Re: Icedove security update for Wheezy LTS

2016-05-13 Thread Christoph Goehre
Hi Markus, On Fri, May 13, 2016 at 06:54:39PM +0200, Markus Koschany wrote: > If you don't want to do it, no problem, please let us know and we will > take care of the rest. please take care of it. Icedove 38.8.0-1~deb7u1 fixes the following Mozilla Foundation Security Advisories (MFSA) -

Re: Accepted libuser 1:0.56.9.dfsg.1-1.2+deb7u1 (source amd64) into oldstable

2016-05-13 Thread Holger Levsen
Hi Markus, On Thu, May 12, 2016 at 08:31:46PM +0200, Markus Koschany wrote: > > do you plan to also fix it in unstable? (and jessie…?) > Yes, I intend to lend the Security Team a hand with a stable update as > usual. cool! :) > Moreover I tested the new version by using the public exploit for

Re: Accepted libuser 1:0.56.9.dfsg.1-1.2+deb7u1 (source amd64) into oldstable

2016-05-13 Thread Holger Levsen
On Fri, May 13, 2016 at 09:36:19AM +0200, Raphael Hertzog wrote: > I don't think we ever agreed on this. We should make sure that > a fix in unstable is going to happen so we have to make sure that a bug > with a proper severity is filed and we should share there our patch to > help kickstart the

Icedove security update for Wheezy LTS

2016-05-13 Thread Markus Koschany
Hello Christoph, thanks for your Icedove security update. We usually send an e-mail to debian-lts-announce to make users aware of the changes. Do you want to take care of this yourself? Then please follow our workflow that we have outlined at

Re: Unsupported packages for Wheezy LTS

2016-05-13 Thread Simon Iremonger (debian)
>>> AFAIK Xen in Wheezy is using the version shipped with Xen itself and we Yes, and this is used to support HVM mode guests, where the security of qemu matters. Seemingly (from qemu/VERSION) this is a very old "0.10.2" version of qemu!!! I do wonder to what extent updating _that_ qemu used to

Re: Unsupported packages for Wheezy LTS

2016-05-13 Thread Antoine Beaupré
On 2016-05-13 06:30:35, Moritz Muehlenhoff wrote: > On Fri, May 13, 2016 at 12:21:13PM +0200, Raphael Hertzog wrote: >> On Fri, 13 May 2016, Moritz Muehlenhoff wrote: >> > > I'm not convinced that >> > > supporting the current Wheezy versions of QEMU for two more years is of >> > > much use (in

Re: Unsupported packages for Wheezy LTS

2016-05-13 Thread Guido Günther
Hi, On Fri, May 13, 2016 at 12:30:35PM +0200, Moritz Muehlenhoff wrote: > On Fri, May 13, 2016 at 12:21:13PM +0200, Raphael Hertzog wrote: > > On Fri, 13 May 2016, Moritz Muehlenhoff wrote: > > > > I'm not convinced that > > > > supporting the current Wheezy versions of QEMU for two more years is

Re: Bug#824015: Unsupported packages for Wheezy LTS

2016-05-13 Thread Raphael Hertzog
On Fri, 13 May 2016, Santiago Ruano Rincón wrote: > > And announce those changes at the same time ideally. > > Through DLAs maybe? Yes, a DLA is fine for this. > I have a pending upload to close #824015, but now I'd prefer to wait > until May 23, for giving time to decide on this, and to wait

Re: Supporting libav in wheezy

2016-05-13 Thread Sebastian Ramacher
(Please CC me, I'm not subscribed.) Hi On 2016-05-02 20:46:37, Brian May wrote: > Raphael Hertzog writes: > > > There's also an alternate way to go forward... continue to support > > the current version with paid external help if needed. > >

Re: icu package and debdiff [new contributor, first attempt]

2016-05-13 Thread Roberto C . Sánchez
On Thu, May 12, 2016 at 05:07:21PM -0400, Antoine Beaupré wrote: > > I will unfortunately not be able to do that until next week, unless > there's some sort of emergency. But given that this package has been > rotting there for a while, I don't feel like I should just drop > everything just yet.

Re: Unsupported packages for Wheezy LTS

2016-05-13 Thread Raphael Hertzog
On Fri, 13 May 2016, Moritz Muehlenhoff wrote: > > I'm not convinced that > > supporting the current Wheezy versions of QEMU for two more years is of > > much use (in contrast to the version currently in Jessie) compared to > > the effort of backporting security fixes. > > Ack. I'm not sure that

Re: Unsupported packages for Wheezy LTS

2016-05-13 Thread Moritz Muehlenhoff
On Fri, May 13, 2016 at 12:09:08PM +0200, Guido Günther wrote: > On Fri, May 13, 2016 at 09:40:42AM +0200, Raphael Hertzog wrote: > > On Thu, 12 May 2016, Guido Günther wrote: > > > > I would rather see qemu supported, in other words. But the version in > > > > wheezy is really old, and in

Re: Unsupported packages for Wheezy LTS

2016-05-13 Thread Guido Günther
On Fri, May 13, 2016 at 09:40:42AM +0200, Raphael Hertzog wrote: > On Thu, 12 May 2016, Guido Günther wrote: > > > I would rather see qemu supported, in other words. But the version in > > > wheezy is really old, and in xen/wheezy even more so. > > > > AFAIK Xen in Wheezy is using the version

Re: Unsupported packages for Wheezy LTS

2016-05-13 Thread Santiago Ruano Rincón
Hi, On 13/05/16 at 09:51, Raphael Hertzog wrote: > Hello, > > On Thu, 12 May 2016, Markus Koschany wrote: > > I saw those commits too yesterday. I would suggest that we discuss EOLed > > packages on debian-lts before we mark CVEs as unsupported in Wheezy LTS. > > Definitely, we should not

Re: Unsupported packages for Wheezy LTS

2016-05-13 Thread Raphael Hertzog
Hi, On Thu, 12 May 2016, Guido Günther wrote: > I have maintained icedove a while ago and know the codebase a bit. I'm > also sure we might get support from the current maintainers as long as > we're able to build the ESR releases for wheezy - which is Debian's > standard way to deal with

Re: Unsupported packages for Wheezy LTS

2016-05-13 Thread Raphael Hertzog
Hello, On Thu, 12 May 2016, Markus Koschany wrote: > I saw those commits too yesterday. I would suggest that we discuss EOLed > packages on debian-lts before we mark CVEs as unsupported in Wheezy LTS. Definitely, we should not mark CVE as "end-of-life" before we agreed to mark it as such in

Re: Unsupported packages for Wheezy LTS

2016-05-13 Thread Raphael Hertzog
On Thu, 12 May 2016, Antoine Beaupré wrote: > On 2016-05-12 09:16:15, Santiago Ruano Rincón wrote: > > Also, Antoine has filed a bug [1] regarding libmatroska and libebml, > > but DLA-420-1 and DLA-438-1 addressed those packages. Antoine, why they > > should be tagged as not-supported? > > Uh! I

Re: Unsupported packages for Wheezy LTS

2016-05-13 Thread Raphael Hertzog
On Thu, 12 May 2016, Guido Günther wrote: > > I would rather see qemu supported, in other words. But the version in > > wheezy is really old, and in xen/wheezy even more so. > > AFAIK Xen in Wheezy is using the version shipped with Xen itself and we > have gathered extra support for this so

Re: Accepted libuser 1:0.56.9.dfsg.1-1.2+deb7u1 (source amd64) into oldstable

2016-05-13 Thread Raphael Hertzog
On Thu, 12 May 2016, Holger Levsen wrote: > I think there should be the general rule to always fix things in > unstable first, even if this requires an NMU by the LTS team. I also > thought we agreed on this previously, but I might be wrong here. We > certainly discussed this before… I don't