For April I had 21 hours available. I spent 16.5 as follows:
- samba: CVE-2017-2619: final package preparation, review, and upload
- ghostscript: CVE-2017-8291: prepare, test, and upload package
- imagemagick: begin review of latest batch of CVEs
- icu: CVE-2017-7867, CVE-2017-7868: Assist
On Tue, May 09, 2017 at 09:57:25PM +0100, Chris Lamb wrote:
> Hey Thorsten,
>
> You currently have the following packages claimed in data/dla-needed.txt,
> some of them for over 3 weeks:
>
> bind9
> icu
> jasper
>
> Could you spare a few moments to update data/dla-needed.txt with "NOTE"s
On 09.05.2017 22:53, Chris Lamb wrote:
> Dear maintainer(s),
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of binutils:
> https://security-tracker.debian.org/tracker/source-package/binutils
>
> Would you like to take care of this
Dear maintainer(s),
The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of binutils:
https://security-tracker.debian.org/tracker/source-package/binutils
Would you like to take care of this yourself?
If yes, please follow the workflow we have
Dear maintainer(s),
The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of rzip:
https://security-tracker.debian.org/tracker/source-package/rzip
Would you like to take care of this yourself?
If yes, please follow the workflow we have defined
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package: radicale
Version: 0.7-1.1+deb7u2
CVE ID : CVE-2017-8342
Radicale before 1.1.2 and 2.x before 2.0.0rc2 is prone to
timing oracles and simple brute-force attacks when using
the htpasswd authentication method.
For
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 05 May 2017 17:03:02 +0200
Source: radicale
Binary: radicale python-radicale
Architecture: source all
Version: 0.7-1.1+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Jonas Smedegaard
Changed-By:
Hugo Lefeuvre writes:
> I think this is a crafted file.
>
> By the way, where did you find the reproducer? I can't find it
> anywhere.
It was sent on the oss-security list as an attachment, but the HTML
archive strips attachments.
Hi Brian,
> It looks like the bm_new() function, referenced by CVE-2016-8686 has
> been refactored. In particular the size calculation has been moved to a
> getsize function.
>
> Unfortunately the description of CVE-2016-8686 is vague - "A crafted
> image, through a fuzz testing, causes the
Dear maintainer(s),
The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of eglibc:
https://security-tracker.debian.org/tracker/source-package/eglibc
Would you like to take care of this yourself?
If yes, please follow the workflow we have
Hugo Lefeuvre writes:
>> This is the potrace 0.14 diff, which supposedly resolves CVE-2016-8685
>> and CVE-2016-8686 (which was previously described as not a bug in
>> #843861).
>>
>> Unfortunately, it is somewhat large...
>>
>>