According to https://security-tracker.debian.org/tracker/CVE-2014-8127:
tiff 4.0.3-12.3+deb8u5 is vulnerable to CVE-2014-8127.
But according to the changelog CVE-2014-8127 was fixed in version
4.0.3-12.3+deb8u3:
tiff (4.0.3-12.3+deb8u3) jessie-security; urgency=high
* Backport fix for the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Thu, 07 Feb 2019 13:04:01 -0500
Source: libarchive
Binary: libarchive-dev libarchive13 bsdtar bsdcpio
Architecture: source amd64
Version: 3.1.2-11+deb8u7
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Libarchive
Hi Antoine
It is my fault that python developers were not contacted. I added the
package to dla-needed.txt yesterday (or possibly the day before) and
planned to contact the maintainers. But before I had the chance to do so
the package was already fixed and then it did not feel appropriate to
On 2019-02-07 18:32:39, Markus Koschany wrote:
> Please do not CC me. I am subscribed.
>
> Am 07.02.19 um 18:23 schrieb Antoine Beaupré:
> [...]
>> Well, I don't think we should make such calls without announcing it and
>> documenting the new workflow clearly, first off.
>>
>> Second, I think I
Please do not CC me. I am subscribed.
Am 07.02.19 um 18:23 schrieb Antoine Beaupré:
[...]
> Well, I don't think we should make such calls without announcing it and
> documenting the new workflow clearly, first off.
>
> Second, I think I mostly agree with you, but we need to be certain we
> won't
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Thu, 07 Feb 2019 17:57:04 +0100
Source: dovecot
Binary: dovecot-core dovecot-dev dovecot-imapd dovecot-pop3d dovecot-lmtpd
dovecot-managesieved dovecot-pgsql dovecot-mysql dovecot-sqlite dovecot-ldap
dovecot-gssapi dovecot-sieve
On 2019-02-07 17:58:48, Markus Koschany wrote:
> Hello,
>
> Am 07.02.19 um 17:32 schrieb Antoine Beaupré:
> [...]
>> Am I missing something here? Did we change this practice, or is this an
>> oversight?
>
> I have been part of the team for three years now, from my experience
> almost all people
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: dovecot
Version: 1:2.2.13-12~deb8u5
CVE ID : CVE-2019-3814
It was discovered that there was a vulnerability in the dovecot
IMAP/POP3 server.
A flaw in the TLS username handling could lead to an attacker
logging in
Hello,
Am 07.02.19 um 17:32 schrieb Antoine Beaupré:
[...]
> Am I missing something here? Did we change this practice, or is this an
> oversight?
I have been part of the team for three years now, from my experience
almost all people are very happy when someone else fixes bugs in
oldstable. Most
On 2019-02-07 16:48:56, Holger Levsen wrote:
> On Thu, Feb 07, 2019 at 11:44:45AM -0500, Antoine Beaupré wrote:
>> But maybe, instead, we should just mark it as unsupported in
>> debian-security-support and move on. There are few packages depending on
>> it, in jessie:
> [...]
>> in buster:
>>
On Thu, Feb 07, 2019 at 11:44:45AM -0500, Antoine Beaupré wrote:
> But maybe, instead, we should just mark it as unsupported in
> debian-security-support and move on. There are few packages depending on
> it, in jessie:
[...]
> in buster:
> Note that the list is (slowly) growing.
marking it it
On 2019-02-07 11:44:45, Antoine Beaupré wrote:
> https://dev.gentoo.org/~mgorny/articles/evolution-uid-trust-extrapolation.html
> https://blogs.gentoo.org/mgorny/2019/01/29/identity-with-openpgp-trust-model/
Oops, that second link should have been:
Hi,
Recently, python-gnupg was triaged for maintenance in Debian LTS, which
brought my attention to this little wrapper around GnuPG that I'm
somewhat familiar with.
Debian is marked as "vulnerable" for CVE-2019-6690 in Jessie and Stretch
right now, with buster and sid marked as fixed, as you
Hi,
I was under the impression that we were supposed to contact maintainers
when we add packages to dla-needed.txt, as part of the triage work. That
is, at least, the method documented here:
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
Confident that people doing the
Hi Steve,
On 07/02/2019 12:12, Steve McIntyre wrote:
> On Mon, Jan 28, 2019 at 12:26:54AM +, Steve McIntyre wrote:
>> On Sun, Jan 27, 2019 at 06:33:29PM +, Steve McIntyre wrote:
>>>
>>> I'll give it a try now...
>>
>> And that worked on the first attempt. Using this approach, I've done
>>
On Mon, Jan 28, 2019 at 12:26:54AM +, Steve McIntyre wrote:
>On Sun, Jan 27, 2019 at 06:33:29PM +, Steve McIntyre wrote:
>>
>>I'll give it a try now...
>
>And that worked on the first attempt. Using this approach, I've done
>jessie builds of the various LTS arches using casulana, the
Hi,
During the month of January, I spent 42.5 hours working on LTS on the following
tasks:
- thunderbird 60.4.0 ESR security update
- tzdata and libdatetime-timezone-perl new releases
- investigated symfony test failures
- policykit-1 security update
- investigated lua vulnerability, which
On 06/02/2019 23:47, Antoine Beaupré wrote:
> On 2019-02-06 23:42:12, Chris Lamb wrote:
>> Hi Antoine,
>>
>>> all golang Debian packages are (as elsewhere) statically compiled
>>> and linked so we'd need to rebuild all the rdeps
>>
>> Hm. Can we avoid /all/ the rdeps? I mean, grep the rdeps for
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Wed, 06 Feb 2019 16:55:11 +1100
Source: python3.4
Binary: python3.4 python3.4-venv libpython3.4-stdlib python3.4-minimal
libpython3.4-minimal libpython3.4 python3.4-examples python3.4-dev
libpython3.4-dev libpython3.4-testsuite
19 matches
Mail list logo
