Re: Please remove non-lts architectures from wheezy-security

2016-05-03 Thread Paul Wise
On Wed, May 4, 2016 at 12:23 AM, Tom Turelinckx wrote: > Jessie is not available for sparc. If you are actually using sparc I would recommend you look at migrating to and assisting the sparc64 porting efforts. Or reviving sparc if you need 32-bit SPARC. Or switch to another architecture.

Accepted biogenesis 0.8-1+deb7u1 (source all) into oldstable

2016-05-03 Thread dak
Format: 1.8 Date: Wed, 04 May 2016 00:19:39 +0200 Source: biogenesis Binary: biogenesis Architecture: source all Version: 0.8-1+deb7u1 Distribution: wheezy-security Urgency: high Maintainer: Miriam Ruiz Changed-By: Markus

Accepted rjava 0.9-3-1+deb7u1 (source amd64) into oldstable

2016-05-03 Thread dak
Format: 1.8 Date: Wed, 04 May 2016 00:29:13 +0200 Source: rjava Binary: r-cran-rjava Architecture: source amd64 Version: 0.9-3-1+deb7u1 Distribution: wheezy-security Urgency: high Maintainer: Dirk Eddelbuettel Changed-By: Markus

Accepted jedit 4.5.2+dfsg-1+deb7u1 (source all) into oldstable

2016-05-03 Thread dak
Format: 1.8 Date: Tue, 03 May 2016 22:38:11 +0200 Source: jedit Binary: jedit Architecture: source all Version: 4.5.2+dfsg-1+deb7u1 Distribution: wheezy-security Urgency: high Maintainer: Debian Java Maintainers

Re: [SECURITY] [DLA 456-1] openssl security update

2016-05-03 Thread Yoshi Tsunoda
returned in the buffer. Additional information about these issues can be found in the OpenSSL security advisory at https://www.openssl.org/news/secadv/20160503.txt

Accepted jftp 1.52+dfsg-2+deb7u1 (source all) into oldstable

2016-05-03 Thread dak
Format: 1.8 Date: Fri, 22 Apr 2016 21:58:26 +0200 Source: jftp Binary: jftp Architecture: source all Version: 1.52+dfsg-2+deb7u1 Distribution: wheezy-security Urgency: high Maintainer: Debian Java maintainers

[SECURITY] [DLA 456-1] openssl security update

2016-05-03 Thread Kurt Roeckx
in the OpenSSL security advisory at https://www.openssl.org/news/secadv/20160503.txt

[SECURITY] [DLA 455-1] asterisk security update

2016-05-03 Thread Thorsten Alteholz
Package: asterisk Version: 1:1.8.13.1~dfsg1-3+deb7u4 CVE ID : CVE-2014-2286 CVE-2014-4046 CVE-2014-6610 CVE-2014-8412 CVE-2014-8418 CVE-2015-3008 Debian Bug : 741313 762164 771463 782411 CVE-2014-6610

[SECURITY] [DLA 454-1] minissdpd security update

2016-05-03 Thread Thorsten Alteholz
Package: minissdpd Version: 1.1.20120121-1+deb7u1 CVE ID : CVE-2016-3178 CVE-2016-3179 The minissdpd daemon contains an improper validation of array index vulnerability (CWE-129) when processing requests sent to the Unix

RE: Please remove non-lts architectures from wheezy-security

2016-05-03 Thread Tom Turelinckx
Markus, If I do that, apt-get update can't find any of the Packages files. There is no wheezy nor wheezy-updates on archive.debian.org/debian... Tom -Original Message- From: Markus Koschany [mailto:a...@debian.org] Sent: Tuesday, May 03, 2016 6:35 PM To: Tom Turelinckx Cc:

Re: Wheezy update of roundcube?

2016-05-03 Thread Markus Koschany
On 03.05.2016 at 18:37, Moritz Muehlenhoff wrote: > On Tue, May 03, 2016 at 06:28:03PM +0200, Markus Koschany wrote: >> The second best solution would be to backport either the 1.0.x branch or >> your jessie-backport packages to Wheezy. Since you actively maintain >> them, what do you think, how

Re: Wheezy update of roundcube?

2016-05-03 Thread Moritz Muehlenhoff
On Tue, May 03, 2016 at 06:28:03PM +0200, Markus Koschany wrote: > The second best solution would be to backport either the 1.0.x branch or > your jessie-backport packages to Wheezy. Since you actively maintain > them, what do you think, how complex is the task to backport the > packages from

Re: Please remove non-lts architectures from wheezy-security

2016-05-03 Thread Markus Koschany
Hello Tom, On 03.05.2016 at 18:23, Tom Turelinckx wrote: > Hello Markus, > > Jessie is not available for sparc. True. sparc64 is the only non-official release architecture that comes somewhat close. > > My /etc/apt/sources.list looks like this: > > deb http://ftp.be.debian.org/debian wheezy

Re: Wheezy update of roundcube?

2016-05-03 Thread Markus Koschany
On 03.05.2016 at 17:49, Guilhem Moulin wrote: > On Tue, 03 May 2016 at 10:47:31 -0400, Antoine Beaupré wrote: >> I agree, however I suspect most people using roundcube in production are >> probably using the backport... There's even a dangling backport in >> wheezy right now (0.9)... a little

Re: Wheezy update of roundcube?

2016-05-03 Thread Guilhem Moulin
On Tue, 03 May 2016 at 10:47:31 -0400, Antoine Beaupré wrote: > I agree, however I suspect most people using roundcube in production are > probably using the backport... There's even a dangling backport in > wheezy right now (0.9)... a little messy. Sorry, I meant oldstable-backports not

[SECURITY] [DLA 452-1] smarty3 security update

2016-05-03 Thread Markus Koschany
Package: smarty3 Version: 3.1.10-2+deb7u1 CVE ID : CVE-2014-8350 Debian Bug : 765920 Smarty3, a template engine for PHP, allowed remote attackers to bypass the secure mode restrictions and execute arbitrary PHP code as

Re: xen debdiff

2016-05-03 Thread Antoine Beaupré
On 2016-05-03 04:07:08, Brian May wrote: > Hello, > > Raphael Hertzog asked me to post the debdiff of the Ubuntu package I am > working on here. > > He had some concerns with using the Ubuntu version like this. In > particular Ubuntu does some things differently with respect to init.d > scripts,

Re: testing asterisk for Wheezy LTS

2016-05-03 Thread Antoine Beaupré
On 2016-05-02 18:58:23, Gabriel Filion wrote: > Oops, I forgot to mention that I am not subscribed to the mailing list. > So please include me in CC for replies. > >> thanks a lot for testing the package, I really appreciate it. >> >> On Thu, 28 Apr 2016, Gabriel Filion wrote: >> >>> >

Re: Wheezy update of roundcube?

2016-05-03 Thread Antoine Beaupré
On 2016-05-02 15:31:39, Guilhem Moulin wrote: > Hi there, > > On Mon, 02 May 2016 at 21:19:13 +0200, Markus Koschany wrote: >> Would you like to take care of this yourself? > > Not replying in the name of team (however I'm the one who pushed for > Roundcube in jessie-backports and who is trying to

Re: Looking for programmers handling security updates for Debian 7 LTS

2016-05-03 Thread Eric Van Buggenhaut
Hello, I have just seen my announcement for the security updates job. I am in fact a 'retired' Debian developer; does that suit you for the position? Kind regards, 2016-05-02 11:41 GMT+02:00 Raphael Hertzog : > Hello, > > the amount of sponsorship for Debian LTS[1]

[SECURITY] [DLA 451-1] openjdk-7 security update

2016-05-03 Thread Markus Koschany
Package: openjdk-7 Version: 7u101-2.6.6-2~deb7u1 CVE ID : CVE-2016-0636 CVE-2016-0686 CVE-2016-0687 CVE-2016-0695 CVE-2016-3425 CVE-2016-3426 CVE-2016-3427 Several vulnerabilities have been discovered in

Re: xen debdiff

2016-05-03 Thread Holger Levsen
On Tue, May 03, 2016 at 11:01:16AM +0200, Raphael Hertzog wrote: > I don't think that any Xen experience makes a big difference here as > the problem I pointed out are in the packaging and not in the upstream > source code. I still believe that we should update to the latest 4.1.x > release.

Re: Supporting libav in wheezy

2016-05-03 Thread Raphael Hertzog
On Tue, 03 May 2016, Brian May wrote: > I have a suspicion that many of these installs may be due to libav being > installed to satisfy dependencies. There are a large number of packages > that do depend on libav. Yes, that's obvious, a library is usually installed by way of dependencies. But if you

Re: xen debdiff

2016-05-03 Thread Raphael Hertzog
On Tue, 03 May 2016, Brian May wrote: > He had some concerns with using the Ubuntu version like this. In > particular Ubuntu does some things differently with respect to init.d > scripts, has a different changelog, and there are some changes other > changes here that may not be security related.

Re: Sending LTS changes to debian-lts-changes

2016-05-03 Thread Raphael Hertzog
On Mon, 02 May 2016, Ansgar Burchardt wrote: > > Send them first only to debian-lts-changes@ as it might be that the > > tracker gets them that way too. > > Now I already set both mail addresses. Should I change that to only > debian-lts-changes@? > Note that security.d.o doesn't send mail to

Re: Sending LTS changes to debian-lts-changes

2016-05-03 Thread Moritz Muehlenhoff
On Mon, May 02, 2016 at 08:57:40PM +0200, Ansgar Burchardt wrote: > Raphael Hertzog writes: > > On Mon, 02 May 2016, Markus Koschany wrote: > >> thank you for fixing the mirror bug. Moritz Mühlenhoff informed us on > >> IRC that accepted mails for LTS uploads are still sent to dak AT > >>