Re: RFC / Call for testing: ghostscript

2019-01-30 Thread Markus Koschany
Hi,
On 30.01.19 at 13:07, Emilio Pozuelo Monfort wrote:
[...]
> I would appreciate some testing and/or feedback.
I have done most of the backporting work for the previous vulnerabilities of Ghostscript. I don't recommend to backport the stable version to Jessie at the moment but rather to

RFC / Call for testing: ghostscript

2019-01-30 Thread Emilio Pozuelo Monfort
Hi,
There is a vulnerability in ghostscript that allows maliciously crafted files to bypass the sandbox and execute arbitrary code:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1729
I would be wary of backporting the fix to our old version of ghostscript as the code has changed

Re: RFC / Call for testing: ghostscript

2019-01-30 Thread Moritz Mühlenhoff
On Wed, Jan 30, 2019 at 01:24:40PM +0100, Markus Koschany wrote:
> Hi,
>
> On 30.01.19 at 13:07, Emilio Pozuelo Monfort wrote:
> [...]
> > I would appreciate some testing and/or feedback.
>
> I have done most of the backporting work for the previous
> vulnerabilities of Ghostscript. I don't

PHP 5.6.40 on Jessie

2019-01-30 Thread Jean-Baptiste Martin-Ariès
Hello,
PHP 5.6.40 had been made available on 10 Jan 2019 and contains several bugs and security fixes.
Is it planned to package it for Jessie? When should the package be available?
JB

[SECURITY] [DLA 1648-1] firefox-esr security update

2019-01-30 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Package: firefox-esr
Version: 60.5.0esr-1~deb8u1
CVE ID: CVE-2018-18500 CVE-2018-18501 CVE-2018-18505
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the

[SECURITY] [DLA 1649-1] spice security update

2019-01-30 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Package: spice
Version: 0.12.5-1+deb8u7
CVE ID: CVE-2019-3813
Debian Bug: 920762
Christophe Fergeau discovered an out-of-bounds read vulnerability in spice, a SPICE protocol client and server library, which might

Re: PHP 5.6.40 on Jessie

2019-01-30 Thread Markus Koschany
Hello,
On 30.01.19 at 15:56, Jean-Baptiste Martin-Ariès wrote:
> Hello,
>
> PHP 5.6.40 had been made available on 10 Jan 2019 and contains several
> bugs and security fixes.
>
> Is it planned to package it for Jessie? When should the package be
> available?
Yes, we will package 5.6.40.

[SECURITY] [DLA 1651-1] libgd2 security update

2019-01-30 Thread Thorsten Alteholz
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package: libgd2
Version: 2.1.0-5+deb8u12
CVE ID: CVE-2018-5711 CVE-2018-1000222 CVE-2019-6977 CVE-2019-6978
Several issues in libgd2, a graphics library that allows to quickly draw images, have been

[SECURITY] [DLA 1650-1] rssh security update

2019-01-30 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package: rssh
Version: 2.3.4-4+deb8u1
CVE ID: CVE-2019-118
Debian Bug: 919623
The ESnet security team discovered a vulnerability in rssh, a restricted shell that allows users to perform only scp, sftp, cvs,

Accepted rssh 2.3.4-4+deb8u1 (source amd64) into oldstable

2019-01-30 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 30 Jan 2019 18:34:46 +0100
Source: rssh
Binary: rssh
Architecture: source amd64
Version: 2.3.4-4+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Russ Allbery
Changed-By: Markus Koschany
Description: rssh

Re: RFC / Call for testing: ghostscript

2019-01-30 Thread Markus Koschany
[No need to CC me, I am subscribed]
On 30.01.19 at 14:29, Moritz Mühlenhoff wrote:
> On Wed, Jan 30, 2019 at 01:24:40PM +0100, Markus Koschany wrote:
>> Hi,
>>
>> On 30.01.19 at 13:07, Emilio Pozuelo Monfort wrote:
>> [...]
>>> I would appreciate some testing and/or feedback.
>>
>> I have done