,
Salvatore
Control: tags -1 + confirmed
Hi Lucas
Thanks for your rebuilds :). Can confirm this.
On Thu, May 09, 2013 at 10:12:27AM +0200, Lucas Nussbaum wrote:
Source: perlipq
Version: 1.25-3
Severity: serious
Tags: jessie sid
User: debian...@lists.debian.org
Usertags: qa-ftbfs-20130509 qa-ftbfs
Package: libvirt
Version: 1.0.5-2
Severity: grave
Tags: security upstream patch
Hi,
the following vulnerability was published for libvirt.
CVE-2013-1962[0]:
DoS (max count of open files exhaustion) due to sockets leak in the storage pool
Upstream patch can be found at [1].
If you fix the
Hi Gregor, hi Michael
On Sat, May 18, 2013 at 07:14:56PM +0200, gregor herrmann wrote:
On Sun, 16 Dec 2012 05:53:22 +0100, Michael Biebl wrote:
Attached is a build-tested patch.
Please review and apply.
After applying the patch, the build fails for me (tested in an amd64
and in 386 sid
Hi
On Thu, May 23, 2013 at 10:57:35PM -0700, Dana Jacobsen wrote:
I just found this report of build failures on the Debian mailing list -- I
had not seen these before. I managed to reproduce it on a Power7 machine,
and found the fix.
I see that the issue came up when I switched the ranged
Hi Dana
On Thu, May 23, 2013 at 10:57:35PM -0700, Dana Jacobsen wrote:
I just found this report of build failures on the Debian mailing list -- I
had not seen these before. I managed to reproduce it on a Power7 machine,
and found the fix.
I see that the issue came up when I switched the
Hi
On Tue, Jan 08, 2013 at 02:06:39AM +0900, Nobuhiro Ban wrote:
Package: jenkins
Version: 1.447.2+dfsg-2
Severity: grave
Tags: security
Dear Maintainer,
The upstream vendor announced a security advisory, that is rated
critical severity.
See:
Package: poppler
Severity: grave
Tags: security
Hi,
the following vulnerabilities were published for poppler.
CVE-2013-1788[0]:
invalid memory issues
CVE-2013-1789[1]:
crash in broken documents
CVE-2013-1790[2]:
uninitialized memory read
Patches are referenced in the Red Hat Bugzilla to the
Ciao Pino
Thanks for already working on it!
On Sat, Mar 02, 2013 at 06:58:31PM +0100, Pino Toscano wrote:
Would it be possible to have all the test cases references by the CVEs?
(You can email them to me directly, of course.)
Some of the commits mentioned in the Red Hat bugs refer to code
Control: retitle -1 Update libextlib-ruby / ruby-extlib for vulnerabilities
(Re: CVE-2013-1802)
Hi
A separate CVE was assigned to this vulnerability: CVE-2013-1802
Regards,
Salvatore
Control: tags -1 + patch
Hi Alex
On Sat, Feb 23, 2013 at 01:19:14PM +0100, Alexander Wirt wrote:
On Sat, 23 Feb 2013, Salvatore Bonaccorso wrote:
On Sat, Feb 23, 2013 at 08:33:20AM +0100, Salvatore Bonaccorso wrote:
In the debian package we have explicitly --enable-command-args so
Hey Alex
On Mon, Mar 04, 2013 at 09:06:52AM +0100, Alexander Wirt wrote:
[...]
In fact it looks like the patch on my disk :). I am sorry for not handling
this earlier, but our new bathroom took my whole spare time in the last
weeks.
It should be better this week.
Okay and thank you!
Hi all
On Mon, Feb 27, 2012 at 08:27:05PM +0100, Florian Weimer wrote:
* Antoine Beaupré:
I don't actually know - I followed your lead and used that patch in the
bugzilla Redhat bugtrackers:
Source: perl
Version: 5.10.1-17squeeze4
Severity: grave
Tags: security patch
Control: found -1 5.16.2-1
Hi Niko and Dominic
A hash-related flaw was announced today and CVE-2013-1667 assigned
to it.
For further reference see [1,2].
[1]:
Hi Raphael, Ganglia maintainers
On Thu, Feb 21, 2013 at 02:50:13PM +0100, Raphael Geissert wrote:
The other operations related to views (in views_view.php) are all
still vulnerable to XSS via the view_name GET parameter.
Also reported this now to upstream issue tracker, sorry for the delay.
On Tue, Mar 05, 2013 at 03:26:46PM +0100, Salvatore Bonaccorso wrote:
Hi Raphael, Ganglia maintainers
On Thu, Feb 21, 2013 at 02:50:13PM +0100, Raphael Geissert wrote:
The other operations related to views (in views_view.php) are all
still vulnerable to XSS via the view_name GET parameter
Further information at [1].
[1]: https://dev.twitter.com/blog/planning-for-api-v1-retirement
Salvatore
)
+
+ -- Salvatore Bonaccorso car...@debian.org Thu, 07 Mar 2013 17:06:28 +0100
+
gksu-polkit (0.0.3-1) unstable; urgency=low
* Fix glib includes (Closes: #665534)
only in patch2:
unchanged:
--- gksu-polkit-0.0.3.orig/data/org.gnome.gksu.policy
+++ gksu-polkit-0.0.3/data/org.gnome.gksu.policy
@@ -10,9
Control: clone 702486 -1
Control: reassign -1 libnet-twitter-lite-perl
Control: retitle -1 libnet-twitter-perl: needs update for new Twitter API
On Thu, Mar 07, 2013 at 07:28:50AM +0100, Ansgar Burchardt wrote:
Package: libnet-twitter-perl
Severity: grave
Let's turn this into a proper bug
Source: ruby1.9.1
Severity: grave
Tags: security upstream patch
Hi,
the following vulnerability was published for ruby1.9.1.
CVE-2013-1821[0]:
entity expansion DoS vulnerability in REXML
More details are explained in the upstream announcement[1]. Patches
are committed to svn with revision
Source: ruby1.8
Severity: grave
Tags: security upstream patch
Hi,
the following vulnerability was published for ruby.
CVE-2013-1821[0]:
entity expansion DoS vulnerability in REXML
More details are explained in the upstream announcement[1]. Patches (for
ruby1.9.1) are committed to svn with
+Origin: upstream,
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revisionrevision=39384view=patch
+Bug-Debian: http://bugs.debian.org/702525
+Forwarded: not-needed
+Author: Salvatore Bonaccorso car...@debian.org
+Last-Update: 2013-03-08
+Applied-Upstream: yes
+
+--- a/lib/rexml/document.rb
b
: upstream, http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revisionrevision=39384view=patch
+Bug-Debian: http://bugs.debian.org/702525
+Forwarded: not-needed
+Author: Salvatore Bonaccorso car...@debian.org
+Last-Update: 2013-03-08
+Applied-Upstream: yes
+
+--- a/lib/rexml/document.rb
b/lib/rexml
on the system. (Closes: #702526)
+
+ -- Salvatore Bonaccorso car...@debian.org Sat, 09 Mar 2013 08:05:35 +0100
+
ruby1.8 (1.8.7.358-6) unstable; urgency=high
* Timeout the execution of the tests after 2 hours. This should fix the
diff -Nru ruby1.8-1.8.7.358/debian/patches/CVE-2013-1821.patch
Hi Tzafrir!
Is there any news on this?
I have noticed that in the svn repository for asterisk there is
already:
asterisk (1:1.8.13.1~dfsg-2) unstable; urgency=high
* Patches backported from Asterisk 1.8.19.1 (Closes: #697230):
- Patch AST-2012-014 (CVE-2012-5976) - fixes Crashes due to
Source: firebird2.1
Severity: grave
Tags: security
Hi
the following vulnerability was published for firebird2.1.
CVE-2013-2492[0]:
Request Processing Buffer Overflow Vulnerability
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in
Source: firebird2.5
Severity: grave
Tags: security
Hi
the following vulnerability was published for firebird2.5.
CVE-2013-2492[0]:
Request Processing Buffer Overflow Vulnerability
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in
Control: retitle -1 TYPO3-CORE-SA-2013-001: SQL Injection and Open Redirection
in TYPO3 Core (CVE-2013-1842, CVE-2013-1843)
Hi
Only for reference, CVEs were assigned to it now:
CVE-2013-1842 for Typo3 Extbase Framework SQL Injection
Hi all
On Thu, Mar 14, 2013 at 08:54:06AM -, Steve Hay wrote:
Niko Tyni wrote on 2013-03-13:
On Wed, Mar 13, 2013 at 09:13:15AM -, Steve Hay wrote:
Dominic Hargreaves wrote on 2013-03-12:
When trying to fix this issue in Debian stable, I found that the
patch
at
Hi Dmitry
On Thu, Mar 14, 2013 at 04:01:25PM +0400, Dmitry E. Oboukhov wrote:
Can you please downgrade back and verify that the crashes go away
with 2.0.7-1?
No, 2.0.7-1 is already removed from repo :(
You can find old package versions at
Hi
On Thu, Mar 14, 2013 at 05:03:21PM +0400, Dmitry E. Oboukhov wrote:
I downgraded mod-perl, 2.0.7-1 crashes, too (the same backtrace)
Then I downgraded apache to 2.2.22-12 and 2.2.22-12 + modperl 2.0.7-1
don't crash. Also apache 2.2.22-12 and modperl 2.0.7-2 don't crash,
too.
Package: owncloud
Severity: grave
Tags: security
Hi,
the following vulnerabilities were published for owncloud.
CVE-2013-1851[0]:
user_migrate: Local file disclosure
CVE-2013-1850[1]:
Contacts: Bypass of file blacklist
If you fix the vulnerabilities please also make sure to include the
CVE
Hi!
On Fri, Mar 15, 2013 at 03:33:05PM +0100, Yves-Alexis Perez wrote:
On jeu., 2013-03-14 at 22:48 -0400, Michael Gilbert wrote:
Hi,
I've prepared new nss packages fixing the lucky 13 issue:
http://people.debian.org/~mgilbert
For the mozilla team, this is a new upstream, so would
Hi
On Fri, Mar 15, 2013 at 05:56:05PM -, Steve Hay wrote:
[...]
Zefram has now come up with an even better patch (on the same RT
ticket), after reproducing the Debian 5.10.1 failure himself.
Please take a look (I've also attached it here for your convenience) and
let me know whether
to the patterns to exclude more special
+characters. (Closes: #659899)
+
+ -- Salvatore Bonaccorso car...@debian.org Fri, 15 Mar 2013 22:46:57 +0100
+
smokeping (2.3.6-5) unstable; urgency=medium
* debian/patches/20_html-parser.dpatch: fix an incompatibility with
diff -u smokeping-2.3.6
Control: fixed -1 2.3.6-5+squeeze1
Control: tags -1 pending
Control: block -1 with 703193
On 2013-03-16, Salvatore Bonaccorso wrote:
Control: fixed -1 2.6.7-1
Hi Steven
On Sat, Mar 16, 2013 at 12:40:04PM +, Steven Chamberlain wrote:
Control: reopen -1
Hmm, as Adam wrote
On Sat, Mar 16, 2013 at 10:47:54PM +0100, Salvatore Bonaccorso wrote:
Hmm, this will quite sure not be approved. And Jonathan Wiltshire
already commented there. A new upstream version at this stage of the
freeze is not acceptable. But how about the attached patch for
unstable?
... which I
Hi!
On Sun, Mar 17, 2013 at 12:29:45PM +0100, Yves-Alexis Perez wrote:
On dim., 2013-03-17 at 08:56 +0100, Salvatore Bonaccorso wrote:
open /dev/kvm: Permission denied
Could not initialize KVM, will disable KVM support
Can you check permissions on the /dev/kvm device and the groups
Hi
On Sun, Mar 17, 2013 at 08:07:51PM +0100, Yves-Alexis Perez wrote:
On dim., 2013-03-17 at 19:23 +0100, Guido Günther wrote:
Uploaded. But can we please wait until somebody else confirms the
packages at
http://honk.sigxcpu.org/projects/libvirt/snapshots/
are working for
Hi Michael
On Sun, Mar 17, 2013 at 03:04:15PM -0400, Michael Gilbert wrote:
control: tag -1 patch
Hi, I've uploaded an nmu to delayed/2 fixing this issue. Please see
attached patch.
Thank you for taking this. I read through your proposed text; it looks
good. Only one comment, if you could please
Hi Pino
On Mon, Mar 18, 2013 at 02:48:18PM +0100, Pino Toscano wrote:
I've verified the issues, and the situation that I found for current
wheezy+sid (= 0.18.4-5) is the following:
Alle sabato 2 marzo 2013, Salvatore Bonaccorso ha scritto:
CVE-2013-1788[0]:
invalid memory issues
Hi Benjamin
On Tue, Mar 19, 2013 at 04:04:59PM -0400, Benjamin Kaduk wrote:
On Tue, 19 Mar 2013, Adam D. Barratt wrote:
On Tue, 2013-03-19 at 15:47 -0400, Benjamin Kaduk wrote:
reopen 702633
Why? Do you believe that the 1.10.1+dfsg-4+nmu1 package does not contain
a fix for this bug?
Control: severity -1 important
Hi
I'm downgrading the bug to severity important for now. Did you
already have a chance to try the downgrade of libapache2-mod-perl2
only again and see if the segfaults reappear?
If so, could you give some more information as asked by Niko to see if
this is
Hi Pino
On Mon, Mar 18, 2013 at 05:10:00PM +0100, Salvatore Bonaccorso wrote:
Hi Pino
On Mon, Mar 18, 2013 at 02:48:18PM +0100, Pino Toscano wrote:
I've verified the issues, and the situation that I found for current
wheezy+sid (= 0.18.4-5) is the following:
Alle sabato 2 marzo 2013
Hi Angel
Disclaimer: not part of the release team but noticed #702911 as the
corresponding #702905 in almanah fixes a security bug.
It looks like your unblock request never went through the list, as the
debdiff is quite big. At this stage of the release the release team
will probably not
Source: moodle
Severity: grave
Tags: security
Hi,
the following vulnerabilities were published for moodle.
CVE-2013-1829[0]:
Calendar subscription capability issue
(this seems not to affect moodle in Debian as versions affected are
reported as 2.4 to 2.4.1)
CVE-2013-1830[1]:
Information leak
Hi
On Sat, Mar 09, 2013 at 07:20:44PM +0100, Salvatore Bonaccorso wrote:
Hi Tzafrir!
Are there news on this?
I have noticed that in the svn repository for asterisk there is
already:
asterisk (1:1.8.13.1~dfsg-2) unstable; urgency=high
* Patches backported from Asterisk 1.8.19.1 (Closes
Hi
See also
http://marc.info/?l=oss-security&m=136419144903756&w=2
Regards,
Salvatore