Re: fixing links for DLAs in the security tracker

2017-03-28 Thread Salvatore Bonaccorso
Hi, On Wed, Mar 29, 2017 at 06:28:49AM +0200, Salvatore Bonaccorso wrote: > Hi, > > On Tue, Mar 28, 2017 at 10:16:52PM +, Holger Levsen wrote: > > On Tue, Mar 28, 2017 at 10:35:34PM +0200, Moritz Muehlenhoff wrote: > > > Well, you don't have a web site comparable to > > >

Re: fixing links for DLAs in the security tracker

2017-03-28 Thread Paul Wise
On Wed, Mar 29, 2017 at 12:28 PM, Salvatore Bonaccorso wrote: > See as well https://bugs.debian.org/761945 (and respective clones for > debian-). Committed a patch for this, carnil deployed it. One downside to this is that committing DLAs to the Debian website hasn't happened since 2016

Re: fixing links for DLAs in the security tracker

2017-03-28 Thread Salvatore Bonaccorso
Hi, On Tue, Mar 28, 2017 at 10:16:52PM +, Holger Levsen wrote: > On Tue, Mar 28, 2017 at 10:35:34PM +0200, Moritz Muehlenhoff wrote: > > Well, you don't have a web site comparable to > > https://www.debian.org/security/2017/dsa-3796, so where should > > it possibly link to? > > I guess

Re: fixing links for DLAs in the security tracker

2017-03-28 Thread Holger Levsen
On Tue, Mar 28, 2017 at 10:35:34PM +0200, Moritz Muehlenhoff wrote: > Well, you don't have a web site comparable to > https://www.debian.org/security/2017/dsa-3796, so where should > it possibly link to? I guess it's time to create this "web site" then :) -- cheers, Holger

[SECURITY] [DLA 547-2] graphicsmagick regression update

2017-03-28 Thread Antoine Beaupré
Package: graphicsmagick Version: 1.3.16-1.1+deb7u6 CVE ID : CVE-2016-5240 Debian Bug : N/A The fix for CVE-2016-5240 was improperly applied which resulted in GraphicsMagick crashing instead of entering an infinite loop with the given proof of concept. Furthermore, the

Re: fixing links for DLAs in the security tracker

2017-03-28 Thread Moritz Muehlenhoff
On Tue, Mar 28, 2017 at 04:08:19PM -0400, Antoine Beaupré wrote: > I constantly find myself struggling to find the actual DLA announcements > when I browse the security tracker. Take for example: > > https://security-tracker.debian.org/tracker/CVE-2016-8743 > > If you click on the DSA there: >

Accepted graphicsmagick 1.3.16-1.1+deb7u6 (source amd64 all) into oldstable

2017-03-28 Thread Antoine Beaupré
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Mon, 16 Jan 2017 14:35:02 -0500 Source: graphicsmagick Binary: graphicsmagick libgraphicsmagick3 libgraphicsmagick1-dev libgraphicsmagick++3 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat

[SECURITY] [DLA 878-1] libytnef security update

2017-03-28 Thread Thorsten Alteholz
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: libytnef Version: 1.5-4+deb7u1 CVE ID : CVE-2017-6298 CVE-2017-6299 CVE-2017-6300 CVE-2017-6301 CVE-2017-6302 CVE-2017-6303 CVE-2017-6304 CVE-2017-6305 CVE-2017-6801 CVE-2017-6802

Re: Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-28 Thread Mathieu Parent
2017-03-28 21:07 GMT+02:00 Ola Lundqvist : > Hi Mathieu and Roberto Hi, > Mathieu, do you mean that the patches should apply cleanly and if they do > not, then we have missed some other important patch, or do you just mean > that they should generally apply cleanly? I don't

fixing links for DLAs in the security tracker

2017-03-28 Thread Antoine Beaupré
I constantly find myself struggling to find the actual DLA announcements when I browse the security tracker. Take for example: https://security-tracker.debian.org/tracker/CVE-2016-8743 If you click on the DSA there: https://security-tracker.debian.org/tracker/DSA-3796-1 You have a nice

Re: Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-28 Thread Ola Lundqvist
Hi Mathieu and Roberto Mathieu, do you mean that the patches should apply cleanly and if they do not, then we have missed some other important patch, or do you just mean that they should generally apply cleanly? I'm asking as it is rather expected that patches do not apply cleanly when we are

Re: Update wheezy samba to 3.6.25?

2017-03-28 Thread Ola Lundqvist
Hi Roberto When you write that the latest patches do not apply cleanly, do you mean that the code is substantially different so even a manual apply is difficult, or do you just mean that the patches do not apply cleanly when running the patch command? Best regards // Ola On 28 March 2017 at

Re: Wheezy update of ca-certificates?

2017-03-28 Thread Ola Lundqvist
Hi Let us in the LTS team know if you need assistance on this. Best regards // Ola On 28 March 2017 at 18:05, Michael Shuler wrote: > On 03/27/2017 09:06 PM, Paul Wise wrote: > > On Tue, Mar 28, 2017 at 8:12 AM, Michael Shuler wrote: > > > >> I need to fix up the

Re: Wheezy update of binutils?

2017-03-28 Thread Ola Lundqvist
Hi That should be fine. // Ola On 27 March 2017 at 22:16, Antoine Beaupré wrote: > FWIW, the security team just marked all the currently pending security > issues of binutils in jessie as "no-dsa (minor issue)" which means they > consider the issues are not serious

Accepted libytnef 1.5-4+deb7u1 (source amd64) into oldstable

2017-03-28 Thread Thorsten Alteholz
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 26 Mar 2017 18:03:02 +0100 Source: libytnef Binary: libytnef0 libytnef0-dev Architecture: source amd64 Version: 1.5-4+deb7u1 Distribution: wheezy-security Urgency: high Maintainer: Debian QA Group

skipping clean on host when building in a chroot

2017-03-28 Thread Antoine Beaupré
On 2017-01-31 21:36:02, Guido Günther wrote: > On Tue, Jan 31, 2017 at 04:07:19PM -0500, Antoine Beaupré wrote: >> On 2017-01-31 21:42:41, Emilio Pozuelo Monfort wrote: >> > I'd say it makes sense to release a regression update. >> > >> > BTW I'm not sure about this change, which is not mentioned

Re: Wheezy update of ca-certificates?

2017-03-28 Thread Michael Shuler
On 03/27/2017 09:06 PM, Paul Wise wrote: > On Tue, Mar 28, 2017 at 8:12 AM, Michael Shuler wrote: > >> I need to fix up the jessie PU I have filed (and update to 2.11), and >> I'll do a wheezy PU at the same time. Thanks! s/wheezy PU/wheezy LTS/ > Debian wheezy is no longer managed by the

Update wheezy samba to 3.6.25?

2017-03-28 Thread Roberto C. Sánchez
LTS folks, Based on Mathieu's comment related to the most recent samba patches not applying cleanly to the version in wheezy, it seems that an update to the latest upstream 3.6 release might be necessary. That said, I have looked at the diffstat between the version in wheezy (3.6.6) and 3.6.25,

[SECURITY] [DLA 877-1] tiff security update

2017-03-28 Thread Raphael Hertzog
Package: tiff Version: 4.0.2-6+deb7u11 CVE ID : CVE-2016-10266 CVE-2016-10267 CVE-2016-10268 CVE-2016-10269 libtiff is vulnerable to multiple buffer overflows and integer overflows that can lead to application crashes (denial of service) or worse. CVE-2016-10266

Accepted tiff 4.0.2-6+deb7u11 (source all amd64) into oldstable

2017-03-28 Thread Raphaël Hertzog
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Tue, 28 Mar 2017 12:11:07 +0200 Source: tiff Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff5-alt-dev libtiff-tools libtiff-opengl libtiff-doc Architecture: source all amd64 Version: 4.0.2-6+deb7u11 Distribution: wheezy-security

Re: Dealing with renamed source packages during CVE triaging

2017-03-28 Thread Moritz Muehlenhoff
On Tue, Mar 28, 2017 at 03:55:12PM +0200, Raphael Hertzog wrote: > On Tue, 28 Mar 2017, Moritz Muehlenhoff wrote: > > I'd suggest a cron job running once or twice per day, which keeps > > a table of (current source package name / old source package name(s)) > > and adds SOURCEPACKAGE for the

Re: Dealing with renamed source packages during CVE triaging

2017-03-28 Thread Raphael Hertzog
On Tue, 28 Mar 2017, Moritz Muehlenhoff wrote: > I'd suggest a cron job running once or twice per day, which keeps > a table of (current source package name / old source package name(s)) > and adds SOURCEPACKAGE for the older source package. > These can then be set to or after manual > triage.

Re: Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-28 Thread Mathieu Parent
Hi, 2017-03-26 14:39 GMT+02:00 Roberto C. Sánchez : > On Thu, Mar 23, 2017 at 11:30:09AM +0100, Mathieu Parent wrote: >> >> See attached the backported patches for 3.6 (those are from the samba >> bugzilla which is still embargoed). >> >> Please take care of it. >> > > Hi

Accepted eject 2.1.5+deb1+cvs20081104-13+deb7u1 (source amd64) into oldstable

2017-03-28 Thread Chris Lamb
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Tue, 28 Mar 2017 09:45:00 +0100 Source: eject Binary: eject eject-udeb Architecture: source amd64 Version: 2.1.5+deb1+cvs20081104-13+deb7u1 Distribution: wheezy-security Urgency: high Maintainer: Frank Lichtenheld

[SECURITY] [DLA 876-1] eject security update

2017-03-28 Thread Chris Lamb
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Package: eject Version: 2.1.5+deb1+cvs20081104-13+deb7u1 CVE ID : CVE-2017-6964 Debian Bug : #858872 Ilja Van Sprundel discovered that eject (a tool to eject CD/DVD drives) did not properly handle errors returned from