last call for KRACK update on wheezy

2017-10-30 Thread Antoine Beaupré
I have heard positive comments in private about the binary packages
supplied: apparently, they work, but no one has been able to test them
against an actual attack yet. I have also done some smoke tests myself
and things generally seem to work.

So I will probably upload the binaries tomorrow if no one steps up to
halt the presses here.

Cheers,

A.
-- 
Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety.
- Benjamin Franklin, 1755



Re: Version number for the next quagga update

2017-10-30 Thread Chris Lamb
Hi Hugo,

> I'm currently preparing the next quagga update, but found out that the
> current version number of quagga in wheezy is pretty unusual:
> 
> 0.99.22.4-1+wheezy3+deb7u1
[…]
> Is there a specific reason for that ?

No, it was an accident on my part. Presumably blindly calling dch without
double-checking the result was sane.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Re: Version number for the next quagga update

2017-10-30 Thread Markus Koschany
Am 30.10.2017 um 16:47 schrieb Hugo Lefeuvre:
> Hi,
> 
> I'm currently preparing the next quagga update, but found out that the
> current version number of quagga in wheezy is pretty unusual:
> 
> 0.99.22.4-1+wheezy3+deb7u1
> 
> I'd have expected it to be 0.99.22.4-1+wheezy4.
> 
> Is there a specific reason for that ?
> 
> Since 0.99.22.4-1+wheezy3+deb7u1 < 0.99.22.4-1+wheezy4, I'd like to
> continue with 0.99.22.4-1+wheezy4, but this may be somewhat misleading.
> 
> Otherwise I'll probably have to use 0.99.22.4-1+wheezy3+deb7u2.
> 
> Any advice ?
> 

I think using 0.99.22.4-1+wheezy4 would have been correct in this case
but I would continue with 0.99.22.4-1+wheezy3+deb7u2 now. In light
of our proposed change to reportbug it even makes sense to append
+deb7u1, because this is the string we are looking for when we want to
determine whether someone reports a regression because of a security
update.

Cheers,

Markus




signature.asc
Description: OpenPGP digital signature


Version number for the next quagga update

2017-10-30 Thread Hugo Lefeuvre
Hi,

I'm currently preparing the next quagga update, but found out that the
current version number of quagga in wheezy is pretty unusual:

0.99.22.4-1+wheezy3+deb7u1

I'd have expected it to be 0.99.22.4-1+wheezy4.

Is there a specific reason for that ?

Since 0.99.22.4-1+wheezy3+deb7u1 < 0.99.22.4-1+wheezy4, I'd like to
continue with 0.99.22.4-1+wheezy4, but this may be somewhat misleading.

Otherwise I'll probably have to use 0.99.22.4-1+wheezy3+deb7u2.

Any advice ?

Cheers,
 Hugo

-- 
 Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA


signature.asc
Description: PGP signature


October Report

2017-10-30 Thread Hugo Lefeuvre
Hi,

October 2017 was my 14th month as a paid Debian LTS contributor.

I was allocated 20 hours. I have spent all of them doing the following
tasks:

* Organize libav support in Wheezy, test and upload libav update
  6:0.8.21-0+deb7u1 (DLA 1142-1).

  Despite the higher activity around libav LTS support these last weeks,
  the backlog is still quite high (42 CVEs with status "affected" or
  "undetermined" in the tracker). The next update is scheduled in two
  weeks, with the goal of addressing as many vulnerabilities as reasonably
  possible until the end of Wheezy LTS support.

* Prepare, test and upload ming 1:0.4.4-1.1+deb7u4 (DLA 1133-1).

  This upload has been quite a lot of work since I've been writing all
  patches by myself (6 CVEs fixed). Fortunately, upstream was very
  responsive and reviewed/accepted all pull requests.

  You can find more information about the affected issues here:

  https://github.com/libming/libming/issues/76
  https://github.com/libming/libming/issues/82
  https://github.com/libming/libming/issues/83

* Prepare next security update for ming (1:0.4.4-1.1+deb7u5).

  Not uploaded yet, I am still working on patches for further issues.

  Similarly to 1:0.4.4-1.1+deb7u4, I am writing all patches by
  myself.
  
  You can find more information about the affected issues here:

  https://github.com/libming/libming/issues/85
  https://github.com/libming/libming/issues/86
  https://github.com/libming/libming/issues/78

Next month I am planning to continue my work on ming, with the goal of
addressing all remaining issues in the near future.

Best Regards,
 Hugo

-- 
 Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA


signature.asc
Description: PGP signature


Re: Wheezy update of suricata?

2017-10-30 Thread Arturo Borrero Gonzalez
On 27 October 2017 at 20:06, Thorsten Alteholz  wrote:
> Dear maintainer(s),
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of suricata:
> https://security-tracker.debian.org/tracker/source-package/suricata
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> You can also opt-out from receiving future similar emails in your
> answer and then the LTS Team will take care of suricata updates
> for the LTS releases.
>

Please, go ahead.

Nobody should be using such an old version of suricata though.



Re: Heads-up CVE-2017-16227/quagga

2017-10-30 Thread Hugo Lefeuvre
Hi Salvatore,

> In case LTS team is interested in releasing a DLA for
> CVE-2017-16227/quagga: The patch has been tested as well for the
> wheezy version and solves the problem.
> 
> Info: https://security-tracker.debian.org/CVE-2017-16227 and
> corresponding https://bugs.debian.org/879474 .

Thanks for the information, I'll look into it.

Regards,
 Hugo

-- 
 Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA


signature.asc
Description: PGP signature


Heads-up CVE-2017-16227/quagga

2017-10-30 Thread Salvatore Bonaccorso
Hi

In case LTS team is interested in releasing a DLA for
CVE-2017-16227/quagga: The patch has been tested as well for the
wheezy version and solves the problem.

Info: https://security-tracker.debian.org/CVE-2017-16227 and
corresponding https://bugs.debian.org/879474 .

Regards,
Salvatore



Re: Wheezy update of icedove?

2017-10-30 Thread Moritz Mühlenhoff
On Mon, Oct 30, 2017 at 08:06:27AM +0100, Guido Günther wrote:
> I've seen preparation mails for Stretch and Jessie. Is there anything
> missing that I can help with?

The stretch version is in NEW due to the rename and needs FTP master
processing. jessie is ready.

Cheers,
Moritz



Re: Wheezy update of icedove?

2017-10-30 Thread Guido Günther
Hi Carsten,
On Fri, Oct 20, 2017 at 01:06:09PM +0200, Guido Günther wrote:
> Hi Carsten,
> On Tue, Oct 17, 2017 at 09:05:38PM +0200, Carsten Schoenert wrote:
> > Am 15.10.2017 um 23:24 schrieb Guido Günther:
> > > Hi Carsten,
> > > On Sun, Oct 15, 2017 at 09:46:15PM +0200, Carsten Schoenert wrote:
> > >> Hello Ola,
> > >>
> > >> Am 15.10.2017 um 13:59 schrieb Ola Lundqvist:
> > >>> Sounds good! I have updated dla-needed.txt now.
> > >>
> > >> I uploaded all thunderbird related packages within a new source package
> > >> named thunderbird to NEW on Friday last week. The upload will be
> > >> processed by the ftp-masters soon hopefully.
> > >> The binary packages haven't changed, except the version bump to 52.4.0
> > >> and the usual small adaptations.
> > >> Once the package is accepted I will push my local modifications to
> > >> Alioth. If Guido is requesting some earlier access to 52.4.0 I can push
> > >> the data before, but I'd prefer to push this all in one go.
> > > 
> > > Why not tag and push to git right away? The version is used now anyway
> > > even if it should get rejected.
> > 
> > Right.
> > As Chris, due to a misunderstanding, rejected my second upload of
> > src:thunderbird, I've re-uploaded all now again to NEW with only some
> > additional bug reports that should be closed by this version and
> > small modifications of README.source.
> > I also pushed all trees and tags to Alioth right now after I got the
> > message from DAK.
> > 
> > On Alioth I moved the folder icedove.git to thunderbird.git and added
> > also a symlink from icedove.git to the moved folder. So no matter what
> > people are using for getting access to the git tree, they will get it
> > under both names.
> 
> Thanks. Looks good here on Wheezy. Any idea when the versions for Jessie
> and Stretch will be done? Wheezy was a straight rebuild of your work so
> Jessie and Stretch should be the same. I'd like to avoid having a newer
> version in Wheezy for too long. Since there's not even a MFSA for
> Thunderbird yet I assume there are no really critical issues.

I've seen preparation mails for Stretch and Jessie. Is there anything
missing that I can help with?
Cheers,
 -- Guido