Accepted libdatetime-timezone-perl 1:1.58-1+2017c (source all) into oldoldstable

2017-10-31 Thread Emilio Pozuelo Monfort
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Tue, 31 Oct 2017 18:49:10 +0100
Source: libdatetime-timezone-perl
Binary: libdatetime-timezone-perl
Architecture: source all
Version: 1:1.58-1+2017c
Distribution: wheezy-security
Urgency: medium
Maintainer: Debian Perl Group 
Changed-By: Emilio Pozuelo Monfort 
Description: 
 libdatetime-timezone-perl - framework exposing the Olson time zone database to Perl
Changes: 
 libdatetime-timezone-perl (1:1.58-1+2017c) wheezy-security; urgency=medium
 .
   * Update to Olson database version 2017c.



Accepted tzdata 2017c-0+deb7u1 (source all) into oldoldstable

2017-10-31 Thread Emilio Pozuelo Monfort
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Tue, 31 Oct 2017 18:08:50 +0100
Source: tzdata
Binary: tzdata tzdata-java
Architecture: source all
Version: 2017c-0+deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: GNU Libc Maintainers 
Changed-By: Emilio Pozuelo Monfort 
Description: 
 tzdata - time zone and daylight-saving time data
 tzdata-java - time zone and daylight-saving time data for use by java runtimes
Changes: 
 tzdata (2017c-0+deb7u1) wheezy-security; urgency=medium
 .
   * New upstream version, affecting the following timestamps:
     - Northern Cyprus resumed EU rules starting 2017-10-29.
     - Namibia will switch from +01 with DST to +02 all year, affecting
       UT offsets starting 2018-04-01.
     - Sudan will switch from +03 to +02 on 2017-11-01.
     - Tonga will not observe DST on 2017-11-05.
     - Turks & Caicos will switch from -04 all year to -05 with US DST,
       affecting UT offset starting 2018-11-04.



[SECURITY] [DLA 1155-1] tzdata new upstream version

2017-10-31 Thread Emilio Pozuelo Monfort
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Package: tzdata
Version: 2017c-0+deb7u1

This update includes the changes in tzdata 2017b. Notable
changes are:
 - Northern Cyprus resumed EU rules starting 2017-10-29.
 - Namibia will switch from +01 with DST to +02 all year, affecting
   UT offsets starting 2018-04-01.
 - Sudan will switch from +03 to +02 on 2017-11-01.
 - Tonga will not observe DST on 2017-11-05.
 - Turks & Caicos will switch from -04 all year to -05 with US DST,
   affecting UT offset starting 2018-11-04.

For Debian 7 "Wheezy", these problems have been fixed in version
2017c-0+deb7u1.

We recommend that you upgrade your tzdata packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 1154-1] graphicsmagick security update

2017-10-31 Thread Antoine Beaupré
Package: graphicsmagick
Version: 1.3.16-1.1+deb7u12
CVE ID : CVE-2017-14103 CVE-2017-14314 CVE-2017-14504
 CVE-2017-14733 CVE-2017-14994 CVE-2017-14997
 CVE-2017-15930
Debian Bug : 87

Multiple vulnerabilities were found in graphicsmagick.

CVE-2017-14103

The ReadJNGImage and ReadOneJNGImage functions in coders/png.c in
GraphicsMagick 1.3.26 do not properly manage image pointers after
certain error conditions, which allows remote attackers to conduct
use-after-free attacks via a crafted file, related to a
ReadMNGImage out-of-order CloseBlob call. NOTE: this vulnerability
exists because of an incomplete fix for CVE-2017-11403.

CVE-2017-14314

Off-by-one error in the DrawImage function in magick/render.c in
GraphicsMagick 1.3.26 allows remote attackers to cause a denial of
service (DrawDashPolygon heap-based buffer over-read and
application crash) via a crafted file.

CVE-2017-14504

ReadPNMImage in coders/pnm.c in GraphicsMagick 1.3.26 does not
ensure the correct number of colors for the XV 332 format, leading
to a NULL Pointer Dereference.

CVE-2017-14733

ReadRLEImage in coders/rle.c in GraphicsMagick 1.3.26 mishandles
RLE headers that specify too few colors, which allows remote
attackers to cause a denial of service (heap-based buffer
over-read and application crash) via a crafted file.

CVE-2017-14994

ReadDCMImage in coders/dcm.c in GraphicsMagick 1.3.26 allows
remote attackers to cause a denial of service (NULL pointer
dereference) via a crafted DICOM image, related to the ability of
DCM_ReadNonNativeImages to yield an image list with zero frames.

CVE-2017-14997

GraphicsMagick 1.3.26 allows remote attackers to cause a denial of
service (excessive memory allocation) because of an integer
underflow in ReadPICTImage in coders/pict.c.

CVE-2017-15930

In ReadOneJNGImage in coders/png.c in GraphicsMagick 1.3.26, a
Null Pointer Dereference occurs while transferring JPEG scanlines,
related to a PixelPacket pointer.

For Debian 7 "Wheezy", CVE-2017-15930 has been fixed in version
1.3.16-1.1+deb7u12. The other security issues were fixed in
1.3.16-1.1+deb7u10 on 10 Oct 2017 in DLA-1130-1 but that announcement
was never sent out so this advisory also contains the notice about
those vulnerabilities.

We recommend that you upgrade your graphicsmagick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




Re: missing DLAs

2017-10-31 Thread Hugo Lefeuvre
> The mailing list web archives are being rebuilt, according to
> #debian-lists.
> 
> So even though you don't see your message in the web interface, it may
> have actually gone through, SMTP-wise.
> 
> Mine (DLA-1150-1, wpa) did, in any case.

Oh, you're right, the web archive is now displaying them. I should
really subscribe to -announce.

Thanks !

cheers,
 Hugo

-- 
 Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA




Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-31 Thread Antoine Beaupré
On 2017-10-31 15:45:31, Raphael Hertzog wrote:
> On Tue, 31 Oct 2017, Antoine Beaupré wrote:
>> I'll take care of it then. Should I just reuse the old DLA id? or
>> simply mention the old DLA id in the announcement? Or mention all the
>> CVEs fixed in the old DLA in the new DLA?
>> 
>> Not actually sure how to merge this. :)
>
> You prepare your DLA like usual but then you also document the CVE
> fixed by the old DLA in the mail sent to debian-lts-announce. But when
> you generate your template with bin/gen-DLA you only pass the newly fixed
> CVE (to not fix the same CVE twice in data/DLA/list).

Excellent, this will come out this afternoon once the package is
accepted.

A.

-- 
A genius is someone who discovers that the stone that falls and the
moon that doesn't fall represent one and the same phenomenon.
 - Ernesto Sabato



Re: missing DLAs

2017-10-31 Thread Antoine Beaupré
On 2017-10-31 17:40:30, Hugo Lefeuvre wrote:
> Hi,
>
>> In my case, I also previously had issues because I added a new signing
>> subkey that took some time to propagate across Debian's infrastructure.
>> 
>> The main issue is we have currently no way of noticing when a number is
>> skipped. It would be nice to automate this stuff somehow, yet I can't
>> quite think of how... Maybe by adding (signed) DLA files themselves into
>> security tracker and have *that* send out the announcements?
>
> Hum, I think something is still going wrong here. The last DLA I sent
> (1152-1) didn't reach debian-lts-announce, and it may also be the case
> of 1150-1 and 1151-1 (both uploaded today, though).
>
> Raphaël, Antoine, did you already publish your DLAs ?

The mailing list web archives are being rebuilt, according to
#debian-lists.

So even though you don't see your message in the web interface, it may
have actually gone through, SMTP-wise.

Mine (DLA-1150-1, wpa) did, in any case.

A.

-- 
They pour a poor honey over their rotten words and talk to you of scarcity
And on your hunger, on your friends, they sharpen their appetite
- Richard Desjardins, La maison est ouverte



Re: missing DLAs

2017-10-31 Thread Hugo Lefeuvre
Hi,

> In my case, I also previously had issues because I added a new signing
> subkey that took some time to propagate across Debian's infrastructure.
> 
> The main issue is we have currently no way of noticing when a number is
> skipped. It would be nice to automate this stuff somehow, yet I can't
> quite think of how... Maybe by adding (signed) DLA files themselves into
> security tracker and have *that* send out the announcements?

Hum, I think something is still going wrong here. The last DLA I sent
(1152-1) didn't reach debian-lts-announce, and it may also be the case
of 1150-1 and 1151-1 (both uploaded today, though).

Raphaël, Antoine, did you already publish your DLAs ?

Cheers,
 Hugo

-- 
 Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA




[SECURITY] [DLA 1151-1] wordpress security update

2017-10-31 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: wordpress
Version: 3.6.1+dfsg-1~deb7u17
CVE ID : CVE-2016-9263  CVE-2017-14718 CVE-2017-14719
 CVE-2017-14720 CVE-2017-14721 CVE-2017-14722
 CVE-2017-14723 CVE-2017-14725 CVE-2017-14990
Debian Bug : 876274 877629

Several vulnerabilities were discovered in wordpress, a web blogging
tool. The Common Vulnerabilities and Exposures project identifies the
following issues.

CVE-2016-9263
When domain-based flashmediaelement.swf sandboxing is not used,
allows remote attackers to conduct cross-domain Flash injection
(XSF) attacks by leveraging code contained within the
wp-includes/js/mediaelement/flashmediaelement.swf file.

This issue was resolved by completely removing
flashmediaelement.swf.

CVE-2017-14718
WordPress was susceptible to a Cross-Site Scripting attack in the
link modal via a javascript: or data: URL.

CVE-2017-14719
WordPress was vulnerable to a directory traversal attack during
unzip operations in the ZipArchive and PclZip components.

CVE-2017-14720
WordPress allowed a Cross-Site scripting attack in the template list
view via a crafted template name.

CVE-2017-14721
WordPress allowed Cross-Site scripting in the plugin editor via a
crafted plugin name.

CVE-2017-14722
WordPress allowed a Directory Traversal attack in the Customizer
component via a crafted theme filename.

CVE-2017-14723
WordPress mishandled % characters and additional placeholder values
in $wpdb->prepare, and thus did not properly address the possibility
of plugins and themes enabling SQL injection attacks.

CVE-2017-14725
WordPress was susceptible to an open redirect attack in
wp-admin/user-edit.php.

CVE-2017-14990
WordPress stores cleartext wp_signups.activation_key values (but
stores the analogous wp_users.user_activation_key values as hashes),
which might make it easier for remote attackers to hijack
unactivated user accounts by leveraging database read access
(such as access gained through an unspecified SQL injection
vulnerability).

For Debian 7 "Wheezy", these problems have been fixed in version
3.6.1+dfsg-1~deb7u17.

We recommend that you upgrade your wordpress packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 1152-1] quagga security update

2017-10-31 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: quagga
Version: quagga_0.99.22.4-1+wheezy3+deb7u2
CVE ID : CVE-2017-16227
Debian Bug : 879474 

It was discovered that the bgpd daemon in the Quagga routing suite
does not properly calculate the length of multi-segment AS_PATH UPDATE
messages, causing bgpd to drop a session and potentially resulting in
loss of network connectivity.

For Debian 7 "Wheezy", these problems have been fixed in version
quagga_0.99.22.4-1+wheezy3+deb7u2.

We recommend that you upgrade your quagga packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 1150-1] wpa security update

2017-10-31 Thread Antoine Beaupré
Package: wpa
Version: 1.0-3+deb7u5
CVE ID : CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080 
 CVE-2017-13081 CVE-2017-13082 CVE-2017-13086 CVE-2017-13087 
 CVE-2017-13088

A vulnerability was found in how WPA code can be triggered to
reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by replaying a specific
frame that is used to manage the keys. Such reinstallation of the
encryption key can result in two different types of vulnerabilities:
disabling replay protection and significantly reducing the security of
encryption to the point of allowing frames to be decrypted or some parts
of the keys to be determined by an attacker depending on which cipher is
used.

Those issues are commonly known under the "KRACK" appellation. According
to US-CERT, "the impact of exploiting these vulnerabilities includes
decryption, packet replay, TCP connection hijacking, HTTP content
injection, and others."

CVE-2017-13077

Reinstallation of the pairwise encryption key (PTK-TK) in the
4-way handshake.

CVE-2017-13078

Reinstallation of the group key (GTK) in the 4-way handshake.

CVE-2017-13079

Reinstallation of the integrity group key (IGTK) in the 4-way
handshake.

CVE-2017-13080

Reinstallation of the group key (GTK) in the group key handshake.

CVE-2017-13081

Reinstallation of the integrity group key (IGTK) in the group key
handshake.

CVE-2017-13082

Accepting a retransmitted Fast BSS Transition (FT) Reassociation
Request and reinstalling the pairwise encryption key (PTK-TK)
while processing it.

CVE-2017-13084

Reinstallation of the STK key in the PeerKey handshake.

CVE-2017-13086

Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey
(TPK) key in the TDLS handshake.

CVE-2017-13087

Reinstallation of the group key (GTK) when processing a Wireless
Network Management (WNM) Sleep Mode Response frame.

CVE-2017-13088

Reinstallation of the integrity group key (IGTK) when processing a
Wireless Network Management (WNM) Sleep Mode Response frame.

For Debian 7 "Wheezy", these problems have been fixed in version
1.0-3+deb7u5. Note that the latter two vulnerabilities (CVE-2017-13087
and CVE-2017-13088) were mistakenly marked as fixed in the changelog
whereas they simply did not apply to the 1.0 version of the WPA source
code, which doesn't implement WNM sleep mode responses.

We recommend that you upgrade your wpa packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
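
The effect described in the advisory above, where reinstalling a key that is already in use disables replay protection and weakens encryption, can be seen in a small state model. This is an added example, not code from the advisory or from the wpa source; the class, its fields and the key value are hypothetical, and it models only the counters that key installation resets, not real 802.11 frames.

```python
class Supplicant:
    """Toy model of a client handling message 3 of the 4-way handshake.

    Installing a temporal key resets two counters: the transmit packet
    number (used as the cipher nonce) and the receive replay counter.
    """

    def __init__(self, hardened):
        self.hardened = hardened
        self.tk = None        # currently installed temporal key
        self.tx_nonce = 0     # last packet number used for sending
        self.rx_replay = 0    # highest packet number accepted so far
        self.used = []        # every (key, nonce) pair used to encrypt

    def on_msg3(self, tk):
        """Handle (possibly retransmitted) message 3; return True if the
        key was installed and the counters were reset."""
        if self.hardened and tk == self.tk:
            # Hardened behaviour: the key is already in use, so a
            # retransmission must not touch the counters.
            return False
        self.tk = tk
        self.tx_nonce = 0
        self.rx_replay = 0
        return True

    def send(self):
        """Encrypt one frame: consume the next nonce under the current key."""
        self.tx_nonce += 1
        pair = (self.tk, self.tx_nonce)
        self.used.append(pair)
        return pair

    def receive(self, packet_number):
        """Replay check: accept only packet numbers above the last one seen."""
        if packet_number <= self.rx_replay:
            return False
        self.rx_replay = packet_number
        return True


def run(hardened):
    """Drive one session in which message 3 arrives a second time.

    Returns (key_reinstalled, reused_nonce_count, old_frame_accepted).
    """
    client = Supplicant(hardened)
    tk = b"constructed-temporal-key"   # constructed sample value

    client.on_msg3(tk)                 # normal installation
    for _ in range(3):
        client.send()                  # nonces 1, 2, 3
    client.receive(1)
    client.receive(2)

    reinstalled = client.on_msg3(tk)   # same message 3 seen again
    for _ in range(2):
        client.send()                  # vulnerable: nonces 1, 2 again

    reused = len(client.used) - len(set(client.used))
    old_frame_accepted = client.receive(1)   # frame already seen earlier
    return reinstalled, reused, old_frame_accepted


if __name__ == "__main__":
    print("unpatched:", run(hardened=False))
    print("patched:  ", run(hardened=True))
```

In the unpatched run two (key, nonce) pairs repeat and a frame that was already received is accepted again, which are the two failure types the advisory names; the patched run shows neither.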




Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-31 Thread Raphael Hertzog
On Tue, 31 Oct 2017, Antoine Beaupré wrote:
> I'll take care of it then. Should I just reuse the old DLA id? or
> simply mention the old DLA id in the announcement? Or mention all the
> CVEs fixed in the old DLA in the new DLA?
> 
> Not actually sure how to merge this. :)

You prepare your DLA like usual but then you also document the CVE
fixed by the old DLA in the mail sent to debian-lts-announce. But when
you generate your template with bin/gen-DLA you only pass the newly fixed
CVE (to not fix the same CVE twice in data/DLA/list).

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Accepted quagga 0.99.22.4-1+wheezy3+deb7u2 (source amd64 all) into oldoldstable

2017-10-31 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 30 Oct 2017 16:57:40 +0100
Source: quagga
Binary: quagga quagga-dbg quagga-doc
Architecture: source amd64 all
Version: 0.99.22.4-1+wheezy3+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Christian Hammers 
Changed-By: Hugo Lefeuvre 
Description: 
 quagga - BGP/OSPF/RIP routing daemon
 quagga-dbg - BGP/OSPF/RIP routing daemon (debug symbols)
 quagga-doc - documentation files for quagga
Closes: 879474
Changes: 
 quagga (0.99.22.4-1+wheezy3+deb7u2) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2017-16227: BGP session termination due to rather long AS paths in
     update messages (Closes: #879474).



Accepted wordpress 3.6.1+dfsg-1~deb7u17 (source all) into oldoldstable

2017-10-31 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 31 Oct 2017 15:13:56 +0100
Source: wordpress
Binary: wordpress wordpress-l10n
Architecture: source all
Version: 3.6.1+dfsg-1~deb7u17
Distribution: wheezy-security
Urgency: high
Maintainer: Giuseppe Iuculano 
Changed-By: Markus Koschany 
Description: 
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
Changes: 
 wordpress (3.6.1+dfsg-1~deb7u17) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Backport security fixes from 4.8.2.
   * CVE-2016-9263:
     When domain-based flashmediaelement.swf sandboxing is not used, allows
     remote attackers to conduct cross-domain Flash injection (XSF) attacks by
     leveraging code contained within the
     wp-includes/js/mediaelement/flashmediaelement.swf file.
     This issue was resolved by completely removing flashmediaelement.swf.
   * CVE-2017-14718:
     WordPress was susceptible to a Cross-Site Scripting attack in the link
     modal via a javascript: or data: URL.
   * CVE-2017-14719:
     WordPress was vulnerable to a directory traversal attack during unzip
     operations in the ZipArchive and PclZip components.
   * CVE-2017-14720:
     WordPress allowed a Cross-Site scripting attack in the template list view
     via a crafted template name.
   * CVE-2017-14721:
     WordPress allowed Cross-Site scripting in the plugin editor via a crafted
     plugin name.
   * CVE-2017-14722:
     WordPress allowed a Directory Traversal attack in the Customizer component
     via a crafted theme filename.
   * CVE-2017-14723:
     WordPress mishandled % characters and additional placeholder values in
     $wpdb->prepare, and thus did not properly address the possibility of
     plugins and themes enabling SQL injection attacks.
   * CVE-2017-14725:
     WordPress was susceptible to an open redirect attack in
     wp-admin/user-edit.php.
   * CVE-2017-14990:
     WordPress stores cleartext wp_signups.activation_key values (but
     stores the analogous wp_users.user_activation_key values as hashes), which
     might make it easier for remote attackers to hijack unactivated user
     accounts by leveraging database read access (such as access gained through
     an unspecified SQL injection vulnerability).



Re: Version number for the next quagga update

2017-10-31 Thread Hugo Lefeuvre
Hi Markus, Chris,

> I think using 0.99.22.4-1+wheezy4 would have been correct in this case
> but I would continue with 0.99.22.4-1+wheezy3+deb7u2 now. In the light
> of our proposed change to reportbug it makes even sense to append
> +deb7u1 because this is the string we are looking for when we want to
> determine whether someone reports a regression because of a security
> update.

Thanks, I have opted for 0.99.22.4-1+wheezy3+deb7u2.

Cheers,
 Hugo

-- 
 Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA




Accepted wpa 1.0-3+deb7u5 (source amd64) into oldoldstable

2017-10-31 Thread Antoine Beaupré
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Mon, 23 Oct 2017 17:09:19 -0400
Source: wpa
Binary: hostapd wpagui wpasupplicant wpasupplicant-udeb
Architecture: source amd64
Version: 1.0-3+deb7u5
Distribution: wheezy-security
Urgency: high
Maintainer: Debian/Ubuntu wpasupplicant Maintainers 
Changed-By: Antoine Beaupré 
Description:
 hostapd - user space IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authentica
 wpagui - graphical user interface for wpa_supplicant
 wpasupplicant - client support for WPA and WPA2 (IEEE 802.11i)
 wpasupplicant-udeb - Client support for WPA and WPA2 (IEEE 802.11i) (udeb)
Changes:
 wpa (1.0-3+deb7u5) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * Fix multiple issues in WPA protocol, branded as the "KRACK"
     vulnerability (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
     CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086,
     CVE-2017-13087, CVE-2017-13088)



Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-31 Thread Antoine Beaupré
On 2017-10-31 14:13:13, Raphael Hertzog wrote:
> On Tue, 31 Oct 2017, Antoine Beaupré wrote:
>> > Please send it again and add a small sentence explaining that you send an
>> > old advisory that never made it to the list... IOW if you expect
>> > confusion, add an explanation to clear it up.
>> 
>> I will be looking at a GM update later today - should I merge that
>> announcement in?
>
> That also works, sure.

I'll take care of it then. Should I just reuse the old DLA id? or
simply mention the old DLA id in the announcement? Or mention all the
CVEs fixed in the old DLA in the new DLA?

Not actually sure how to merge this. :)

A.

-- 
If you have come here to help me, you are wasting our time.
But if you have come because your liberation is bound up with mine, then
let us work together.- Aboriginal activists group, Queensland, 1970s



Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-31 Thread Raphael Hertzog
On Tue, 31 Oct 2017, Antoine Beaupré wrote:
> > Please send it again and add a small sentence explaining that you send an
> > old advisory that never made it to the list... IOW if you expect
> > confusion, add an explanation to clear it up.
> 
> I will be looking at a GM update later today - should I merge that
> announcement in?

That also works, sure.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-31 Thread Antoine Beaupré
On 2017-10-31 11:56:31, Raphael Hertzog wrote:
> Hi,
>
> On Sat, 28 Oct 2017, Brian May wrote:
>> I didn't realize until after I uploaded the newer version associated
>> with DLA-1140-1. So I tried sending DLA-1130-1 again, followed by
>> DLA-1140-1.
>> 
>> Unfortunately DLA-1140-1 made it to the list, but DLA-1130-1 still
>> didn't. I am concerned if I send DLA-1130-1 now that DLA-1140-1 has been
>> published it would cause confusion.
>
> Please send it again and add a small sentence explaining that you send an
> old advisory that never made it to the list... IOW if you expect
> confusion, add an explanation to clear it up.

I will be looking at a GM update later today - should I merge that
announcement in?

> But not sending the announce is not a good option IMO. FWIW checking that the
> announce went through is part of my routine for each DLA.

Agreed. What I do is that I have the DLA template in my secure-testing
SVN checkout after I sent it, and leave it there until I have verified
it shows up in the archives.

(Or that I received it, but my email client (notmuch) strangely makes
that quite difficult, as it deduplicates multiple messages with the same
message ID, so I can't really tell if I actually received my own
messages! That will fortunately be fixed in the 0.26 release though... )

A.

-- 
There is no limit, sacred or not, to the action of man in the
universe. Since our origins we have had the choice: to be blinded by
the truth or to sew our eyelids shut.
- [no one is innocent]



Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-31 Thread Raphael Hertzog
Hi,

On Sat, 28 Oct 2017, Brian May wrote:
> I didn't realize until after I uploaded the newer version associated
> with DLA-1140-1. So I tried sending DLA-1130-1 again, followed by
> DLA-1140-1.
> 
> Unfortunately DLA-1140-1 made it to the list, but DLA-1130-1 still
> didn't. I am concerned if I send DLA-1130-1 now that DLA-1140-1 has been
> published it would cause confusion.

Please send it again and add a small sentence explaining that you send an
old advisory that never made it to the list... IOW if you expect
confusion, add an explanation to clear it up.

But not sending the announce is not a good option IMO. FWIW checking that the
announce went through is part of my routine for each DLA.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Re: Wheezy update of icedove?

2017-10-31 Thread Carsten Schoenert
Hello Guido and Moritz,

On 30.10.2017 at 09:29, Moritz Mühlenhoff wrote:
> On Mon, Oct 30, 2017 at 08:06:27AM +0100, Guido Günther wrote:
>> I've seen preparation mails for Stretch and Jessie. Is there anything
>> missing that I can help with?

I guess we are done with the things that are possible now, jessie and
stretch are on the way.
Upstream was discussing releasing a version 52.4.1 due to some bugs
that aren't fixed in time for 52.4.0, but due to a lack of personal
resources there has been no progress until today. And I don't expect this
planned version will still happen. Right now upstream again has build
issues for the next beta version 57.0b1 ... but that's a bit OT here.

> The stretch version is in NEW due to the rename and needs FTP master
> processing. jessie is ready.

sounds good so far. :)

The git tree on Alioth is up2date about both branches.

-- 
Regards
Carsten Schoenert


