Re: Wheezy update of icu?

2016-09-07 Thread Guido Günther
On Wed, Sep 07, 2016 at 07:15:56PM -0400, Roberto C. Sánchez wrote: > On Wed, Sep 07, 2016 at 09:10:16PM +0200, Moritz Muehlenhoff wrote: > > > > So, you've identified the upstream fix for CVE-2016-6293 and why does > > that not get committed to the security tracker? > > > > That really sucks.

Re: Wheezy update of icu?

2016-09-07 Thread Roberto C. Sánchez
On Wed, Sep 07, 2016 at 09:10:16PM +0200, Moritz Muehlenhoff wrote: > > So, you've identified the upstream fix for CVE-2016-6293 and why does > that not get committed to the security tracker? > > That really sucks. LTS development almost fully relies on the > security tracker, so why don't you

curl security update for Wheezy LTS

2016-09-07 Thread Bálint Réczey
Hi, I have prepared an update for curl in Wheezy. Please see the diff to previous version attached. Changes: curl (7.26.0-1+wheezy15) wheezy-security; urgency=medium . * Non-maintainer upload by the LTS team. * Fix CVE-2016-7141: Incorrect reuse of client certificates The binary

Re: Wheezy update of icu?

2016-09-07 Thread Moritz Muehlenhoff
On Wed, Sep 07, 2016 at 08:25:36AM -0400, Roberto C. Sánchez wrote: > On Wed, Sep 07, 2016 at 11:07:16AM +0200, Bálint Réczey wrote: > > > > I have not found however the proposed fix on the list thus I did not > > know if you used the upstream fix. > > > > I think it would be a good idea to send

Re: Wheezy update of libtomcrypt?

2016-09-07 Thread Jonas Meurer
Am 07.09.2016 um 13:23 schrieb Bálint Réczey: >>> I (on behalf of the LTS Team since I'm responsible for frontdesk now) take >>> your >>> answer as covering all future security updates for releases in LTS period >>> thus we won't contact you for each CVE. >> >> It's great idea to have maintainers

Re: Wheezy update of inspircd?

2016-09-07 Thread Ben Hutchings
On Tue, 2016-09-06 at 22:28 -0400, Antoine Beaupré wrote: > I am a bit surprised to see this - are ircd packages sponsored now? > There's a similar issue in Charybdis and I deliberately marked it as > unsupported in LTS because, AFAIK, no customer expressed the need to > support those yet. If

Re: testing asterisk for Wheezy LTS

2016-09-07 Thread Thorsten Alteholz
Hi Balint, On Wed, 7 Sep 2016, Bálint Réczey wrote: Are you still working on the remaining CVE-s? yes, I am still working on them. Thorsten

Re: Wheezy update of libtomcrypt?

2016-09-07 Thread Guido Günther
Hi, Thanks for having a look! On Wed, Sep 07, 2016 at 01:23:49PM +0200, Bálint Réczey wrote: > Hi, > > 2016-09-07 8:00 GMT+02:00 Guido Günther : > > Hi Bálint, > > On Wed, Sep 07, 2016 at 12:21:28AM +0200, Bálint Réczey wrote: > >> Hi Michael, > >> > >> 2016-09-04 17:51

Re: Wheezy update of libtomcrypt?

2016-09-07 Thread Bálint Réczey
Hi, 2016-09-07 8:00 GMT+02:00 Guido Günther : > Hi Bálint, > On Wed, Sep 07, 2016 at 12:21:28AM +0200, Bálint Réczey wrote: >> Hi Michael, >> >> 2016-09-04 17:51 GMT+02:00 Michael Stapelberg : >> > Thanks for your work on LTS. >> > >> > Time does not

Re: Wheezy update of icu?

2016-09-07 Thread Bálint Réczey
Hi Roberto, 2016-09-07 4:06 GMT+02:00 Roberto C. Sánchez : > Hi Balint, > > On Wed, Sep 07, 2016 at 03:12:46AM +0200, Bálint Réczey wrote: >> Hi Roberto, >> >> I think there is no need wait more (wearing my frontdesk hat). >> There are fixes in upstream's repository: >>

Re: Wheezy update of roundcube

2016-09-07 Thread Ola Lundqvist
Hi If you are sure CVE-2016-4068 is mitigated then we should be able to mark it as fixed. But you need to be sure. :-) // Ola On Tue, Sep 6, 2016 at 6:13 PM, Raphael Hertzog wrote: > Hi Markus, > > On Wed, 20 Jul 2016, Markus Koschany wrote: >> Feel free to work on

Re: testing php5 for Wheezy LTS

2016-09-07 Thread Jan Ingvoldstad
On 08/31/2016 08:37 PM, Thorsten Alteholz wrote: Hi everybody, I uploaded version 5.4.45-0+deb7u4 of php5 to: https://people.debian.org/~alteholz/packages/wheezy-lts/php5/amd64/ Please give it a try and tell me about any problems you met. As requested by Jan, besides the CVEs I also added

Re: Wheezy update of inspircd?

2016-09-07 Thread Ola Lundqvist
Hi The LTS team also tries to fix security holes in all packages. Not only the ones explicitly expressed a need for by the customers. The ones expressed a need for always have a higher priority. However if it is like you write that 2.0.5 is full of security holes and nobody has expressed a

Re: Wheezy update of libtomcrypt?

2016-09-07 Thread Guido Günther
Hi Bálint, On Wed, Sep 07, 2016 at 12:21:28AM +0200, Bálint Réczey wrote: > Hi Michael, > > 2016-09-04 17:51 GMT+02:00 Michael Stapelberg : > > Thanks for your work on LTS. > > > > Time does not permit me to do any of this work myself. > > > > Please go ahead and make any