CVE-2019-10906 - jinja sandbox escape poc

2019-04-08 Thread Hugo Lefeuvre
Hi, I'm working on a potential jinja2 Debian LTS security update. Here is a proof of concept which allows one to easily reproduce the issue. This should help confirm the vulnerability in other suites. >>> from jinja2.sandbox import SandboxedEnvironment >>> env = SandboxedEnvironment() >>> config = {'S

libvirt / CVE-2019-3886

2019-04-08 Thread Brian May
Patch for Jessie version attached. Patch is applied by hand from https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html I am a bit concerned this patch only patches the virDomainGetHostname function and not the virDomainGetTime function, while the tests (which I suspect are not run i

Re: CVE-2019-10906 - jinja sandbox escape poc

2019-04-08 Thread Hugo Lefeuvre
> This should help confirm the vulnerability in other suites. 2.7.3-1 and all later releases affected. In addition, both 2.7.3-1 and 2.8-1 are affected by the previous str.format issue[0]. [0] https://palletsprojects.com/blog/jinja-281-released/ -- Hugo Lefeuvre (hle)|www

Fwd: [SECURITY] [DSA 4427-1] samba security update

2019-04-08 Thread Mathieu Parent
Dear LTS maintainers, See attached patch for CVE-2019-3880 in samba. Don't know if it applies cleanly. Regards Mathieu Parent -- Forwarded message - De : Sebastien Delafond Date: lun. 8 avr. 2019 à 10:27 Subject: [SECURITY] [DSA 4427-1] samba security update To: -BEGIN P

Re: libvirt / CVE-2019-3886

2019-04-08 Thread Guido Günther
Hi, On Mon, Apr 08, 2019 at 05:50:46PM +1000, Brian May wrote: > Patch for Jessie version attached. Patch is applied by hand from > https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html I don't think this is needed for jessie since the corresponding function in qemu was implemented

Re: Fwd: [SECURITY] [DSA 4427-1] samba security update

2019-04-08 Thread Sylvain Beucler
Thanks Mathieu. I referenced it in our dla-needed.txt task list. A member of the LTS team will look into it. Cheers! Sylvain On 08/04/2019 11:10, Mathieu Parent wrote: > Dear LTS maintainers, > > See attached patch for CVE-2019-3880 in samba. > Don't know if it applies cleanly. > > Regards > >

(semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-04-08 Thread Holger Levsen
Hi, I've done this again and am considering (in general) not writing these mails anymore. Please speak up if you think these mails are useful (or could be made more useful.) Today I do feel it's useful to point out that one should not merely reclaim the packages but also update the notes and ex

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-04-08 Thread Sylvain Beucler
Hi, On 08/04/2019 14:32, Holger Levsen wrote: > I've done this again and am considering (in general) to not write these mails > anymore. Please speak up if you think these mails are useful (or could > be made more useful.) > > Today I do feel it's useful to point out, that one should not merely >

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-04-08 Thread Hugo Lefeuvre
> > I've done this again and am considering (in general) to not write these > > mails > > anymore. Please speak up if you think these mails are useful (or could > > be made more useful.) > > I think they are useful, though according to the wiki page they are part > of the front-desk duties. I als

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-04-08 Thread Holger Levsen
On Mon, Apr 08, 2019 at 02:35:21PM +0200, Sylvain Beucler wrote: > I think they are useful ok. as two people expressed this, I will keep them. > though according to the wiki page they are part > of the front-desk duties. > > Should we update it? so far, I think, frontdesk has never done this, s

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-04-08 Thread Roberto C. Sánchez
On Mon, Apr 08, 2019 at 12:32:35PM +, Holger Levsen wrote: > Hi, > > I've done this again and am considering (in general) to not write these mails > anymore. Please speak up if you think these mails are useful (or could > be made more useful.) > > Today I do feel it's useful to point out, tha

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-04-08 Thread Holger Levsen
On Mon, Apr 08, 2019 at 10:31:23AM -0400, Roberto C. Sánchez wrote: > Is there perhaps a way of thinking about this that I am missing? honest question: do you think it's too much work to update the notes every other week? -- tschau, Holger -

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-04-08 Thread Roberto C. Sánchez
hon2.7 (Roberto C. Sánchez) NOTE: 20190321: Patches integrated for CVE-2018-14647, CVE-2019-5010, and CVE-2019-9636 - NOTE: 20190321: Waiting on upstream action for CVE-2019-9740 (roberto) + NOTE: 20190408: Waiting on upstream action for CVE-2019-9740 (roberto) -- python3.4 (Roberto C.

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-04-08 Thread Holger Levsen
On Mon, Apr 08, 2019 at 11:26:31AM -0400, Roberto C. Sánchez wrote: > I knew something was missing from my message :-) :) > I have no problem updating the notes weekly or so. That solution would > also fit well with the current system. great! and yes, simply updating the note is enough. It's al

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-04-08 Thread Roberto C. Sánchez
On Mon, Apr 08, 2019 at 04:25:39PM +, Holger Levsen wrote: > On Mon, Apr 08, 2019 at 11:26:31AM -0400, Roberto C. Sánchez wrote: > > I knew something was missing from my message :-) > > :) > > > I have no problem updating the notes weekly or so. That solution would > > also fit well with the

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-04-08 Thread Holger Levsen
On Mon, Apr 08, 2019 at 12:36:25PM -0400, Roberto C. Sánchez wrote: > That is excellent to know. Thanks for the feedback. thank you too! :) -- tschau, Holger --- holger@(debian|reproducible-buil

Re: more missing DLAs on the website

2019-04-08 Thread Holger Levsen
retitle 859122 25 DLAs missing from the website thanks On Wed, Apr 03, 2019 at 05:47:42PM +1100, Brian May wrote: > > Thanks for this offer! I don't think anybody would complain if you do this > > work... quite the contrary :) > I fixed some more: > https://salsa.debian.org/webmaster-team/webwml/m

LTS, no-dsa reasoning and sponsored packages

2019-04-08 Thread Salvatore Bonaccorso
Hi LTS contributors, Recently I noticed that for a no-dsa (either for no-dsa or the stronger ignored) as explanation was started to be used e.g. "not used by any sponsor". If LTS is meant as Debian project, then I would suggest not to start to use those formulations, which I think are fine for EL

Re: LTS, no-dsa reasoning and sponsored packages

2019-04-08 Thread Holger Levsen
Hi Salvatore, On Mon, Apr 08, 2019 at 09:51:19PM +0200, Salvatore Bonaccorso wrote: > Recently I noticed that for a no-dsa (either for no-dsa or the > stronger ignored) as explanation was started to be used e.g. "not used > by any sponsor". > > If LTS is meant as Debian project, then I would sugg

Re: LTS, no-dsa reasoning and sponsored packages

2019-04-08 Thread Sylvain Beucler
Hi, On 08/04/2019 21:56, Holger Levsen wrote: > On Mon, Apr 08, 2019 at 09:51:19PM +0200, Salvatore Bonaccorso wrote: >> Recently I noticed that for a no-dsa (either for no-dsa or the >> stronger ignored) as explanation was started to be used e.g. "not used >> by any sponsor". That sounds related

Re: more missing DLAs on the website

2019-04-08 Thread Brian May
Holger Levsen writes: > ERROR: .data or .wml file missing for DLA 1750-1 > ERROR: .data or .wml file missing for DLA 1730-2 > ERROR: .data or .wml file missing for DLA 719-1 > ERROR: .data or .wml file missing for DLA 706-1 > ERROR: .data or .wml file missing for DLA 659-1 > ERROR: .data or .wml

Re: LTS, no-dsa reasoning and sponsored packages

2019-04-08 Thread Markus Koschany
Am 08.04.19 um 21:51 schrieb Salvatore Bonaccorso: > Hi LTS contributors, > > Recently I noticed that for a no-dsa (either for no-dsa or the > stronger ignored) as explanation was started to be used e.g. "not used > by any sponsor". > > If LTS is meant as Debian project, then I would suggest not

Re: more missing DLAs on the website

2019-04-08 Thread Salvatore Bonaccorso
Hi Brian, On Tue, Apr 09, 2019 at 07:38:19AM +1000, Brian May wrote: > Holger Levsen writes: > > > ERROR: .data or .wml file missing for DLA 1750-1 > > ERROR: .data or .wml file missing for DLA 1730-2 > > ERROR: .data or .wml file missing for DLA 719-1 > > ERROR: .data or .wml file missing for D