Wheezy update of openssh?

2016-08-08 Thread Guido Günther
Hello dear maintainer(s), the Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of openssh: https://security-tracker.debian.org/tracker/CVE-2016-6515 Would you like to take care of this yourself? If yes, please follow the workflow we have

Re: find-work script no longer working on stable

2016-08-08 Thread Chris Lamb
> ola@tigereye:~/git/debian-lts$ ./find-work > Traceback (most recent call last): > File "./find-work", line 3, in > import requests > I think I'm missing some bit of your traceback/testcase here? > 8056874b90d35883fd3a1747b911d935367edda3 Guessing from this, I think you had locale

Re: [SECURITY] [DLA 588-1] mongodb security update

2016-08-08 Thread Ben Hutchings
On Mon, 2016-08-08 at 11:52 +0200, Ola Lundqvist wrote: > Package: mongodb > Version: 2.0.6-1+deb7u1 > CVE ID : CVE-2016-6494 > Debian Bug : 832908, 833087 > > Two security related problems have been found in the mongodb > package, related to logging. > >

find-work script no longer working on stable

2016-08-08 Thread Ola Lundqvist
Hi Chris First thanks for improving find-work. The additions have been good, except for one thing. I have Debian stable on my workstation and the latest find-work update makes it spit out the following: ola@tigereye:~/git/debian-lts$ ./find-work Traceback (most recent call last): File

Security check of libical

2016-08-08 Thread Ola Lundqvist
Hi libical developers, libical maintainer and LTS team As part of the Debian Long Term Security team I have started to look into a few possible security related vulnerabilities. More details are available here: https://security-tracker.debian.org/tracker/source-package/libical My problem is that

Re: Security update of ntp

2016-08-08 Thread Ola Lundqvist
Hi Kurt Thanks a lot for a quick and good answer. Will mark it as unaffected in wheezy too then. Best regards // Ola On Mon, Aug 8, 2016 at 6:30 PM, Kurt Roeckx wrote: > On Mon, Aug 08, 2016 at 01:12:28PM +0200, Ola Lundqvist wrote: > > Hi Kurt > > > > As a member of the LTS

Re: Security update of ntp

2016-08-08 Thread Kurt Roeckx
On Mon, Aug 08, 2016 at 01:12:28PM +0200, Ola Lundqvist wrote: > Hi Kurt > > As a member of the LTS team I have started to look into a ntp security > update of CVE-2016-4953 mentioned here: > https://security-tracker.debian.org/tracker/source-package/ntp > > I see that you have prepared security

Security update of ntp

2016-08-08 Thread Ola Lundqvist
Hi Kurt As a member of the LTS team I have started to look into a ntp security update of CVE-2016-4953 mentioned here: https://security-tracker.debian.org/tracker/source-package/ntp I see that you have prepared security updates for Debian wheezy in the past so I would like to check with you if

Re: Security update of nettle

2016-08-08 Thread Ola Lundqvist
Hi all I have now prepared a build of nettle for wheezy, based on the patch that Magnus prepared for me (thanks a lot for that!). You can find the debdiff here: http://apt.inguza.net/wheezy-security/nettle/nettle.debdiff You can find the prepared packages here:

[SECURITY] [DLA 589-1] mupdf security update

2016-08-08 Thread Jonas Meurer
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Package: mupdf Version: 0.9-2+deb7u3 CVE ID : CVE-2016-6525 Debian Bug : 833417 A flaw was discovered in the pdf_load_mesh_params() function allowing out-of-bounds write access to memory locations. With carefully crafted

Accepted mupdf 0.9-2+deb7u3 (source amd64) into oldstable

2016-08-08 Thread Jonas Meurer
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: Sat, 06 Aug 2016 16:13:05 +0200 Source: mupdf Binary: libmupdf-dev mupdf mupdf-tools Architecture: source amd64 Version: 0.9-2+deb7u3 Distribution: wheezy-security Urgency: high Maintainer: Kan-Ru Chen Changed-By:

Accepted mongodb 1:2.0.6-1+deb7u1 (source amd64) into oldstable

2016-08-08 Thread Ola Lundqvist
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Mon, 01 Aug 2016 21:10:47 + Source: mongodb Binary: mongodb mongodb-server mongodb-clients mongodb-dev Architecture: source amd64 Version: 1:2.0.6-1+deb7u1 Distribution: wheezy-security Urgency: high Maintainer: Antonin Kral

Re: Wheezy update of twisted?

2016-08-08 Thread Salvatore Bonaccorso
Hi, Just a quick comment on: On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote: > I am inclined to say that no version of twisted, by itself, has this > vulnerability. However like I said earlier it is possible that > applications that use twisted have this vulnerability. Looking at the

Re: Wheezy update of python-django?

2016-08-08 Thread Salvatore Bonaccorso
Hi, On Mon, Aug 08, 2016 at 05:59:36PM +1000, Brian May wrote: > Brian May writes: > > > Attached is my latest debdiff patch, only includes changes to debian/*. > > I just uploaded this to wheezy-security. Not 100% certain my upload will > get accepted yet, my first attempt

Re: Wheezy update of twisted?

2016-08-08 Thread Brian May
Free Ekanayaka writes: > I had a quick look at the code too (both in wheezy and jessie), but I > couldn't find the offending bits. Perhaps it'd be good to put together a > small web server and see what happens when you pass the 'Proxy' > header. So I created the following

Re: Security update of firefox-esr for Wheezy

2016-08-08 Thread Raphael Hertzog
On Mon, 08 Aug 2016, Emilio Pozuelo Monfort wrote: > > Shall we mark gcc-4.8 as unsupported in wheezy, explaining that its only > > purpose is to enable build of other packages? > > That would make sense. > > I'll see if I can take a look at this. The problematic part is likely libstdc++. I