Re: MySQL 5.5 EOL before Debian 8 LTS ends

2018-02-07 Thread Lars Tangvald
Hi, On 01/23/2018 10:32 PM, Markus Koschany wrote: Am 23.01.2018 um 11:41 schrieb Lars Tangvald: Hi, On 01/22/2018 04:35 PM, Markus Koschany wrote: [...] I also think it makes sense to take a smaller step and upgrade from 5.5 to 5.6. Are there any known issues with 5.6 or can you share any

Re: python-crypto / pycryptodome / CVE-2018-6594

2018-02-07 Thread Salvatore Bonaccorso
Hi Brian On Thu, Feb 08, 2018 at 08:20:22AM +1100, Brian May wrote: > Hello, > > According to the upstream bug report: > https://github.com/dlitz/pycrypto/issues/253 > > "This bug is prevalent. It exists in PyCryptodome and libgcrypt (if used > directly to encrypt messages)." > > Anyone know

Re: Bug#889285: bind9: CVE-2017-3139 affects debian too: assertion failure in validator.c:1858

2018-02-07 Thread Roberto C . Sánchez
On Sat, Feb 03, 2018 at 05:17:01PM +0100, Salvatore Bonaccorso wrote: > > The bug was about CVE-2017-3137, it's never a good idea to mix up > things ;-). This is true. However, it appears that Ondrej Zary's comment to #860225 on 2017-09-02 is in fact related to CVE-2017-3139. Since one of the

krb5 security vulnerabilities

2018-02-07 Thread Brian May
CVE-2018-5709 points to https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow CVE-2018-5710 points to https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Denial%20Of%20Service(DoS) Both these pages have the same text: "We have removed

python-crypto / pycryptodome / CVE-2018-6594

2018-02-07 Thread Brian May
Hello, According to the upstream bug report: https://github.com/dlitz/pycrypto/issues/253 "This bug is prevalent. It exists in PyCryptodome and libgcrypt (if used directly to encrypt messages)." Anyone know what the connection is between these python libraries and libgcrypt? Should libgcrypt be

Re: [Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] add python2.6, 2.7 and claim 2.7

2018-02-07 Thread Brian May
Abhijith PA writes: >> Do you have any objections to marking python2.6 and python2.7 as no-DSA >> in wheezy too? > > No, I don't have any objection. :) > I tried to reproduce this CVE with the given POC from upstream bug > report. But 8 out of 10 I didn't see any. As

[SECURITY] [DLA-1271-1] postgresql-9.1 security update

2018-02-07 Thread Christoph Berg
Package: postgresql-9.1 Version: 9.1.24lts2-0+deb7u2 CVE ID : CVE-2018-1053 A vulnerabilities has been found in the PostgreSQL database system: CVE-2018-1053 Tom Lane discovered that pg_upgrade, a tool used to upgrade PostgreSQL database clusters, creates

Re: [Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Readd krb5 to dla-needed.txt

2018-02-07 Thread Thorsten Alteholz
On Wed, 7 Feb 2018, Brian May wrote: Abhijith PA writes: On Wednesday 07 February 2018 12:38 PM, Brian May wrote: Markus Koschany writes: +krb5 + NOTE: lts-do-not-call +-- What does lts-do-not-call mean? See

[SECURITY] [DLA-1271-1] postgresql-9.1 security update

2018-02-07 Thread Christoph Berg
Package: postgresql-9.1 Version: 9.1.24lts2-0+deb7u2 CVE ID : CVE-2018-1053 A vulnerabilities has been found in the PostgreSQL database system: CVE-2018-1053 Tom Lane discovered that pg_upgrade, a tool used to upgrade PostgreSQL database clusters, creates

Accepted postgresql-9.1 9.1.24lts2-0+deb7u2 (source amd64 all) into oldoldstable

2018-02-07 Thread Christoph Berg
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 07 Feb 2018 16:04:12 +0100 Source: postgresql-9.1 Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 postgresql-9.1 postgresql-9.1-dbg postgresql-client-9.1 postgresql-server-dev-9.1 postgresql-doc-9.1

Re: Upload mailman

2018-02-07 Thread Thijs Kinkhorst
Hi, On Wed, February 7, 2018 06:02, Abhijith PA wrote: > I prepared a LTS security update for mailman. Debdiff is attached. > link: > https://mentors.debian.net/debian/pool/main/m/mailman/mailman_2.1.15-1+deb7u3.dsc Looks good to me. Cheers, Thijs