Accepted libupnp 1:1.6.17-1.2+deb7u1 (source amd64 all) into oldstable

2016-08-17 Thread Balint Reczey
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 27 Jul 2016 19:01:31 +0200
Source: libupnp
Binary: libupnp6 libupnp6-dev libupnp-dev libupnp6-dbg libupnp6-doc
Architecture: source amd64 all
Version: 1:1.6.17-1.2+deb7u1
Distribution: wheezy-security
Urgency: medium

Re: Security support for libav in Debian Wheezy

2016-08-17 Thread Diego Biurrun
On 2016-08-17 21:04, Markus Koschany wrote: On 26.07.2016 18:51, Diego Biurrun wrote: Sorry, I'm afraid I maintained too much radio silence.. Yes, that happens. You don't need to wait until you have fixed all open libav issues because LTS users will also benefit from an intermediate release of

Wheezy update of libgcrypt11?

2016-08-17 Thread Chris Lamb
Hello dear maintainer(s), the Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of libgcrypt11: https://security-tracker.debian.org/tracker/CVE-2016-6313 Would you like to take care of this yourself? If yes, please follow the workflow we have

Re: Security support for libav in Debian Wheezy

2016-08-17 Thread Markus Koschany
Hello,
On 26.07.2016 18:51, Diego Biurrun wrote:
> Sorry, I'm afraid I maintained too much radio silence..
Yes, that happens. You don't need to wait until you have fixed all open libav issues because LTS users will also benefit from an intermediate release of your fixes. I believe we should work

Re: Security update of Wordpress

2016-08-17 Thread Markus Koschany
On 16.08.2016 10:22, Brian May wrote:
> Markus Koschany writes:
>
>> I also tried to fix CVE-2015-8834 for Wheezy by backporting
>> changeset/32387 but the database upgrade failed, at least I could not
>> log back into the admin backend again. Did you notice a similar issue
>>

My Debian LTS activities in July 2016

2016-08-17 Thread Santiago R.R.
Hi, For July 2016, I had in total 25.95 paid hours available (including those spare from previous months) to work on Debian LTS via the Freexian umbrella. However, I was only able to use 14. This is partially what I have done:
* Helped to test the apache2 package prepared and uploaded by

Re: Wheezy update of icu?

2016-08-17 Thread Roberto C. Sánchez
On Sun, Jul 24, 2016 at 04:26:20PM -0400, Roberto C. Sánchez wrote:
> FYI, I did the last LTS update of ICU earlier this month, so I think I
> will be able to easily prepare another update. I went ahead and claimed
> it in dla-needed.txt, but if the maintainer or someone else would like
> to

Re: Security update of Wordpress

2016-08-17 Thread Craig Small
It's probably best to compare the 4.1.12 upstream version and make sure it follows whatever they do there. That in theory has been tested. I'm surprised there was a database update skipped. And yes the security bug was around having comments too long. I forget the exact attack method but it was

Re: CVE-2016-2839 / Firefox-ESR

2016-08-17 Thread Mike Hommey
On Wed, Aug 17, 2016 at 09:00:30AM +0100, Chris Lamb wrote:
> Hi Brian,
>
> > 45.3.0esr-1~deb7u1 in wheezy is vulnerable.
> > 45.3.0esr-1~deb8u1 in jessie is vulnerable.
> > 45.3.0esr-1 in sid and stretch is not vulnerable.
> >
> > Which makes me wonder if Wheezy and Jessie versions have been

Re: CVE-2016-2839 / Firefox-ESR

2016-08-17 Thread Chris Lamb
Hi Brian,
> 45.3.0esr-1~deb7u1 in wheezy is vulnerable.
> 45.3.0esr-1~deb8u1 in jessie is vulnerable.
> 45.3.0esr-1 in sid and stretch is not vulnerable.
>
> Which makes me wonder if Wheezy and Jessie versions have been fixed, but
> not marked as such
Good spot. CVE-2016-2839 is marked as

Re: matrixssl

2016-08-17 Thread Brian May
Guido Günther writes:
> As I wrote in dla-needed.txt the bignum handling is in
> crypto/peersec/mpi.c and it seems to use the same algorithms (and lacks
> the same checks in e.g. mp_exptmod) so I marked it as
> vulnerable. Porting back the fixes from the current version will be