Hi,
On Wed, Mar 29, 2017 at 06:28:49AM +0200, Salvatore Bonaccorso wrote:
> Hi,
>
> On Tue, Mar 28, 2017 at 10:16:52PM +, Holger Levsen wrote:
> > On Tue, Mar 28, 2017 at 10:35:34PM +0200, Moritz Muehlenhoff wrote:
> > > Well, you don't have a web site comparable to
> > >
On Wed, Mar 29, 2017 at 12:28 PM, Salvatore Bonaccorso wrote:
> See as well https://bugs.debian.org/761945 (and respective clones for
> debian-).
Committed a patch for this, carnil deployed it.
One downside to this is that committing DLAs to the Debian website
hasn't happened since 2016
Hi,
On Tue, Mar 28, 2017 at 10:16:52PM +, Holger Levsen wrote:
> On Tue, Mar 28, 2017 at 10:35:34PM +0200, Moritz Muehlenhoff wrote:
> > Well, you don't have a web site comparable to
> > https://www.debian.org/security/2017/dsa-3796, so where should
> > it possibly link to?
>
> I guess
On Tue, Mar 28, 2017 at 10:35:34PM +0200, Moritz Muehlenhoff wrote:
> Well, you don't have a web site comparable to
> https://www.debian.org/security/2017/dsa-3796, so where should
> it possibly link to?
I guess it's time to create this "web site" then :)
--
cheers,
Holger
Package: graphicsmagick
Version: 1.3.16-1.1+deb7u6
CVE ID : CVE-2016-5240
Debian Bug : N/A
The fix for CVE-2016-5240 was improperly applied which resulted in
GraphicsMagick crashing instead of entering an infinite loop with the
given proof of concept.
Furthermore, the
On Tue, Mar 28, 2017 at 04:08:19PM -0400, Antoine Beaupré wrote:
> I constantly find myself struggling to find the actual DLA announcements
> when I browse the security tracker. Take for example:
>
> https://security-tracker.debian.org/tracker/CVE-2016-8743
>
> If you click on the DSA there:
>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 16 Jan 2017 14:35:02 -0500
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick3 libgraphicsmagick1-dev
libgraphicsmagick++3 libgraphicsmagick++1-dev libgraphics-magick-perl
graphicsmagick-imagemagick-compat
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package: libytnef
Version: 1.5-4+deb7u1
CVE ID : CVE-2017-6298 CVE-2017-6299 CVE-2017-6300 CVE-2017-6301
CVE-2017-6302 CVE-2017-6303 CVE-2017-6304 CVE-2017-6305
CVE-2017-6801 CVE-2017-6802
2017-03-28 21:07 GMT+02:00 Ola Lundqvist:
> Hi Mathieu and Roberto
Hi,
> Mathieu, do you mean that the patches should apply cleanly and if they do
> not, then we have missed some other important patch, or do you just mean
> that they should generally apply cleanly?
I don't
I constantly find myself struggling to find the actual DLA announcements
when I browse the security tracker. Take for example:
https://security-tracker.debian.org/tracker/CVE-2016-8743
If you click on the DSA there:
https://security-tracker.debian.org/tracker/DSA-3796-1
You have a nice
Hi Mathieu and Roberto
Mathieu, do you mean that the patches should apply cleanly and if they do
not, then we have missed some other important patch, or do you just mean
that they should generally apply cleanly?
I'm asking as it is rather expected that patches do not apply cleanly when
we are
Hi Roberto
When you write that the latest patches do not apply cleanly, do you mean
that the code is substantially different so even a manual apply is
difficult or do you just mean that the patches do not apply cleanly when
running the patch command?
Best regards
// Ola
On 28 March 2017 at
Hi
Let us in the LTS team know if you need assistance on this.
Best regards
// Ola
On 28 March 2017 at 18:05, Michael Shuler wrote:
> On 03/27/2017 09:06 PM, Paul Wise wrote:
> > On Tue, Mar 28, 2017 at 8:12 AM, Michael Shuler wrote:
> >
> >> I need to fix up the
Hi
That should be fine.
// Ola
On 27 March 2017 at 22:16, Antoine Beaupré wrote:
> FWIW, the security team just marked all the currently pending security
> issues of binutils in jessie as "no-dsa (minor issue)" which means they
> consider the issues are not serious
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 26 Mar 2017 18:03:02 +0100
Source: libytnef
Binary: libytnef0 libytnef0-dev
Architecture: source amd64
Version: 1.5-4+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian QA Group
On 2017-01-31 21:36:02, Guido Günther wrote:
> On Tue, Jan 31, 2017 at 04:07:19PM -0500, Antoine Beaupré wrote:
>> On 2017-01-31 21:42:41, Emilio Pozuelo Monfort wrote:
>> > I'd say it makes sense to release a regression update.
>> >
>> > BTW I'm not sure about this change, which is not mentioned
On 03/27/2017 09:06 PM, Paul Wise wrote:
> On Tue, Mar 28, 2017 at 8:12 AM, Michael Shuler wrote:
>
>> I need to fix up the jessie PU I have filed (and update to 2.11), and
>> I'll do a wheezy PU at the same time. Thanks!
s/wheezy PU/wheezy LTS/
> Debian wheezy is no longer managed by the
LTS folks,
Based on Mathieu's comment related to the most recent samba patches not
applying cleanly to the version in wheezy, it seems that an update to
the latest upstream 3.6 release might be necessary. That said, I have
looked at the diffstat between the version in wheezy (3.6.6) and 3.6.25,
Package: tiff
Version: 4.0.2-6+deb7u11
CVE ID : CVE-2016-10266 CVE-2016-10267 CVE-2016-10268 CVE-2016-10269
libtiff is vulnerable to multiple buffer overflows and integer overflows
that can lead to application crashes (denial of service) or worse.
CVE-2016-10266
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 28 Mar 2017 12:11:07 +0200
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff5-alt-dev libtiff-tools
libtiff-opengl libtiff-doc
Architecture: source all amd64
Version: 4.0.2-6+deb7u11
Distribution: wheezy-security
On Tue, Mar 28, 2017 at 03:55:12PM +0200, Raphael Hertzog wrote:
> On Tue, 28 Mar 2017, Moritz Muehlenhoff wrote:
> > I'd suggest a cron job running once or twice per day, which keeps
> > a table of (current source package name / old source package name(s))
> > and adds SOURCEPACKAGE for the
On Tue, 28 Mar 2017, Moritz Muehlenhoff wrote:
> I'd suggest a cron job running once or twice per day, which keeps
> a table of (current source package name / old source package name(s))
> and adds SOURCEPACKAGE for the older source package.
> These can then be set to or after manual
> triage.
Hi,
2017-03-26 14:39 GMT+02:00 Roberto C. Sánchez:
> On Thu, Mar 23, 2017 at 11:30:09AM +0100, Mathieu Parent wrote:
>>
>> See attached the backported patches for 3.6 (those are from the samba
>> bugzilla which is still embargoed).
>>
>> Please take care of it.
>>
>
> Hi
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 28 Mar 2017 09:45:00 +0100
Source: eject
Binary: eject eject-udeb
Architecture: source amd64
Version: 2.1.5+deb1+cvs20081104-13+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Frank Lichtenheld
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Package: eject
Version: 2.1.5+deb1+cvs20081104-13+deb7u1
CVE ID : CVE-2017-6964
Debian Bug : #858872
Ilja Van Sprundel discovered that eject (a tool to eject CD/DVD drives) did not
properly handle errors returned from