Accepted firefox-esr 45.3.0esr-1~deb7u1 (source all amd64) into oldstable

2016-08-02 Thread Mike Hommey
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Wed, 03 Aug 2016 06:33:48 +0900 Source: firefox-esr Binary: firefox-esr iceweasel firefox-esr-dbg iceweasel-dbg firefox-esr-dev iceweasel-dev firefox-esr-l10n-all iceweasel-l10n-all firefox-esr-l10n-ach iceweasel-l10n-ach

Wheezy update of libsys-syslog-perl?

2016-08-02 Thread Jonas Meurer
Hello dear maintainer(s), the Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of libsys-syslog-perl: https://security-tracker.debian.org/tracker/CVE-2016-1238 Would you like to take care of this yourself? If yes, please follow the workflow we

Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling

2016-08-02 Thread Roberto C . Sánchez
On Wed, Aug 03, 2016 at 12:25:32AM +0200, Ola Lundqvist wrote: >Hi >Maybe. However if someone is added to a users group that should really >mean that they should at least be able to read things, even though they >may not be able to write to stuff. So I actually think bash and

Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling

2016-08-02 Thread Ola Lundqvist
Hi Maybe. However if someone is added to a users group that should really mean that they should at least be able to read things, even though they may not be able to write to stuff. So I actually think bash and others do the wrong thing here. The way I have done it is also more in line with

Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling

2016-08-02 Thread Emilio Pozuelo Monfort
On 02/08/16 23:57, Ola Lundqvist wrote: > Hi Chris > > The reason I do not simply set the umask to a fixed value is to use the same > principle as upstream. That is honor the umask set by the user. There may be > reasons why group read and/or write should be set for example. > > I agree with

Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling

2016-08-02 Thread Ola Lundqvist
Hi Chris I had this // Make sure this file is not readable by others But maybe it was not clear enough. :-) // Ola On Wed, Aug 3, 2016 at 12:00 AM, Chris Lamb wrote: > > This is why I just override the "world readable" part and > > let the rest be controlled by the user. >

Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling

2016-08-02 Thread Chris Lamb
> This is why I just override the "world readable" part and > let the rest be controlled by the user. Ah, didn't quite spot you are overriding just this bit. Worth a comment I think. > In the working patch you can see that I also set back the umask (just a > little further down in the file) as

Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling

2016-08-02 Thread Ola Lundqvist
Hi Chris The reason I do not simply set the umask to a fixed value is to use the same principle as upstream. That is honor the umask set by the user. There may be reasons why group read and/or write should be set for example. I agree with upstream that the umask should be honored, but not as

Re: Wheezy update of libupnp?

2016-08-02 Thread Balint Reczey
On 07/26/2016 10:51 PM, Bálint Réczey wrote: > Hi Nick, > > 2016-07-19 15:35 GMT+02:00 Nick Leverton : >> On Tue, Jul 19, 2016 at 08:54:18AM +0200, Chris Lamb wrote: >>> Hello dear maintainer(s), >>> >>> the Debian LTS team would like to fix the security issues which are >>>

Re: Redis not uploaded and timely security announcements

2016-08-02 Thread Emilio Pozuelo Monfort
On 02/08/16 19:16, Chris Lamb wrote: > Chris Lamb wrote: > >>> DLA-577-1 has been issued two days ago but redis hasn't been uploaded >>> yet. > [..] >> Could these checks be automated instead of relying on a diligent >> front-desk..?) > > I've pushed such a script as bin/lts-missing-uploads.py.

Re: Icedtea plugin

2016-08-02 Thread Emilio Pozuelo Monfort
On 01/08/16 23:26, Markus Koschany wrote: > On 01.08.2016 23:01, Emilio Pozuelo Monfort wrote: >> On 31/07/16 19:41, Roberto C. Sánchez wrote: >>> On Sun, Jul 31, 2016 at 07:34:28PM +0200, Emilio Pozuelo Monfort wrote: Hi, Currently, icedtea-plugin depends on icedtea-6-plugin, i.e.

Re: Redis not uploaded and timely security announcements

2016-08-02 Thread Chris Lamb
Chris Lamb wrote: > > DLA-577-1 has been issued two days ago but redis hasn't been uploaded > > yet. [..] > Could these checks be automated instead of relying on a diligent > front-desk..?) I've pushed such a script as bin/lts-missing-uploads.py. Please consider it to be proof-of-concept right

Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling

2016-08-02 Thread Chris Lamb
> Here is the working patch (attached). Out of interest, why: +mode_t prev_mask = umask(0022); +// Make sure this file is not readable by others +umask(prev_mask | S_IROTH | S_IWOTH | S_IXOTH); FILE *fp = fopen(filename,"w"); .. over, say: +// Make sure this file is not
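Review bot: the argument to the first `umask(0022)` call in the quoted hunk is only a placeholder, since the very next `umask(prev_mask | S_IROTH | S_IWOTH | S_IXOTH)` overwrites it; the call exists purely to read the previous mask, so a comment saying so (or a neutral value) would stop readers from assuming 0022 is the intended mask. Also, the restore of `prev_mask` that the thread says happens further down should run on the `fopen` failure path too, otherwise a failed open leaves the process with the stricter mask.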

Accepted libidn 1.25-2+deb7u2 (source amd64 all) into oldstable

2016-08-02 Thread Lucas Kanashiro
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: Thu, 28 Jul 2016 16:11:26 -0300 Source: libidn Binary: idn libidn11-dev libidn11 libidn11-java Architecture: source amd64 all Version: 1.25-2+deb7u2 Distribution: wheezy-security Urgency: high Maintainer: Debian Libidn Team

Accepted libreoffice 1:3.5.4+dfsg2-0+deb7u7 (source amd64 all) into oldstable

2016-08-02 Thread Balint Reczey
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Sat, 30 Jul 2016 12:58:14 +0200 Source: libreoffice Binary: libreoffice libreoffice-l10n-za libreoffice-l10n-in libreoffice-core libreoffice-common libreoffice-java-common libreoffice-writer libreoffice-calc libreoffice-impress

Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling

2016-08-02 Thread Ola Lundqvist
Hi again Here is the working patch (attached). Hope it helps for later versions too. // Ola On Tue, Aug 2, 2016 at 12:15 AM, Ola Lundqvist wrote: > Hi again > > I just realize that we need to change back the umask after the file is > created. I'll update the patch tomorrow

Re: Wheezy and jessie updates of lighttpd

2016-08-02 Thread Sébastien Delafond
On Aug/02, Santiago R.R. wrote: > .changes attached. security-master doesn't handle source-only uploads, > isn't it? No, in most cases it does not, so it's always better not to try it. Feel free to upload to security-master, and I'll probably have time to release the DSA tomorrow. Cheers, --Seb

Re: Wheezy and jessie updates of lighttpd

2016-08-02 Thread Santiago R.R.
On 02/08/16 at 10:11, Sébastien Delafond wrote: > On Aug/01, Santiago R.R. wrote: > > Please, find attached debdiffs to mitigate this in wheezy (that I plan > > to upload) and jessie. I have tested it with a python cgi taken from > > httpoxy's PoCs, and it seems to work well. However, I am

Re: Wheezy and jessie updates of lighttpd

2016-08-02 Thread Sébastien Delafond
On Aug/01, Santiago R.R. wrote: > Please, find attached debdiffs to mitigate this in wheezy (that I plan > to upload) and jessie. I have tested it with a python cgi taken from > httpoxy's PoCs, and it seems to work well. However, I am not familiar > with lighttpd, so any review is welcome. Hi