LTS Report for April 2017

2017-05-09 Thread Roberto C. Sánchez
For April I had 21 hours available. I spent 16.5 as follows: - samba: CVE-2017-2619: final package preparation, review, and upload - ghostscript: CVE-2017-8291: prepare, test, and upload package - imagemagick: begin review of latest batch of CVEs - icu: CVE-2017-7867, CVE-2017-7868: Assist

Re: Claimed issues in data/dla-needed.txt (bind9, icu, jasper)

2017-05-09 Thread Roberto C. Sánchez
On Tue, May 09, 2017 at 09:57:25PM +0100, Chris Lamb wrote: > Hey Thorsten, > > You currently have the following packages claimed in data/dla-needed.txt, > some of them for over 3 weeks: > > bind9 > icu > jasper > > Could you spare a few moments to update data/dla-needed.txt with "NOTE"s

Re: Wheezy update of binutils?

2017-05-09 Thread Matthias Klose
On 09.05.2017 22:53, Chris Lamb wrote: > Dear maintainer(s), > > The Debian LTS team would like to fix the security issues which are > currently open in the Wheezy version of binutils: > https://security-tracker.debian.org/tracker/source-package/binutils > > Would you like to take care of this

Wheezy update of binutils?

2017-05-09 Thread Chris Lamb
Dear maintainer(s), The Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of binutils: https://security-tracker.debian.org/tracker/source-package/binutils Would you like to take care of this yourself? If yes, please follow the workflow we have

Wheezy update of rzip?

2017-05-09 Thread Chris Lamb
Dear maintainer(s), The Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of rzip: https://security-tracker.debian.org/tracker/source-package/rzip Would you like to take care of this yourself? If yes, please follow the workflow we have defined

[SECURITY] [DLA 934-1] radicale security update

2017-05-09 Thread Thorsten Alteholz
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: radicale Version: 0.7-1.1+deb7u2 CVE ID : CVE-2017-8342 Radicale before 1.1.2 and 2.x before 2.0.0rc2 is prone to timing oracles and simple brute-force attacks when using the htpasswd authentication method. For
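The advisory above names timing oracles in htpasswd authentication. As an added illustration (my own code, not Radicale's, and not taken from the advisory or the fixed package), the Python below contrasts an early-exit password comparison with a constant-time one over a constructed htpasswd file. The helper names, the two sample users, and the choice to handle only the "{SHA}" and plaintext entry formats are assumptions made for the example.

```python
import base64
import hashlib
import hmac


def sha_entry(password: str) -> str:
    """Encode a password the way the classic htpasswd "{SHA}" scheme does:
    unsalted SHA-1, base64-encoded, prefixed with "{SHA}"."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed sample htpasswd file (assumption for this example, not taken
# from any real deployment): one "{SHA}" entry and one plaintext entry.
HTPASSWD_TEXT = "\n".join([
    "# constructed sample, two users",
    "alice:" + sha_entry("correct horse"),
    "bob:hunter2",
])


def parse_htpasswd(text: str) -> dict:
    """Map user name -> stored value for each non-comment, non-empty line."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def encode_candidate(stored: str, password: str) -> str:
    """Transform the submitted password so it can be compared with the
    stored value: hash it for "{SHA}" entries, leave plaintext as is."""
    if stored.startswith("{SHA}"):
        return sha_entry(password)
    return password


def naive_compare(stored: str, candidate: str) -> tuple:
    """Early-exit comparison: stop at the first differing character.
    Returns (equal, characters examined). The second value is the leak:
    the work done, and hence the time taken, grows with the length of the
    correctly guessed prefix, which is exactly what a timing oracle measures."""
    if len(stored) != len(candidate):
        return False, 0
    examined = 0
    for s, c in zip(stored, candidate):
        examined += 1
        if s != c:
            return False, examined
    return True, examined


def verify_naive(users: dict, user: str, password: str) -> tuple:
    """Vulnerable variant: an unknown user fails immediately and a known
    user is checked with the early-exit comparison."""
    stored = users.get(user)
    if stored is None:
        return False, 0
    return naive_compare(stored, encode_candidate(stored, password))


DUMMY_STORED = sha_entry("")  # compared against when the user is unknown


def verify_safe(users: dict, user: str, password: str) -> bool:
    """Hardened variant: hmac.compare_digest examines every byte regardless
    of where the inputs differ, and an unknown user still pays for one full
    comparison so that user existence is not exposed by timing either."""
    stored = users.get(user, DUMMY_STORED)
    candidate = encode_candidate(stored, password)
    equal = hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    return equal and user in users
```

With a plaintext entry, `verify_naive` examines only as many characters as the guess gets right, so an attacker who can time responses recovers the password one character at a time; with a "{SHA}" entry the same leak applies to the base64 digest instead, which is less directly useful but still an oracle. The constant-time comparison removes the oracle but does nothing about the advisory's second point: unsalted SHA-1 and plaintext entries are cheap to guess, so brute force still has to be addressed separately (a slow password hash, rate limiting, or both).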

Accepted radicale 0.7-1.1+deb7u2 (source all) into oldstable

2017-05-09 Thread Thorsten Alteholz
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 05 May 2017 17:03:02 +0200 Source: radicale Binary: radicale python-radicale Architecture: source all Version: 0.7-1.1+deb7u2 Distribution: wheezy-security Urgency: high Maintainer: Jonas Smedegaard Changed-By:

Re: potrace

2017-05-09 Thread Brian May
Hugo Lefeuvre writes: > I think this is a crafted file. > > By the way, where did you find the reproducer ? I can't find it > anywhere. It was sent on the oss-security list as an attachment, but the HTML archive strips attachments.

Re: potrace

2017-05-09 Thread Hugo Lefeuvre
Hi Brian, > It looks like the bm_new() function, referenced by CVE-2016-8686 has > been refactored. In particular the size calculation has been moved to a > getsize function. > > Unfortunately the description of CVE-2016-8686 is vague - "A crafted > image, through a fuzz testing, causes the

Wheezy update of eglibc?

2017-05-09 Thread Chris Lamb
Dear maintainer(s), The Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of eglibc: https://security-tracker.debian.org/tracker/source-package/eglibc Would you like to take care of this yourself? If yes, please follow the workflow we have

Re: potrace

2017-05-09 Thread Brian May
Hugo Lefeuvre writes: >> This is the potrace 0.14 diff, which supposedly resolves CVE-2016-8685 >> and CVE-2016-8686 (which was previously described as not a bug in >> #843861). >> >> Unfortunately, it is somewhat large... >> >>