Re: Tools for testing LTS updates

2017-01-31 Thread Antoine Beaupré
On 2017-01-24 08:37:05, Guido Günther wrote: > I'm using a qemu VM bootstrapped via > > > http://honk.sigxcpu.org/con/Preseeding_Debian_virtual_machines_with_virt_install.html > > Note that there's also autopkgtest-virt-qemu but since it doesn't use > libvirt I'd have to handle it differently

Re: [Secure-testing-commits] r48631 - in data: . CVE

2017-01-31 Thread Bálint Réczey
Hi Emilio, 2017-01-31 22:23 GMT+01:00 Bálint Réczey : > Hi Emilio, > > 2017-01-31 22:14 GMT+01:00 Emilio Pozuelo Monfort : >> Hi Balint, >> >> On 31/01/17 21:46, Balint Reczey wrote: >>> Log: >>> wavpack's issues don't affect wheezy >>> >>> The first part

Re: Wheezy update of mysql-5.5?

2017-01-31 Thread Bálint Réczey
Hi, I have prepared a patch for the issue, I'm just waiting for the CVE assignment till tomorrow (2 Feb) with the upload. Cheers, Balint 2017-01-28 22:03 GMT+01:00 Ola Lundqvist : > Hello dear maintainer(s), > > the Debian LTS team would like to fix the security issues which

Re: openssl wheezy update

2017-01-31 Thread Kurt Roeckx
On Tue, Jan 31, 2017 at 11:13:55PM +0100, Emilio Pozuelo Monfort wrote: > Hi Kurt, > > I have prepared an update of openssl for wheezy based on 1.0.1t-1+deb8u6. I > have > done some smoke testing on it and it seems fine, but I haven't been able to > verify the three fixes as I can't find

Re: Wheezy update of xrdp?

2017-01-31 Thread Bálint Réczey
Hi Dominik, 2016-12-23 12:08 GMT+01:00 Dominik George : > Hi Chris, > >> the Debian LTS team would like to fix the security issues which are >> currently open in the Wheezy version of xrdp: >> https://security-tracker.debian.org/tracker/source-package/xrdp >> >> Would you like

LTS report for January

2017-01-31 Thread Emilio Pozuelo Monfort
Hi, This month I was allocated 12.75h (plus 2.5h carried from last month). I spent this time doing the following: - DLA 684-2: libx11 regression update - DLA 784-1: gcc-mozilla new package - DLA 800-1: firefox-esr security update - DLA 801-1: libxpm security update - DLA 802-1: openjdk-7

openssl wheezy update

2017-01-31 Thread Emilio Pozuelo Monfort
Hi Kurt, I have prepared an update of openssl for wheezy based on 1.0.1t-1+deb8u6. I have done some smoke testing on it and it seems fine, but I haven't been able to verify the three fixes as I can't find exploits for them (there is mention of one for CVE-2016-8610 in [1] but I can't find the

Re: graphicsmagick update

2017-01-31 Thread Guido Günther
On Tue, Jan 31, 2017 at 04:07:19PM -0500, Antoine Beaupré wrote: > On 2017-01-31 21:42:41, Emilio Pozuelo Monfort wrote: > > I'd say it makes sense to release a regression update. > > > > BTW I'm not sure about this change, which is not mentioned in your > > changelog entry: > > > > ---

Re: [Secure-testing-commits] r48631 - in data: . CVE

2017-01-31 Thread Bálint Réczey
Hi Emilio, 2017-01-31 22:14 GMT+01:00 Emilio Pozuelo Monfort : > Hi Balint, > > On 31/01/17 21:46, Balint Reczey wrote: >> Log: >> wavpack's issues don't affect wheezy >> >> The first part of the upstream patch is not needed since the >> code is very different and not

Re: [Secure-testing-commits] r48631 - in data: . CVE

2017-01-31 Thread Emilio Pozuelo Monfort
Hi Balint, On 31/01/17 21:46, Balint Reczey wrote: > Log: > wavpack's issues don't affect wheezy > > The first part of the upstream patch is not needed since the > code is very different and not vulnerable. > The second part applies, but does not make any difference when > trying the exploits.

Re: graphicsmagick update

2017-01-31 Thread Antoine Beaupré
On 2017-01-31 21:42:41, Emilio Pozuelo Monfort wrote: > I'd say it makes sense to release a regression update. > > BTW I'm not sure about this change, which is not mentioned in your changelog > entry: > > --- graphicsmagick-1.3.16/debian/rules 2016-09-20 23:52:26.0 +0200 > +++

Re: graphicsmagick update

2017-01-31 Thread Emilio Pozuelo Monfort
On 16/01/17 20:48, Antoine Beaupré wrote: > Hi, > > I've looked at updating the graphicsmagick (GM) update to fix the issues > outlined in a [recent discussion][1]. The fix to CVE-2016-5240.patch is > trivial. I can also confirm the current GM version in wheezy-security > segfaults with the POC.

[SECURITY] [DLA 812-1] ikiwiki security update

2017-01-31 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Package: ikiwiki Version: 3.20120629.2+deb7u2 CVE ID : CVE-2016-9646 CVE-2016-10026 CVE-2017-0356 Several vulnerabilities have been found in ikiwiki, a wiki compiler: CVE-2016-9646 Commit metadata forgery

[SECURITY] [DLA 811-1] libplist security update

2017-01-31 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Package: libplist Version: 1.8-1+deb7u1 CVE ID : CVE-2017-5209 CVE-2017-5545 Debian Bug : 851196 852385 The following vulnerabilities have been fixed in libplist: CVE-2017-5209 Out of bounds read when parsing

Accepted ikiwiki 3.20120629.2+deb7u2 (source all) into oldstable

2017-01-31 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Tue, 31 Jan 2017 19:00:50 +0100 Source: ikiwiki Binary: ikiwiki Architecture: source all Version: 3.20120629.2+deb7u2 Distribution: wheezy-security Urgency: medium Maintainer: Simon McVittie Changed-By: Emilio

Re: Accepted openjdk-7 7u121-2.6.8-1~deb7u1 (source all amd64) into oldstable

2017-01-31 Thread Ola Lundqvist
Ok, thanks. // Ola On 31 January 2017 at 00:35, Emilio Pozuelo Monfort wrote: > On 27/01/17 22:18, Ola Lundqvist wrote: >> Hi Emilio >> >> I saw that you have uploaded a new openjdk-7 package. Was that >> package supposed to fix the current issues reported for openjdk-7 or