0203,
CVE-2024-30204 and CVE-2024-30205.
- Gave some feedback on the new ELTS upload procedures, which resulted
in some documentation improvements, thanks to Helmut Grohne.
--
Sean Whitton
signature.asc
Description: PGP signature
scenarios: one with the patch applied only
> on the server side, another with the patch applied only on the client
> side, and finally one with the patch applied on both sides.
Thanks for the review and this feedback on testing. I'll work on those.
--
Sean Whitton
5 says that
it renders the fix for CVE-2024-32004 "somewhat redundant".
My understanding of the situation is that the fix for CVE-2024-32465
does fix the issue strictly designated by CVE-2024-32004, and without
the sort of usability regression linked above.
Could someone review this assessment, p
added to ela-needed close to the end of the month, so I will
be working on them at the beginning of May.
I did spend some time following up on correspondence for ELTS.
--
Sean Whitton
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3802-1                   debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Sean Whitton
April 30, 2024                                   https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3801-1                   debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Sean Whitton
April 29, 2024                                   https://wiki.debian.org/LTS
r you take over and if so I can assist as much
> as you want.
>
> It is up to you.
>
> In any case you have been very helpful and I appreciate that.
Right now I'm working on updating Emacs, so probably best to leave bind9
to you for right now, I think. Thanks for checking.
--
Sean Whitton
Hello,
On Sun 14 Apr 2024 at 10:14am +08, Sean Whitton wrote:
> Hello,
>
> On Sat 13 Apr 2024 at 10:04am +02, Ola Lundqvist wrote:
>
>> Do you happen to have reference to specific commits to look at?
>> You seem to have that since you refer to them as too big to backpo
isk of breaking things and compare that
> to the severity of the problems.
To be clear, what I was proposing was upgrading to a snapshot of the
9.11 branch, not upgrading all the way to 9.16.
--
Sean Whitton
14 Fix windows build, remove external symbols
| * 40a0656e6a..: Ondřej Surý 2023-10-11 Add CHANGES for [GL #4234]
| * 2fc28056b3..: Ondřej Surý 2023-10-11 Backport isc_ht API changes from BIND 9.18
| * 0ceed03ebe..: Ondřej Surý 2023-09-11 Use hashtable when parsing a message
|/
--
to pick the
> individual patches can be risky.
> Or do we know any specific reason why we should not go this path?
I tried working on this a couple of weeks ago and addressed some
questions to this list -- did you see my post? I hadn't realised it had
been a whole two weeks since I'd
Hello,
On Sun 31 Mar 2024 at 09:51pm +08, Sean Whitton wrote:
> I've started looking at the first vulnerability, CVE-2023-4408, and have
> some confusions/questions.
>
> The ISC website says that 9.11 is EOL as of March 2022. But there is a lot
> of activity on the 9.11 branch,
u know if any other vendors do that? I'm
wondering if, on balance, that might be safest -- if, that is, upstream
are indeed not intending to break anything.
Finally, do you have any notes on testing?
Thanks.
--
Sean Whitton
n,
from the very beginning of my involvement as a volunteer, is how we
can design processes and tooling that suit intermittent contributor
availability and communication, and handing over work efficiently.
As a result, I found these clarificatory discussions particularly
interesting.
--
Sean Whitton
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3768-1                   debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Sean Whitton
March 22, 2024                                   https://wiki.debian.org/LTS
I've been trying to do this with at least my
own notes. My understanding is that the purpose of the document is more
of a to-do list than a logbook.
--
Sean Whitton
Hello,
Thanks Chris. I'll go ahead with this.
--
Sean Whitton
momentarily push my work for review to the debian/stretch branch
of salsa:lts-team/packages/pillow.
There is a nice description of the vulnerability here:
<https://duartecsantos.github.io/2023-01-02-CVE-2023-50447/>.
Thanks.
--
Sean Whitton
I'm still investigating just which suites require further changes.
ELTS
- pillow
- I've been working to prepare a fix for CVE-2023-50447.
In the process, I discovered that our fix for an old vulnerability,
CVE-2022-22817, may be incomplete, and I'm now investigating.
--
Sean W
Hello,
On Thu 29 Feb 2024 at 02:14pm +08, Sean Whitton wrote:
> Does anyone have working debvm runes for stretch & jessie?
>
> If you just use 'debvm-create -r stretch -- http://deb.freexian.com/extended-lts'
> then there isn't working networking.
Thank you to those
Hello,
Does anyone have working debvm runes for stretch & jessie?
If you just use 'debvm-create -r stretch -- http://deb.freexian.com/extended-lts'
then there isn't working networking.
Thanks.
--
Sean Whitton
Hello,
On Tue 27 Feb 2024 at 09:46am GMT, Bastien Roucariès wrote:
> On Tuesday 27 February 2024, 05:31:01 UTC Sean Whitton wrote:
>> Hello Bastien,
>>
>> Is there some way I could help with imagemagick under LTS? It looks like
>> the status has been unchanged for some
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3742-1                   debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Sean Whitton
February 27, 2024                                https://wiki.debian.org/LTS
Hello Chris,
Do you have WIP for python-django LTS fixes? Can I work on it without
duplicating effort? Thought I'd check, since you're the maintainer.
--
Sean Whitton
Hello Bastien,
Is there some way I could help with imagemagick under LTS? It looks like
the status has been unchanged for some months. I'm not an expert but I
can review things. Thanks!
--
Sean Whitton
patches, it might save somebody some more time. We
> can accept the changes, but we will likely not do release though.
Thank you for this information. My work is currently awaiting internal
peer review, and then I'll look into posting an MR.
--
Sean Whitton
be significant for the vulnerability.
Thanks!
--
Sean Whitton
tinued working on libssh, and the ELTS I followed
up on some correspondence.
--
Sean Whitton
Hello,
On Tue 02 Jan 2024 at 04:32pm +01, Jakub Jelen wrote:
> Hi.
> Thank you for all the good questions! I will try to reply inline.
Many thanks. This will be helpful indeed.
--
Sean Whitton
ause I couldn't get the new
tests to pass. I unclaimed the package in the hope that a fresh set
of eyes could see more quickly what was wrong.
--
Sean Whitton
exercise the relevant code?
I'm asking because the vulnerability scanner on terrapin-attack.com
only seems to check for support of strict key exchange, not whether
it actually works.
Thanks.
--
Sean Whitton
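The distinction drawn in the message above, between a peer advertising strict key exchange and strict key exchange actually working, is visible at the wire level in the SSH_MSG_KEXINIT exchange. The following Python is an added example, not code from Sean's message, from libssh, or from the terrapin-attack.com scanner: it parses a KEXINIT payload using the layout in RFC 4253 section 7.1, reports whether the OpenSSH 9.6 pseudo-algorithms kex-strict-s-v00@openssh.com (server) and kex-strict-c-v00@openssh.com (client) are offered, and applies the same static rule a passive scanner can apply for CVE-2023-48795 (ChaCha20-Poly1305 or a CBC cipher with an EtM MAC offered, strict kex absent). The payloads it checks are constructed in the block, not captured from a real server, and every function name (parse_kexinit, advertises_strict_kex, terrapin_exposed, build_kexinit) is this example's own.

```python
"""Inspect an SSH KEXINIT payload for the strict-kex marker (CVE-2023-48795).

Added example; not from the mailing-list thread, libssh or the scanner.
KEXINIT layout from RFC 4253 section 7.1; pseudo-algorithm names from
OpenSSH 9.6.  The sample payloads at the bottom are constructed here."""
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX = {"server": "kex-strict-s-v00@openssh.com",
              "client": "kex-strict-c-v00@openssh.com"}

# The ten name-lists of KEXINIT, in wire order (RFC 4253 section 7.1).
NAME_LISTS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)


def _read_name_list(buf, off):
    """Decode one SSH name-list: uint32 length, then comma-separated ASCII."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated name-list body")
    names = raw.decode("ascii").split(",") if raw else []
    return names, off + n


def parse_kexinit(payload):
    """Return the KEXINIT fields as a dict; raise ValueError if malformed."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 1 + 16  # message type byte, then the 16-byte random cookie
    fields = {"cookie": payload[1:17]}
    for name in NAME_LISTS:
        fields[name], off = _read_name_list(payload, off)
    if off + 5 > len(payload):
        raise ValueError("truncated KEXINIT trailer")
    fields["first_kex_packet_follows"] = payload[off] != 0
    (fields["reserved"],) = struct.unpack_from(">I", payload, off + 1)
    return fields


def advertises_strict_kex(payload, role):
    """True if the peer (role 'server' or 'client') offers its strict-kex marker."""
    return STRICT_KEX[role] in parse_kexinit(payload)["kex_algorithms"]


def terrapin_exposed(payload, role):
    """Static rule: exposed if ChaCha20-Poly1305, or a CBC cipher together with
    an EtM MAC, is offered and the strict-kex marker is not.  This is support
    only; enforcement can only be seen in a live handshake."""
    f = parse_kexinit(payload)
    ciphers = set(f["encryption_algorithms_client_to_server"]) | \
        set(f["encryption_algorithms_server_to_client"])
    macs = set(f["mac_algorithms_client_to_server"]) | \
        set(f["mac_algorithms_server_to_client"])
    chacha = "chacha20-poly1305@openssh.com" in ciphers
    cbc_etm = any(c.endswith("-cbc") for c in ciphers) and \
        any(m.endswith("-etm@openssh.com") for m in macs)
    return (chacha or cbc_etm) and not advertises_strict_kex(payload, role)


def build_kexinit(kex, hostkey, ciphers, macs, comp=("none",), cookie=b"\x00" * 16):
    """Construct a KEXINIT payload (same lists in both directions).  Only used
    here to make offline sample input; a real cookie is 16 random bytes."""
    def name_list(names):
        joined = ",".join(names).encode("ascii")
        return struct.pack(">I", len(joined)) + joined
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in (kex, hostkey, ciphers, ciphers, macs, macs, comp, comp, (), ()):
        body += name_list(names)
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


# Constructed samples: a server that advertises strict kex, and an older one
# offering chacha20 and CBC-EtM without it.
PATCHED_SERVER = build_kexinit(
    ("curve25519-sha256", "kex-strict-s-v00@openssh.com"), ("ssh-ed25519",),
    ("chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"),
    ("hmac-sha2-256-etm@openssh.com",))
UNPATCHED_SERVER = build_kexinit(
    ("curve25519-sha256",), ("ssh-ed25519",),
    ("chacha20-poly1305@openssh.com", "aes256-cbc"),
    ("hmac-sha2-256-etm@openssh.com",))

if __name__ == "__main__":
    for label, p in (("patched", PATCHED_SERVER), ("unpatched", UNPATCHED_SERVER)):
        print(label, "strict-kex:", advertises_strict_kex(p, "server"),
              "exposed:", terrapin_exposed(p, "server"))
```

Advertising the marker is all a passive check like this can observe. Whether strict kex "actually works" is a matter of behaviour: once both peers have offered their marker, each must reset its packet sequence numbers after SSH_MSG_NEWKEYS and disconnect on any unexpected message (an SSH_MSG_IGNORE, say) during the initial key exchange. Confirming that for a backported fix means driving a real handshake against the patched build with such a message injected before NEWKEYS and checking that the connection is torn down, which is the kind of test the code above does not replace.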
Hello,
On Mon 25 Dec 2023 at 11:31am +01, Martin Pitt wrote:
> Hello Sean and security team,
>
> Sean Whitton [2023-12-24 9:12 +]:
>> I have taken responsibility for fixing these CVEs in libssh in buster,
>> as part of Freexian-funded LTS work. I would like to see if I
sers might soon upgrade their machines.
I see the fixes are all in sid. Are you expecting to issue DSAs for
bullseye and bookworm? I would be grateful for some information on the
sec team's plans for these fixes.
Thanks!
--
Sean Whitton
-45803.
--
Sean Whitton
Thanks all.
--
Sean Whitton
Hello Anton,
Ola added tinymce to dla-needed.txt.
I found <https://salsa.debian.org/lts-team/packages/tinymce-archived>.
Could you let me know why the repository was archived?
Thanks.
--
Sean Whitton
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3649-1                   debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Sean Whitton
November 08, 2023                                https://wiki.debian.org/LTS
ed.
- One new test added by the patch failed with Python 3 due to API
changes in Python's core module for processing base64 encoded data.
I hacked in a fix and confirmed the test passed, but decided not to
commit or upload the change, at least for now.
--
Sean Whitton
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3634-1                   debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Sean Whitton
October 28, 2023                                 https://wiki.debian.org/LTS
Hello,
On Fri 27 Oct 2023 at 02:54pm -04, Roberto C. Sánchez wrote:
> It seems your backported patch might be faulty. [...]
Thank you for the second pair of eyes. I have confirmed your analysis.
--
Sean Whitton
, the backported patch is here:
<https://salsa.debian.org/lts-team/packages/nss/-/blob/debian/buster/debian/patches/CVE-2020-25648.patch>.
Thank you.
--
Sean Whitton
[ RUN ] TlsConnectStreamTls13.ChangeCipherSpecAfterClientHelloEmptySid
Version: TLS 1.3
server: Changing state from INIT to CONNECTING
client: Changing state f
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3621-1                   debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Sean Whitton
October 16, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3614-1                   debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Sean Whitton
October 11, 2023                                 https://wiki.debian.org/LTS
possible.
> 365 383
> 366 384 Only when you have confirmed that the package was processed after
> upload (once you get the accept email) should you send the DLA to the mailing
> list.
> 367 385
Hmm, could you explain the use of no-re...@debian.org? Isn't it
generally discouraged by the e-mail standards?
--
Sean Whitton
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3604-1                   debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Sean Whitton
October 05, 2023                                 https://wiki.debian.org/LTS
eeting.
ELTS
- ncurses
- Released ELA-967-1 fixing CVE-2020-19189.
- Updated the security tracker's data regarding a number of other CVEs
that were already fixed in buster.
--
Sean Whitton
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3586-1                   debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Sean Whitton
September 28, 2023                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3581-1                   debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Sean Whitton
September 25, 2023                               https://wiki.debian.org/LTS
Hello Utkarsh,
On Thu 14 Sep 2023 at 11:53am +01, Sean Whitton wrote:
> Hello Utkarsh,
>
> I see that you've recently worked on open-vm-tools. Could you share
> what you did to test your updates, please? More efficient than me
> figuring it out from scratch again. Thank you.
Hello Utkarsh,
I see that you've recently worked on open-vm-tools. Could you share
what you did to test your updates, please? More efficient than me
figuring it out from scratch again. Thank you.
--
Sean Whitton
,
near the end of August. It's not clear yet how many actual fixes
will be required, as at least one CVE is fixed by a patch that's
already applied.
--
Sean Whitton
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3545-1                   debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Sean Whitton
August 28, 2023                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3536-1                   debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Sean Whitton
August 20, 2023                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3516-1                   debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Sean Whitton
August 05, 2023                                  https://wiki.debian.org/LTS
or CVE-2023-37378.
ELTS
- nsis
- Prepared and released ELA-891-1, also for CVE-2023-37378.
--
Sean Whitton
Hello,
On Sat 08 Jul 2023 at 09:14am +02, Salvatore Bonaccorso wrote:
> Just noticed the suffix for the version for the buster-security / LTS
> upload was +deb9u1, was this intentional? This should have been
> +deb10u1.
It wasn't. Thank you for pointing out the mistake.
--
Sea
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3483-1                   debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Sean Whitton
July 07, 2023                                    https://wiki.debian.org/LTS
dition I like to add a couple fields to note the source of the patch and
> some who/when info, e.g.:
> https://salsa.debian.org/lts-team/packages/runc/-/blob/debian/buster/debian/patches/CVE-2022-29162.patch
Thank you very much for this review.
I've applied those changes and I'll upload
be appreciated.
I can provide .debs if it's not straightforward for you to build it.
[1] https://salsa.debian.org/lts-team/packages/nsis
[2] https://nsis.sourceforge.io/Simple_tutorials
--
Sean Whitton
eep LTS needs in mind while doing their other
work. Indeed, that's what you're asking for in the paragraphs of your
e-mail I've quoted. Reducing integration avoids this problem.
--
Sean Whitton