-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Wed, 03 Aug 2016 06:33:48 +0900
Source: firefox-esr
Binary: firefox-esr iceweasel firefox-esr-dbg iceweasel-dbg firefox-esr-dev
iceweasel-dev firefox-esr-l10n-all iceweasel-l10n-all firefox-esr-l10n-ach
iceweasel-l10n-ach
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of libsys-syslog-perl:
https://security-tracker.debian.org/tracker/CVE-2016-1238
Would you like to take care of this yourself?
If yes, please follow the workflow we
On Wed, Aug 03, 2016 at 12:25:32AM +0200, Ola Lundqvist wrote:
>Hi
>Maybe. However if someone is added to a users group that should really
>mean that they should at least be able to read things, even though they
>may not be able to write to stuff. So I actually think bash and
Hi
Maybe. However if someone is added to a users group that should really mean
that they should at least be able to read things, even though they may not
be able to write to stuff. So I actually think bash and others do the wrong
thing here.
The way I have done it is also more in line with
On 02/08/16 23:57, Ola Lundqvist wrote:
> Hi Chris
>
> The reason I do not simply set the umask to a fixed value is to use the same
> principle as upstream. That is honor the umask set by the user. There may be
> reasons why group read and/or write should be set for example.
>
> I agree with
Hi Chris
I had this
// Make sure this file is not readable by others
But maybe it was not clear enough. :-)
// Ola
On Wed, Aug 3, 2016 at 12:00 AM, Chris Lamb wrote:
> > This is why I just override the "world readable" part and
> > let the rest be controlled by the user.
>
> This is why I just override the "world readable" part and
> let the rest be controlled by the user.
Ah, didn't quite spot you are overriding just this bit. Worth a comment
I think.
> In the working patch you can see that I also set back the umask (just a
> little further down in the file) as
Hi Chris
The reason I do not simply set the umask to a fixed value is to use the
same principle as upstream. That is honor the umask set by the user. There
may be reasons why group read and/or write should be set for example.
I agree with upstream that the umask should be honored, but not as
On 07/26/2016 10:51 PM, Bálint Réczey wrote:
> Hi Nick,
>
> 2016-07-19 15:35 GMT+02:00 Nick Leverton :
>> On Tue, Jul 19, 2016 at 08:54:18AM +0200, Chris Lamb wrote:
>>> Hello dear maintainer(s),
>>>
>>> the Debian LTS team would like to fix the security issues which are
>>>
On 02/08/16 19:16, Chris Lamb wrote:
> Chris Lamb wrote:
>
>>> DLA-577-1 has been issued two days ago but redis hasn't been uploaded
>>> yet.
> [..]
>> Could these checks be automated instead of relying on a diligent
>> front-desk..?)
>
> I've pushed such a script as bin/lts-missing-uploads.py.
On 01/08/16 23:26, Markus Koschany wrote:
> On 01.08.2016 23:01, Emilio Pozuelo Monfort wrote:
>> On 31/07/16 19:41, Roberto C. Sánchez wrote:
>>> On Sun, Jul 31, 2016 at 07:34:28PM +0200, Emilio Pozuelo Monfort wrote:
Hi,
Currently, icedtea-plugin depends on icedtea-6-plugin, i.e.
Chris Lamb wrote:
> > DLA-577-1 has been issued two days ago but redis hasn't been uploaded
> > yet.
[..]
> Could these checks be automated instead of relying on a diligent
> front-desk..?)
I've pushed such a script as bin/lts-missing-uploads.py. Please consider
it to be proof-of-concept right
> Here is the working patch (attached).
Out of interest, why:
+mode_t prev_mask = umask(0022);
+// Make sure this file is not readable by others
+umask(prev_mask | S_IROTH | S_IWOTH | S_IXOTH);
FILE *fp = fopen(filename,"w");
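Review bot: The two umask() calls ahead of fopen() change the process-wide mask, and the first one briefly sets it to 0022 only to read the old value; nothing in these lines puts prev_mask back once the file exists. Restore it immediately after fopen() returns, on the failure path as well, and extend the comment to say that only the "other" bits are forced while the rest of the user's mask is kept. Creating the file with open() and an explicit mode, then wrapping it with fdopen(), would avoid touching the umask at all.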
.. over, say:
+// Make sure this file is not
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Format: 1.8
Date: Thu, 28 Jul 2016 16:11:26 -0300
Source: libidn
Binary: idn libidn11-dev libidn11 libidn11-java
Architecture: source amd64 all
Version: 1.25-2+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Libidn Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Sat, 30 Jul 2016 12:58:14 +0200
Source: libreoffice
Binary: libreoffice libreoffice-l10n-za libreoffice-l10n-in libreoffice-core
libreoffice-common libreoffice-java-common libreoffice-writer libreoffice-calc
libreoffice-impress
Hi again
Here is the working patch (attached).
Hope it helps for later versions too.
// Ola
On Tue, Aug 2, 2016 at 12:15 AM, Ola Lundqvist wrote:
> Hi again
>
> I just realize that we need to change back the umask after the file is
> created. I'll update the patch tomorrow
On Aug/02, Santiago R.R. wrote:
> .changes attached. security-master doesn't handle source-only uploads,
> isn't it?
No, in most cases it does not, so it's always better not to try it. Feel
free to upload to security-master, and I'll probably have time to
release the DSA tomorrow.
Cheers,
--Seb
On 02/08/16 at 10:11, Sébastien Delafond wrote:
> On Aug/01, Santiago R.R. wrote:
> > Please, find attached debdiffs to mitigate this in wheezy (that I plan
> > to upload) and jessie. I have tested it with a python cgi taken from
> > httpoxy's PoCs, and it seems to work well. However, I am
On Aug/01, Santiago R.R. wrote:
> Please, find attached debdiffs to mitigate this in wheezy (that I plan
> to upload) and jessie. I have tested it with a python cgi taken from
> httpoxy's PoCs, and it seems to work well. However, I am not familiar
> with lighttpd, so any review is welcome.
Hi