Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-18 Thread Russ Allbery
Russ Allbery writes: > I'll follow up with the proposed diffs for stable and oldstable. Here are the proposed diffs for stable and oldstable. The stable diff just fixes the libssh2 interoperability regression. The oldstable diff fixes both that and the regression with downloading multiple

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-18 Thread Russ Allbery
Roman Medina-Heigl Hernandez writes: > On 18/02/2019 at 18:27, Russ Allbery wrote: >> While I agree that using undocumented features of rsync is a little >> dubious, I'm also willing to include a fix to allow the specific >> command line "rsync --server --daemon " since (a) it seems to be

(early) monthly report

2019-02-18 Thread Antoine Beaupré
Hi all, Here's my early LTS report. The TL;DR is: * website work * python-gpg * golang * libarchive * netmask * libreoffice * enigmail # Website work I again worked on the website this month, doing one more mass import ([MR 53][]) which was finally merged by Holger Levsen, after I

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-18 Thread Chris Lamb
Antoine Beaupré wrote: > > Does this plan sound good to everyone? I'll follow up with the proposed > > diffs for stable and oldstable. > > Works for me (LTS), although I won't be the one performing the upgrade > (I've unclaimed the package for other reasons). Works for me too and happy to take

[SECURITY] [DLA 1682-1] uriparser security update

2019-02-18 Thread Thorsten Alteholz
Package: uriparser Version: 0.8.0.1-2+deb8u2 CVE ID: CVE-2018-20721 Joergen Ibsen reported an issue with uriparser, a URI parsing library compliant with RFC 3986. An out-of-bounds read for incomplete URIs with IPv6

heads up: DLA should now be published on the website

2019-02-18 Thread Antoine Beaupré
On 2019-02-01 20:58:28, Holger Levsen wrote: > On Fri, Feb 01, 2019 at 01:58:04PM -0500, Antoine Beaupré wrote: [...] > can you please put that on wiki.d.o/LTS/Development?! This is now done. I added a new section to the wiki

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-18 Thread Antoine Beaupré
On 2019-02-18 09:27:37, Russ Allbery wrote: > Does this plan sound good to everyone? I'll follow up with the proposed > diffs for stable and oldstable. Works for me (LTS), although I won't be the one performing the upgrade (I've unclaimed the package for other reasons). Thanks for your work!

Accepted uriparser 0.8.0.1-2+deb8u2 (source amd64) into oldstable

2019-02-18 Thread Thorsten Alteholz
Format: 1.8 Date: Mon, 18 Feb 2019 19:03:02 +0100 Source: uriparser Binary: liburiparser1 liburiparser-dev Architecture: source amd64 Version: 0.8.0.1-2+deb8u2 Distribution: jessie-security Urgency: medium Maintainer: Jörg Frings-Fürst Changed-By:

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-18 Thread Roman Medina-Heigl Hernandez
On 18/02/2019 at 18:27, Russ Allbery wrote: > While I agree that using undocumented features of rsync is a little > dubious, I'm also willing to include a fix to allow the specific command > line "rsync --server --daemon " since (a) it seems to be safe, (b) > looks easy enough to do, and (c)

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-18 Thread Russ Allbery
Antoine Beaupré writes: > That said, if we do fix this in jessie, we should do it at the same time > as the regression identified in stretch (DSA-4377-2). > Russ, do you want to handle the Jessie update or should the LTS team do > it? > Should we wait for resolution on this issue before

Accepted gsoap 2.8.17-1+deb8u2 (source amd64 all) into oldstable

2019-02-18 Thread Mattias Ellert
Format: 1.8 Date: Thu, 14 Feb 2019 16:59:28 +0100 Source: gsoap Binary: libgsoap5 libgsoap-dev gsoap gsoap-doc libgsoap-dbg gsoap-dbg Architecture: source amd64 all Version: 2.8.17-1+deb8u2 Distribution: jessie-security Urgency: high Maintainer:

Re: Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2

2019-02-18 Thread Chris Lamb
[Adding 922...@bugs.debian.org to CC for completeness / BTS archive] Chris Lamb wrote: > > So using the ssize_t version that preserves the sizes of the arguments > > and return type of the function is the safer choice, regardless of > > upstream's claim that the function is private. > >
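An added illustration of the int-versus-ssize_t point raised in the message above. This is example code written for this page, not gsoap's own code: the helper names (count_as_int, count_as_ssize, accepted_via_int, accepted_via_ssize), the 64-byte buffer size and the 4 GiB input are assumptions, and the behaviour shown assumes an LP64 platform (64-bit size_t and ssize_t, 32-bit int) with the usual modulo-2^n narrowing of gcc/clang. It shows why a length routed through an int return type can slip past a bounds check that the ssize_t version catches.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical length-returning helpers (not gsoap's API): one narrows
 * the size to int, the other preserves it as ssize_t. */
static int count_as_int(size_t n)       { return (int)n; }      /* may lose high bits */
static ssize_t count_as_ssize(size_t n) { return (ssize_t)n; }  /* same width as size_t on LP64 */

/* Returns 1 if a caller relying on the int-returning helper would accept
 * `len` bytes into a buffer of `bufsize` bytes, 0 if it rejects them. */
int accepted_via_int(size_t len, size_t bufsize)
{
    int n = count_as_int(len);
    /* The negative check catches lengths in [INT_MAX+1, UINT_MAX], but a
     * length that is a multiple of 2^32 narrows to 0 and sails through. */
    if (n < 0)
        return 0;
    return (size_t)n <= bufsize;
}

/* Same check with the ssize_t-returning helper: no bits are lost on LP64,
 * so the comparison sees the real length and rejects it. */
int accepted_via_ssize(size_t len, size_t bufsize)
{
    ssize_t n = count_as_ssize(len);
    if (n < 0)
        return 0;
    return (size_t)n <= bufsize;
}

int main(void)
{
    size_t huge = (size_t)1 << 32;   /* constructed input: exactly 4 GiB */
    size_t small = 32;               /* constructed input: fits in 64 bytes */

    printf("int check accepts 4 GiB into 64 bytes:     %d\n", accepted_via_int(huge, 64));
    printf("ssize_t check accepts 4 GiB into 64 bytes: %d\n", accepted_via_ssize(huge, 64));
    printf("both accept 32 bytes into 64 bytes:        %d %d\n",
           accepted_via_int(small, 64), accepted_via_ssize(small, 64));
    return 0;
}
```

The point for review is not the specific 4 GiB value but the type discipline: when a function's argument and return types keep the full width of the size being checked, the caller's comparison is meaningful; once the value has been narrowed, any check the caller adds is reasoning about a number that no longer describes the input.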

[SECURITY] [DLA 1681-1] gsoap security update

2019-02-18 Thread Chris Lamb
Package: gsoap Version: 2.8.17-1+deb8u2 CVE ID: CVE-2019-7659 It was discovered that there was a denial of service vulnerability in gsoap, a C/C++ language binding used for SOAP-based web services. For Debian 8 "Jessie",

Re: Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2

2019-02-18 Thread Chris Lamb
Hi Mattias, > Is the aim of this discussion still to determine which version of the > proposed change to use? The original int version, or the updated > ssize_t version? I'm sorry to hear in your mail that you are feeling frustrated ("derail into a general complaint…" etc.) as our shared goal is

Re: Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2

2019-02-18 Thread Mattias Ellert
Sat 2019-02-16 at 22:05 + Ben Hutchings wrote: > On Sat, 2019-02-16 at 06:43 +0100, Mattias Ellert wrote: > > Sat 2019-02-16 at 00:12 +0100 Chris Lamb wrote: > > > Hi Mattias, > > > > > > > What exactly do you want to run past upstream? It is not clear to me > > > > what you are

Accepted postgresql-9.4 9.4.21-0+deb8u1 (source amd64 all) into oldstable

2019-02-18 Thread Christoph Berg
Format: 1.8 Date: Mon, 18 Feb 2019 12:00:44 +0100 Source: postgresql-9.4 Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 postgresql-9.4 postgresql-9.4-dbg postgresql-client-9.4 postgresql-server-dev-9.4 postgresql-doc-9.4

Re: [SECURITY] [DLA 1680-1] tiff security update

2019-02-18 Thread Gerald Designergerald
Thank you, thanks. On Mon 18 Feb 2019 8:13, Brian May wrote: > Package: tiff > Version: 4.0.3-12.3+deb8u8 > CVE ID: CVE-2018-17000 CVE-2018-19210 CVE-2019-7663 > > > Brief introduction > > CVE-2018-17000 > > A