[SECURITY] [DLA 1757-1] cacti security update

2019-04-16 Thread Chris Lamb

Package: cacti
Version: 0.8.8b+dfsg-8+deb8u7
CVE ID : CVE-2019-11025
Debian Bug : #926700

It was discovered that there were a number of cross-site scripting
vulnerabilities (XSS) in cacti, a web-based front-end for the RRDTool
monitoring tool.

For Debian 8 "Jessie", this issue has been fixed in cacti version
0.8.8b+dfsg-8+deb8u7.

We recommend that you upgrade your cacti packages.


Regards,

- -- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-




Re: LTS, no-dsa reasoning and sponsored packages

2019-04-16 Thread Markus Koschany
Am 16.04.19 um 09:17 schrieb Raphael Hertzog:
> Hi,
> 
> On Mon, 08 Apr 2019, Markus Koschany wrote:
>> "Not used by any sponsor" is often used internally in commit messages as
>> an additional comment, reason and clarification why a certain issue is
> 
> In commit message to which repository?
> 
> I think you are mixing the ELTS security tracker here.

No, I don't.

> 
>> marked no-dsa or ignored, mostly intended for those people who work on
>> LTS. Of course we always take into consideration how useful a fix is and
>> what we should spend our time on. This should come as no surprise to
>> everyone who followed LTS in the past. Debian LTS is only possible
>> because of this sponsorship and of course it is part of Debian.
> 
> FWIW, I agree fully with Salvatore that "Not used by any sponsor" is
> completely irrelevant for CVE triaging.
> 
> It's relevant when paid LTS contributors have to select which packages
> they are going to work on, but it's not relevant to evaluate the
> importance of a CVE.
> 
> (The story is very different for ELTS, obviously)

I think there is a big misunderstanding here. For instance I have
triaged edk2 which is a non-free package in Jessie. Normally we don't
support non-free but we make an exception when it is used by sponsors
like firmware-nonfree or unrar in the past. Thus when I write non-free
is not supported, not used by any sponsor I am clarifying that we should
not spend time on such a package. This was always our policy.

Also popcon value is a factor to consider for spending time on a fix.
When there are only 10 reported installations for a web application like
hoteldruid then we usually prioritize more important packages. Hence I
have sent an email to the maintainer of hoteldruid with our rationale
and asked him if he would like to work on the package in the meantime.

I don't agree with Salvatore's concerns and I find "Minor issue" far
less informative as a reasoning which the security team uses rather
often as a justification.

Markus






Re: [Pkg-clamav-devel] LTS update of clamav and call for advice

2019-04-16 Thread Ben Hutchings
On Mon, 2019-04-15 at 20:00 +0200, Ola Lundqvist wrote:
> Hi Scott
> 
> I have now walked through the difference in the debian directories between
> the version in jessie and stretch updates.
> I think there is more work than just a simple changelog update.
> 
> 1) The changelog file contains a lot of changes. I wonder how we generally
> should do it. If I backport a package from current stable should I keep that
> changelog and just add one entry or should I pretend that the jessie
> version still applies and add one entry from that one... Not sure myself.
[...]

Assuming that you are going to take almost all the changes from
stretch:

1. Add all the newer changelog entries from stretch to jessie's
   debian/changelog.
2. Add an entry for the backport version.
3. Use the -v option with the previous jessie version when building the
   source package.

Ben.

-- 
Ben Hutchings
Make three consecutive correct guesses and you will be considered
an expert.




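The three steps Ben lists above, worked through as an added example (this is not Ben's script and not anything from the clamav packaging). It takes a debian/changelog on which steps 1 and 2 have already been done, i.e. the newer stretch entries stacked on top of the last jessie upload plus a fresh entry for the backport, finds the version of that last jessie upload, and composes the step 3 build command. The package name, version numbers, dates and maintainer address in the sample changelog are constructed for illustration and do not correspond to real uploads; the script only prints the dpkg-buildpackage command rather than running it, so it runs anywhere a POSIX sh and awk exist.

```shell
#!/bin/sh
# Added example, not from the thread or the clamav package: after the
# stretch changelog entries have been copied into jessie's debian/changelog
# (step 1) and a new entry added for the backport (step 2), find the version
# of the last real jessie upload so that step 3, "dpkg-buildpackage
# -v<that version>", makes dpkg-genchanges list every changelog entry newer
# than it in the .changes file. Without -v only the new entry would appear
# and the security history imported from stretch would be invisible.

# Constructed debian/changelog (steps 1 and 2 already done). Package name,
# versions, dates and address are illustrative, not real uploads.
write_sample_changelog() {
    cat > "$1" <<'EOF'
clamav (0.42.1+dfsg-0+deb8u1) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS Team.
  * Backport of the stretch-security package to jessie.

 -- Example Contributor <contributor@example.org>  Tue, 16 Apr 2019 10:00:00 +0200

clamav (0.42.1+dfsg-0+deb9u1) stretch-security; urgency=medium

  * New upstream security release.

 -- Example Contributor <contributor@example.org>  Mon, 01 Apr 2019 10:00:00 +0200

clamav (0.42.0+dfsg-0+deb9u1) stretch-security; urgency=medium

  * New upstream security release.

 -- Example Contributor <contributor@example.org>  Mon, 01 Oct 2018 10:00:00 +0200

clamav (0.42.0+dfsg-0+deb8u1) jessie-security; urgency=medium

  * New upstream security release.

 -- Example Contributor <contributor@example.org>  Mon, 07 May 2018 10:00:00 +0200

clamav (0.41.0+dfsg-0+deb8u1) jessie-security; urgency=medium

  * New upstream security release.

 -- Example Contributor <contributor@example.org>  Mon, 05 Mar 2018 10:00:00 +0200
EOF
}

# Version of the newest entry, other than the first one (the backport
# itself), whose distribution is jessie or jessie-security. That is the
# baseline to hand to -v: everything above it in the file is "new" for jessie.
previous_jessie_version() {
    awk '
        # Entry header line: "package (version) distribution; urgency=..."
        /^[a-z0-9][a-z0-9.+-]* \([^)]*\) [a-z-]+;/ {
            n++
            if (n == 1) next                      # skip the new backport entry
            ver = $2; sub(/^\(/, "", ver); sub(/\)$/, "", ver)
            dist = $3; sub(/;$/, "", dist)
            if (dist == "jessie" || dist == "jessie-security") { print ver; exit }
        }
    ' "$1"
}

# Step 3: the source-package build command with the computed baseline.
# Fails loudly if the changelog has no earlier jessie entry at all.
build_source_command() {
    v=$(previous_jessie_version "$1")
    [ -n "$v" ] || { echo "no previous jessie entry found in $1" >&2; return 1; }
    printf 'dpkg-buildpackage -S -v%s\n' "$v"
}

# Stand-alone run: write the sample changelog and show the command.
tmp=$(mktemp)
write_sample_changelog "$tmp"
build_source_command "$tmp"
rm -f "$tmp"
```

On a real Debian system the version fields could also be pulled out with `dpkg-parsechangelog --show-field Version` together with `--offset`/`--count`, but that tool only returns one entry at a time and does not know which entries are jessie ones, so the small awk filter above is what actually does the selection.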


Re: LTS, no-dsa reasoning and sponsored packages

2019-04-16 Thread Sylvain Beucler
Hi,

On 16/04/2019 09:20, Raphael Hertzog wrote:
> On Tue, 09 Apr 2019, Sylvain Beucler wrote:
>> On 09/04/2019 09:50, Ingo Wichmann wrote:
>>> labeling it "minor issues" when the real reason is "sponsors needed"
>>> sounds wrong to me.
>> That's never been the real reason so far AFAICS, only a complementary
>> reason.
> Ok, still to not encourage this bad practice, please remove those
> "complementary reasons" from the existing entries.

Already did for mine, just removed the others (pointing to your mail in
the commit message).

- Sylvain



Re: (E)LTS report for March

2019-04-16 Thread Emilio Pozuelo Monfort
On 16/04/2019 04:22, PICCORO McKAY Lenz wrote:
> but it seems wheezy was removed from security.debian.org but still, as of
> April 14, is not present at archive.debian.org

It is indeed removed from security.debian.org, however it has been archived:

http://archive.debian.org/debian/dists/wheezy/
http://archive.debian.org/debian-security/dists/wheezy/

Yet this is talking about extended LTS:

https://deb.freexian.com/extended-lts/docs/how-to-use-extended-lts/

Look at that if you want to use it, but note that only a subset of the archive
is supported, and only for a limited time, so make sure you only use packages on
that subset.

Emilio



Re: Wheezy ELTS?

2019-04-16 Thread Raphael Hertzog
On Tue, 16 Apr 2019, Paul Wise wrote:
> On Tue, Apr 16, 2019 at 10:20 AM PICCORO McKAY Lenz  wrote:
> 
> > was removed or not? is it still ELTS?
> 
> The timeline says that eLTS support ended on 31st May 2019.
> https://wiki.debian.org/LTS/Extended

That date has not passed yet and the page said clearly that it might last
longer depending on sponsors. For now it looks like some packages
will be supported until end of 2019.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Re: LTS, no-dsa reasoning and sponsored packages

2019-04-16 Thread Raphael Hertzog
Hi,

On Tue, 09 Apr 2019, Sylvain Beucler wrote:
> On 09/04/2019 09:50, Ingo Wichmann wrote:
> > labeling it "minor issues" when the real reason is "sponsors needed"
> > sounds wrong to me.
> 
> That's never been the real reason so far AFAICS, only a complementary
> reason.

Ok, still to not encourage this bad practice, please remove those
"complementary reasons" from the existing entries.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Re: LTS, no-dsa reasoning and sponsored packages

2019-04-16 Thread Raphael Hertzog
Hi,

On Mon, 08 Apr 2019, Markus Koschany wrote:
> "Not used by any sponsor" is often used internally in commit messages as
> an additional comment, reason and clarification why a certain issue is

In commit message to which repository?

I think you are mixing the ELTS security tracker here.

> marked no-dsa or ignored, mostly intended for those people who work on
> LTS. Of course we always take into consideration how useful a fix is and
> what we should spend our time on. This should come as no surprise to
> everyone who followed LTS in the past. Debian LTS is only possible
> because of this sponsorship and of course it is part of Debian.

FWIW, I agree fully with Salvatore that "Not used by any sponsor" is
completely irrelevant for CVE triaging.

It's relevant when paid LTS contributors have to select which packages
they are going to work on, but it's not relevant to evaluate the
importance of a CVE.

(The story is very different for ELTS, obviously)

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/