Re: [SECURITY] [DLA 2441-1] sympa security update

2020-11-09 Thread Antoine Beaupré
On 2020-11-09 14:04:02, Sylvain Beucler wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > - - > Debian LTS Advisory DLA-2441-1 debian-lts@lists.debian.org > https://www.debian.org/lts/security/

Re: heads up: DLA should now be published on the website

2019-02-21 Thread Antoine Beaupré
On 2019-02-21 18:18:06, Holger Levsen wrote: > Hi Antoine, > > On Mon, Feb 18, 2019 at 04:10:47PM -0500, Antoine Beaupré wrote: >> But my little finger tells me there are many DLAs still missing from the >> website. So even if/when the above MR does get merged, more entries w

(early) monthly report

2019-02-18 Thread Antoine Beaupré
Hi all, Here's my early LTS report. The TL;DR: is: * website work * python-gpg * golang * libarchive * netmask * libreoffice * enigmail # Website work I again worked on the website this month, doing one more mass import ([MR 53][]) which was finally merged by Holger Levsen, after I

heads up: DLA should now be published on the website

2019-02-18 Thread Antoine Beaupré
On 2019-02-01 20:58:28, Holger Levsen wrote: > On Fri, Feb 01, 2019 at 01:58:04PM -0500, Antoine Beaupré wrote: [...] > can you please put that on wiki.d.o/LTS/Development?! This is now done. I added a new section to the wiki https://wiki.debian.org/LTS/Devel

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-18 Thread Antoine Beaupré
On 2019-02-18 09:27:37, Russ Allbery wrote: > Does this plan sound good to everyone? I'll follow up with the proposed > diffs for stable and oldstable. Works for me (LTS), although I won't be the one performing the upgrade (I've unclaimed the package for other reasons). Thanks for your work!

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-14 Thread Antoine Beaupré
On 2019-02-14 10:08:40, Russ Allbery wrote: > Roman Medina-Heigl Hernandez writes: > >> Added Russ (rssh maintainer). > >> I cannot probe it but I guess chances are high that the issue is present >> both in stable and oldstable (I cannot find a good reason to filter >> different commands:

Re: Bug#859122: about 500 DLAs missing from the website

2019-02-12 Thread Antoine Beaupré
> https://www.debian.org/security/lts/ > MIME-Version: 1.0 > Content-Type: text/plain; charset=UTF-8 > Content-Transfer-Encoding: 8bit > > As discussed in https://bugs.debian.org/859122 DLAs and DSAs will be > separated in different supages. This needs adaption for the URL &

Re: concerns about the security reliability of python-gnupg

2019-02-11 Thread Antoine Beaupré
On 2019-02-09 11:39:18, Elena ``of Valhalla'' wrote: > On 2019-02-07 at 11:44:45 -0500, Antoine Beaupré wrote: >> Hi, >> >> Recently, python-gnupg was triaged for maintenance in Debian LTS, which >> brought my attention to this little wrapper around GnuPG th

Re: Bug#859122: about 500 DLAs missing from the website

2019-02-11 Thread Antoine Beaupré
On 2019-02-09 14:39:50, Holger Levsen wrote: > Hi Laura, > > many many thanks for your work on this, including and especially this > writeup! > > some comments below, where I don't say anything I mean 'yay'! :) > > On Sat, Feb 09, 2019 at 03:55:44AM +0100, Laura Arjona Reina wrote: >> * The

Re: Bug#859122: about 500 DLAs missing from the website

2019-02-11 Thread Antoine Beaupré
On 2019-02-09 03:55:44, Laura Arjona Reina wrote: > Hello all > > Holger Levsen merged the generated DLAs and I've worked to create the > /lts tree to show them separated from the DSA. I have moved to this new > /lts folder the DLAs from years 2014, 2015 and 2016 that we had already, > and remove

Re: faad2 and systemd: (semi)-automaticly unclaimed after 2 weeks of inactivity

2019-02-11 Thread Antoine Beaupré
On 2019-02-11 10:57:20, Holger Levsen wrote: > hi, > > I've just unclaimed faad2 and systemd as the last documented activity on these > packages was more than two weeks ago... > > If you intend to continue working on them, please just reclaim them and > update the note. Hehe... "arroseur arrosé"

[SECURITY] [DLA 1669-1] libreoffice security update

2019-02-08 Thread Antoine Beaupré
Package: libreoffice Version: 1:4.3.3-2+deb8u12 CVE ID : CVE-2018-16858 Alex Infuehr discovered a directory traversal vulnerability which could result in the execution of Python script code when opening a malformed document. For Debian 8 "Jessie", this problem has been

Accepted libreoffice 1:4.3.3-2+deb8u12 (source amd64 all) into oldstable

2019-02-08 Thread Antoine Beaupré
-librelogo Architecture: source amd64 all Version: 1:4.3.3-2+deb8u12 Distribution: jessie-security Urgency: high Maintainer: Debian LibreOffice Maintainers Changed-By: Antoine Beaupré Description: browser-plugin-libreoffice - office productivity suite -- Mozilla plugin fonts-opensymbol - OpenSymbol

Accepted libarchive 3.1.2-11+deb8u7 (source amd64) into oldstable

2019-02-07 Thread Antoine Beaupré
Maintainers Changed-By: Antoine Beaupré Description: bsdcpio- Implementation of the 'cpio' program from FreeBSD bsdtar - Implementation of the 'tar' program from FreeBSD libarchive-dev - Multi-format archive and compression library (development files) libarchive13 - Multi-format

Re: (when?) do we (still) contact maintainers?

2019-02-07 Thread Antoine Beaupré
On 2019-02-07 18:32:39, Markus Koschany wrote: > Please do not CC me. I am subscribed. > > Am 07.02.19 um 18:23 schrieb Antoine Beaupré: > [...] >> Well, I don't think we should make such calls without announcing it and >> documenting the new workflow clearly, first off.

Re: (when?) do we (still) contact maintainers?

2019-02-07 Thread Antoine Beaupré
On 2019-02-07 17:58:48, Markus Koschany wrote: > Hello, > > Am 07.02.19 um 17:32 schrieb Antoine Beaupré: > [...] >> Am I missing something here? Did we change this practice, or is this an >> oversight? > > I have been part of the team for three years now, from my

Re: concerns about the security reliability of python-gnupg

2019-02-07 Thread Antoine Beaupré
On 2019-02-07 16:48:56, Holger Levsen wrote: > On Thu, Feb 07, 2019 at 11:44:45AM -0500, Antoine Beaupré wrote: >> But maybe, instead, we should just mark it as unsupported in >> debian-security-support and move on. There are few packages depending on >> it, in jessie:

Re: concerns about the security reliability of python-gnupg

2019-02-07 Thread Antoine Beaupré
On 2019-02-07 11:44:45, Antoine Beaupré wrote: > https://dev.gentoo.org/~mgorny/articles/evolution-uid-trust-extrapolation.html > https://blogs.gentoo.org/mgorny/2019/01/29/identity-with-openpgp-trust-model/ Oops, that second link should have been: https://dev.gentoo.org/~mgorny/articles/

concerns about the security reliability of python-gnupg

2019-02-07 Thread Antoine Beaupré
Hi, Recently, python-gnupg was triaged for maintenance in Debian LTS, which brought my attention to this little wrapper around GnuPG that I'm somewhat familiar with. Debian is marked as "vulnerable" for CVE-2019-6690 in Jessie and Stretch right now, with buster and sid marked as fixed, as you

(when?) do we (still) contact maintainers?

2019-02-07 Thread Antoine Beaupré
Hi, I was under the impression that we were supposed to contact maintainers when we add packages to dla-needed.txt, as part of the triage work. That is, at least, the method documented here: https://wiki.debian.org/LTS/Development#Triage_new_security_issues Confident that people doing the

Re: [SECURITY] [DLA 1664-1] golang security update

2019-02-06 Thread Antoine Beaupré
On 2019-02-06 23:42:12, Chris Lamb wrote: > Hi Antoine, > >> all golang Debian packages are (as elsewhere) statically compiled >> and linked so we'd need to rebuild all the rdeps > > Hm. Can we avoid /all/ the rdeps? I mean, grep the rdeps for ones > that use this library? Yeah, that's what I was

Re: [SECURITY] [DLA 1664-1] golang security update

2019-02-06 Thread Antoine Beaupré
On 2019-02-06 22:17:26, Chris Lamb wrote: > It was discovered that there was a denial of service vulnerability > or possibly even the ability to conduct private key recovery > attacks within the elliptic curve cryptography handling in the > Go programming language libraries. Hello Chris! Have

[SECURITY] [DLA 1665-1] netmask security update

2019-02-06 Thread Antoine Beaupré
Package: netmask Version: 2.3.12+deb8u1 Debian Bug : 921565 A buffer overflow was found in netmask which would crash when called with arbitrarily long inputs. For Debian 8 "Jessie", this problem has been fixed in version 2.3.12+deb8u1. We recommend that you upgrade your

Re: buffer overflow vulnerability in netmask 2.3.12

2019-02-06 Thread Antoine Beaupré
On 2019-02-06 21:52:35, Guilhem Moulin wrote: > Hi anarcat, > > On Wed, 06 Feb 2019 at 14:13:23 -0500, Antoine Beaupré wrote: >> 4. issue a DLA when the package is accepted > > I wouldn't mind if you or another LTS team member were taking care of > this one :-) Alri

Re: buffer overflow vulnerability in netmask 2.3.12

2019-02-06 Thread Antoine Beaupré
On 2019-02-06 01:59:58, Guilhem Moulin wrote: > Dear LTS team, Hi Guilhem! > A buffer overflow vulnerability was recently found in the netmask > package (a small utility that helps determining network masks): > > https://github.com/tlby/netmask/issues/3 > > The Security Team argued that the

[SECURITY] [DLA 1660-1] rssh security update

2019-02-06 Thread Antoine Beaupré
Package: rssh Version: 2.3.4-4+deb8u2 CVE ID : CVE-2019-3463 CVE-2019-3464 More vulnerabilities were found by Nick Cleaton in the rssh code that could lead to arbitrary code execution under certain circumstances. CVE-2019-3463 reject rsync --daemon and --config

DLA-1654-1 libav missing?

2019-02-05 Thread Antoine Beaupré
Hi, It looks like no advisory was sent out for this upload. I noticed this while auditing the website for missing advisories. You'll be happy to know that with the current patchset, this is the only older advisory missing until the 2018 gap due to the mailing list crash. :) See also:

LTS report for January

2019-02-04 Thread Antoine Beaupré
Hello, Here's my report for January. ## sbuild regression My first stop this month was to notice a problem with sbuild from buster running on jessie chroots ([bug #920227][]). After discussions on IRC, where fellow Debian Developers basically fabricated me a patch on the fly, I sent [merge

Re: DLAs not arriving at my mailbox and I think it may be a general issue

2019-02-03 Thread Antoine Beaupré
On 2019-02-03 22:09:20, Ola Lundqvist wrote: > If someone have an idea on how I may have screwed this up myself I'm happy > to know. :-) After a quick glance, this might be gmail obsessing over DMARC. Typical problems all mailing list providers have suffered since this infamous standard came up

Re: Review and testing phpmyadmin for Jessie LTS

2019-02-01 Thread Antoine Beaupré
Hi, I've reviewed both patches and they look sane. I did some smoke tests on the package (installed it and mariadb in a VM) and it seems to run okay. I also did a naive attempt at exploiting CVE-2018-19970 but couldn't succeed, which can either mean I failed or the flaw is fixed. :) Good job,

Re: automating process for publishing DLAs on the website

2019-02-01 Thread Antoine Beaupré
I'm looking at the update process for DLAs on the main website again. In #859122, I've mentioned that I have, again, updated the MR to include all DLAs up to DLA-1657-1. The www team folks tell me they will review that this weekend. But that mass-import process is kind of clunky: every time I

Re: about 500 DLAs missing from the website

2019-02-01 Thread Antoine Beaupré
On 2018-12-19 18:05:36, Antoine Beaupré wrote: > The DLAs are visible here: > > https://www-staging.debian.org/security/2018/dla-1580 > > One thing that's unclear is how the entries get added to the main list > in: > > https://www-staging.debian.org/security/20

[SECURITY] [DLA-1657-1] debian-security-support enigmail end of life

2019-02-01 Thread Antoine Beaupré
Package: debian-security-support Version: 2019.02.01~deb8u1 debian-security-support, the Debian security support coverage checker, has been updated in jessie. This marks the end of life of the Enigmail package in jessie. After many months of work to try backporting the various

Accepted debian-security-support 2019.02.01~deb8u1 (source all) into oldstable

2019-02-01 Thread Antoine Beaupré
-By: Antoine Beaupré Description: debian-security-support - Debian security support coverage checker Changes: debian-security-support (2019.02.01~deb8u1) jessie-security; urgency=medium . * Team upload. * rebuild for jessie * revert incompatible debhelper changes Checksums-Sha1

HEADS UP: enigmail to be EOL'd by the end of week

2019-01-29 Thread Antoine Beaupré
On 2019-01-22 15:21:19, Daniel Kahn Gillmor wrote: > On Tue 2019-01-22 14:44:50 -0500, Antoine Beaupré wrote: >> I'm not sure we should remove *both* enigmail and thunderbird from >> jessie. I understand there are problems with the a.m.o version, but then >> that's somewhat ou

[SECURITY] [DLA 1639-1] systemd security update

2019-01-22 Thread Antoine Beaupré
Package: systemd Version: 215-17+deb8u9 CVE ID : CVE-2018-16864 CVE-2018-16865 Debian Bug : 918841 918848 Multiple vulnerabilities were found in the journald component of systemd which can lead to a crash or code execution. CVE-2018-16864 An allocation of memory

Accepted systemd 215-17+deb8u9 (source amd64) into oldstable

2019-01-22 Thread Antoine Beaupré
systemd Maintainers Changed-By: Antoine Beaupré Description: gir1.2-gudev-1.0 - libgudev-1.0 introspection data libgudev-1.0-0 - GObject-based wrapper library for libudev libgudev-1.0-dev - libgudev-1.0 development files libpam-systemd - system and service manager - PAM module libsystemd-daemon

Re: proposed removal of Enigmail from jessie/LTS

2019-01-22 Thread Antoine Beaupré
On 2018-12-20 14:30:49, Daniel Kahn Gillmor wrote: > fwiw, i agree with jmm that encouraging users to upgrade to stable is > the best outcome here. The question is, what are we doing to the folks > who (for whatever reason) can't make that switch. > > On Thu 2018-12-20 17:01:30 +0100, Moritz

Re: limits of automatic unclaiming (Re: pdns/pdns-recursor)

2018-12-27 Thread Antoine Beaupré
On 2018-12-27 14:16:22, Holger Levsen wrote: > Hi Abhijith, Antoine, > > I just ran "./bin/review-update-needed --lts --unclaim 1814400 --exclude > linux linux-4.9" today and it unclaimed pdns/pdns-recursor as the last > NOTE entries were more than 3 weeks ago. However Abhijith wrote here: > > On

Re: monthly report

2018-12-21 Thread Antoine Beaupré
[Ugh. Sorry about that last email, the markup was terrible - I copy-pasted from Emacs' markdown mode which ellipsises links... Here's a better formatted one.] ## Enigmail / GnuPG 2.1 backport I've spent a significant amount of time working on the Enigmail backport for a third consecutive month.

monthly report

2018-12-21 Thread Antoine Beaupré
Hi! This is my monthly report, published on the mailing list as I haven't found time to do my personal report on my blog in over a month now... ## Enigmail / GnuPG 2.1 backport I've spent a significant amount of time working on the Enigmail backport for a third consecutive month. I first

Re: proposed removal of Enigmail from jessie/LTS

2018-12-21 Thread Antoine Beaupré
On 2018-12-20 14:30:49, Daniel Kahn Gillmor wrote: > fwiw, i agree with jmm that encouraging users to upgrade to stable is > the best outcome here. The question is, what are we doing to the folks > who (for whatever reason) can't make that switch. > > On Thu 2018-12-20 17:01:30 +0100, Moritz

Re: automating process for publishing DLAs on the website

2018-12-19 Thread Antoine Beaupré
On 2018-12-19 18:05:36, Antoine Beaupré wrote: > On 2018-12-19 11:09:10, Antoine Beaupré wrote: >> On 2018-12-19 14:58:29, Holger Levsen wrote: >>> On Wed, Dec 19, 2018 at 09:52:19AM -0500, Antoine Beaupré wrote: >>>> > I also note #859122

Re: automating process for publishing DLAs on the website

2018-12-19 Thread Antoine Beaupré
On 2018-12-19 11:09:10, Antoine Beaupré wrote: > On 2018-12-19 14:58:29, Holger Levsen wrote: >> On Wed, Dec 19, 2018 at 09:52:19AM -0500, Antoine Beaupré wrote: >>> > I also note #859122 is not marked 'patch'. >>> fixed. >> >> :) >> >>> &

Re: proposed removal of Enigmail from jessie/LTS

2018-12-19 Thread Antoine Beaupré
On 2018-12-19 17:03:26, Holger Levsen wrote: > On Wed, Dec 19, 2018 at 11:40:07AM -0500, Antoine Beaupré wrote: > [...] > I've now also re-read this thread (for the 2nd time today..) and first > I'd like to notice that all the concerns were only brought up in the > last week, so i

Re: HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport

2018-12-19 Thread Antoine Beaupré
On 2018-12-18 14:34:06, Emilio Pozuelo Monfort wrote: [...] > Looking at a jessie -> jessie-new diff, I see that several -dbg packages are > gone in your backports. Yes. That's because they were switched to dbgsym in stretch, but that mechanism wasn't supported in jessie. I did a "fast" backport

proposed removal of Enigmail from jessie/LTS

2018-12-19 Thread Antoine Beaupré
On 2018-12-19 16:21:46, Holger Levsen wrote: > Hi Antoine, dkg, > > On Sat, Dec 15, 2018 at 01:09:39PM +0100, Moritz Mühlenhoff wrote: >> On Fri, Dec 14, 2018 at 09:08:42AM +0100, Emilio Pozuelo Monfort wrote: >> > However given the impact of these library updates, I was wondering >> > if we have

Re: automating process for publishing DLAs on the website

2018-12-19 Thread Antoine Beaupré
On 2018-12-19 14:58:29, Holger Levsen wrote: > On Wed, Dec 19, 2018 at 09:52:19AM -0500, Antoine Beaupré wrote: >> > I also note #859122 is not marked 'patch'. >> fixed. > > :) > >> >> I've requested access as an individual, for what that's worth. >>

Re: automating process for publishing DLAs on the website

2018-12-19 Thread Antoine Beaupré
On 2018-12-19 14:44:02, Holger Levsen wrote: > Hi Antoine, > > On Tue, Dec 11, 2018 at 10:15:15AM -0500, Antoine Beaupré wrote: [...] > I also note #859122 is not marked 'patch'. fixed. [...] >> I've requested access as an individual, for what that's worth. > > you

Re: HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport

2018-12-14 Thread Antoine Beaupré
On 2018-12-14 09:08:42, Emilio Pozuelo Monfort wrote: > On 13/12/2018 21:14, Antoine Beaupré wrote: >> Hi, >> >> This is the latest update in the Thunderbird / Enigmail changes that are >> happening in jessie. I have built a series of test packages, partly from &

HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport

2018-12-13 Thread Antoine Beaupré
Hi, This is the latest update in the Thunderbird / Enigmail changes that are happening in jessie. I have built a series of test packages, partly from stretch (gnupg2, enigmail) and partly from backports (libassuan, libgcrypt, libgpg-error, npth) and uploaded them here:

Re: Addressing FreeRDP security issues in Debian jessie (and stretch)

2018-12-11 Thread Antoine Beaupré
Gah. Forgot to fix the CC here as well, sorry for the noise. On 2018-12-11 10:05:53, Antoine Beaupré wrote: > On 2018-12-10 17:44:51, Mike Gabriel wrote: >> Hi, >> >> I'd like to discuss the possible pathways for getting FreeRDP fixed in >> Debian jessie L

Re: automating process for publishing DLAs on the website

2018-12-11 Thread Antoine Beaupré
On 2018-11-20 15:30:21, Holger Levsen wrote: > On Mon, Nov 19, 2018 at 07:07:26PM -0500, Antoine Beaupré wrote: >> The process broke down a while back, and reasons don't matter. We need >> to figure out how to fix this. >> >> So I opened #859122 to import the miss

Re: Addressing FreeRDP security issues in Debian jessie (and stretch)

2018-12-11 Thread Antoine Beaupré
On 2018-12-10 17:44:51, Mike Gabriel wrote: > Hi, > > I'd like to discuss the possible pathways for getting FreeRDP fixed in > Debian jessie LTS (and Debian stretch, too). > > Last week I talked to Bernhard Miklautz (one of the FreeRDP upstream > maintainers and the actual packager of FreeRDPv2

Re: Xen 4.4 updates vs. Xen Stretch backport

2018-12-03 Thread Antoine Beaupré
On 2018-12-03 20:40:08, Ben Hutchings wrote: [...] > I don't see this as an acceptable option for LTS. We could maybe add a > xen-4.8 package if it was popular in jessie-backports, but that doesn't > excuse us from having to support 4.4. As I was repeatedly told during my work on Enigmail /

Re: Xen 4.4 updates vs. Xen Stretch backport

2018-11-29 Thread Antoine Beaupré
On 2018-11-28 22:44:52, Moritz Muehlenhoff wrote: > On Wed, Nov 28, 2018 at 12:59:11PM +0100, Peter Dreuw wrote: >> Hi out there, >> Another option would be backporting the Xen >> 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10 (and following) package from >> Stretch to Jessie. > > What would be the

Re: unclaiming packages claimed for 3 weeks or more (Re: november report)

2018-11-26 Thread Antoine Beaupré
On 2018-11-26 21:20:14, Holger Levsen wrote: > On Mon, Nov 26, 2018 at 04:04:48PM -0500, Antoine Beaupré wrote: >> Did you try "--exclude linux linux 4.9"? That should work. > > doh, it does. Thanks! (Though I think that's somewhat unusual... but meh.) that's the way a

Re: unclaiming packages claimed for 3 weeks or more (Re: november report)

2018-11-26 Thread Antoine Beaupré
On 2018-11-26 20:48:07, Holger Levsen wrote: > On Fri, Nov 23, 2018 at 11:06:43AM -0500, Antoine Beaupré wrote: >> $ ./bin/review-update-needed --exclude linux linux-4.9 --lts --unclaim 3w >> [...] >> Editing file to unclaim: salt >> >> I've pushed that, I hope

Re: unclaiming packages claimed for 3 weeks or more (Re: november report)

2018-11-23 Thread Antoine Beaupré
On 2018-11-22 21:00:15, Holger Levsen wrote: > On Thu, Nov 22, 2018 at 11:54:16AM -0500, Antoine Beaupré wrote: >> Right. That's the one I had in mind as well. :) > > :) > >> So how *do* we make that "whitelist"? Commandline param? And what will >> i

Re: the way to enigmail: gnupg 2.1 backport considerations

2018-11-22 Thread Antoine Beaupré
On 2018-11-22 17:32:09, Holger Levsen wrote: > On Thu, Nov 22, 2018 at 10:54:41AM -0500, Antoine Beaupré wrote: >> On 2018-11-20 12:55:16, Daniel Kahn Gillmor wrote: >> > All that said, i don't think that upgrading jessie to the versions of >> > these libraries

Re: unclaiming packages claimed for 3 weeks or more (Re: november report)

2018-11-22 Thread Antoine Beaupré
param? And what will it list? Packages? People? Package/people combination? Before you answer, consider that all entries are manually maintained and I sometimes write my name "Antoine Beaupre", "Antoine Beaupré" or "anarcat" depending on what I remember I used last, and t

Re: feedback on review-update-needed --lts --unclaim (Re: november report)

2018-11-22 Thread Antoine Beaupré
On 2018-11-20 16:06:53, Holger Levsen wrote: > hi, > > this reply is mostly about using the tool itself, see below. I will now write > another mail about the results from using it... > [...] > So, third, what did "./bin/review-update-needed --unclaim --lts" do? Too > much, so I ran (in a sid

Re: the way to enigmail: gnupg 2.1 backport considerations

2018-11-22 Thread Antoine Beaupré
On 2018-11-20 12:55:16, Daniel Kahn Gillmor wrote: > All that said, i don't think that upgrading jessie to the versions of > these libraries that are in debian stretch will break jessie. I do wish > we had more substantive autopkgtest-style coverage in jessie, so that we > could feel more

Re: the way to enigmail: gnupg 2.1 backport considerations

2018-11-20 Thread Antoine Beaupré
On 2018-11-20 15:19:45, Ben Hutchings wrote: > On Mon, 2018-11-19 at 15:48 -0500, Antoine Beaupré wrote: >> On 2018-11-13 22:02:45, Ben Hutchings wrote: >> > On Tue, 2018-11-13 at 12:31 -0500, Daniel Kahn Gillmor wrote: >> > > On Mon 2018-11-12 15:16:3

automating process for publishing DLAs on the website

2018-11-19 Thread Antoine Beaupré
Hi! Many of you probably already know this website and its precious RSS feed: https://www.debian.org/security/ Few of you might already know that DLAs are *supposed* to show up in there as well, and did for a while. For example, here's a few DLAs in 2014: https://www.debian.org/security/2014/

november report

2018-11-19 Thread Antoine Beaupré
An early report, this month, as I've run out of work hours earlier than expected... GnuPG & Enigmail To get Enigmail working properly with the Thunderbird upload from last week, we need GnuPG 2.1 in jessie. I [backported GnuPG 2.1][] to Debian jessie directly, using work already

[SECURITY] [DLA 1580-1] systemd security update

2018-11-19 Thread Antoine Beaupré
Package: systemd Version: 215-17+deb8u8 CVE ID : CVE-2018-1049 CVE-2018-15686 CVE-2018-15688 Debian Bug : 912005 912008 systemd was found to suffer from multiple security vulnerabilities ranging from denial of service attacks to possible root privilege escalation.

Accepted systemd 215-17+deb8u8 (source amd64) into oldstable

2018-11-19 Thread Antoine Beaupré
systemd Maintainers Changed-By: Antoine Beaupré Description: gir1.2-gudev-1.0 - libgudev-1.0 introspection data libgudev-1.0-0 - GObject-based wrapper library for libudev libgudev-1.0-dev - libgudev-1.0 development files libpam-systemd - system and service manager - PAM module libsystemd-daemon

Re: the way to enigmail: gnupg 2.1 backport considerations

2018-11-19 Thread Antoine Beaupré
On 2018-11-19 22:32:17, Alexander Wirt wrote: > I can't stress this often enough. Jessie-backports doesn't exist anymore. > They are unsupported for months and I do really hope that they get archived > soon. I'm sorry I implied we might use backports for this. I didn't mean to: I mean we should

Re: the way to enigmail: gnupg 2.1 backport considerations

2018-11-19 Thread Antoine Beaupré
On 2018-11-13 22:02:45, Ben Hutchings wrote: > On Tue, 2018-11-13 at 12:31 -0500, Daniel Kahn Gillmor wrote: >> On Mon 2018-11-12 15:16:39 -0500, Antoine Beaupré wrote: >> >> > * libgcrypt20 (part of GnuTLS, 1.6 -> 1.7) >> >> libgcrypt is not a part of

Re: the way to enigmail: gnupg 2.1 backport considerations

2018-11-19 Thread Antoine Beaupré
Hi, As I'm running out of time to work on this problem for the month, I figured I would at least try to wrap up the conversation we had on the topic here so we can find a solution to move forward on. The current situation is that I have a backport of GnuPG 2.1 available for testing here:

systemd test packages, without tmpfiles fixes

2018-11-16 Thread Antoine Beaupré
Hi, Tl;DR: partial fixes for systemd issues pending upload, test packages at usual location. I've been working for the last two days on backporting the four pending CVEs for systemd. Those are: CVE-2018-1049 In systemd prior to 234 a race condition exists between .mount and ...

[SECURITY] [DLA 1578-1] spamassassin security update

2018-11-13 Thread Antoine Beaupré
Package: spamassassin Version: 3.4.2-0+deb8u1 CVE ID : CVE-2016-1238 CVE-2017-15705 CVE-2018-11780 CVE-2018-11781 Debian Bug : 784023 865924 883775 889501 891041 908969 908970 908971 913571 Multiple vulnerabilities were found in Spamassassin, which could lead to Remote

Accepted spamassassin 3.4.2-0+deb8u1 (source all amd64) into oldstable

2018-11-13 Thread Antoine Beaupré
-By: Antoine Beaupré Description: sa-compile - Tools for compiling SpamAssassin rules into C spamassassin - Perl-based spam filter using text analysis spamc - Client for SpamAssassin spam filtering daemon Closes: 784023 865924 883775 889501 891041 908969 908970 908971 913571 Changes

Re: the way to enigmail: gnupg 2.1 backport considerations

2018-11-13 Thread Antoine Beaupré
On 2018-11-13 18:41:47, Emilio Pozuelo Monfort wrote: > I can think of two options: > > 1) Ship them in a private dir (e.g. /usr/lib/gnupg2/), and link them to those > libs. Then ld should add an RPATH, otherwise an LD_LIBRARY_PATH hack could be > used. > > 2) Statically link the libraries into

Re: the way to enigmail: gnupg 2.1 backport considerations

2018-11-13 Thread Antoine Beaupré
On 2018-11-13 13:24:39, Ben Hutchings wrote: > On Mon, 2018-11-12 at 15:16 -0500, Antoine Beaupré wrote: >> Hi, >> >> So I've been looking at Enigmail again, after a long journey helping >> people in stable getting that stuff fixed. It's pretty obvious there's >&

the way to enigmail: gnupg 2.1 backport considerations

2018-11-12 Thread Antoine Beaupré
Hi, So I've been looking at Enigmail again, after a long journey helping people in stable getting that stuff fixed. It's pretty obvious there's no way to upload that without first doing a GnuPG 2.1 backport into jessie. That, it turns out, requires *four* more source package backports.

Re: updates on the gnupg/enigmail/thunderbird/firefox situation

2018-11-11 Thread Antoine Beaupré
On 2018-11-11 23:03:07, Emilio Pozuelo Monfort wrote: > On 11/11/2018 15:47, Antoine Beaupré wrote: >> On 2018-11-11 13:21:05, Emilio Pozuelo Monfort wrote: >>> Hi Antoine, >>> >>> On 09/11/2018 20:37, Antoine Beaupré wrote: >>>> On 2018-11-05

Re: updates on the gnupg/enigmail/thunderbird/firefox situation

2018-11-11 Thread Antoine Beaupré
On 2018-11-11 13:21:05, Emilio Pozuelo Monfort wrote: > Hi Antoine, > > On 09/11/2018 20:37, Antoine Beaupré wrote: >> On 2018-11-05 16:26:44, Emilio Pozuelo Monfort wrote: >>> Hi, >>> >>> On 30/10/2018 16:46, Antoine Beaupré wrote: >>>> W

Re: updates on the gnupg/enigmail/thunderbird/firefox situation

2018-11-09 Thread Antoine Beaupré
On 2018-11-05 16:26:44, Emilio Pozuelo Monfort wrote: > Hi, > > On 30/10/2018 16:46, Antoine Beaupré wrote: >> Which brings us to Thunderbird (and Firefox) themselves. The last I >> heard of this is that LLVM was NEW in jessie. I wrote Emilio to see if >> he ne

Re: updates on the gnupg/enigmail/thunderbird/firefox situation

2018-11-06 Thread Antoine Beaupré
On 2018-11-06 10:57:12, Holger Levsen wrote: > On Tue, Nov 06, 2018 at 02:25:37PM +0700, Daniel Kahn Gillmor wrote: >> On Tue 2018-10-30 11:46:35 -0400, Antoine Beaupré wrote: >> > 5. backport the required GnuPG patchset from stretch to jessie >> fwiw, i don't see how this

[SECURITY] [DLA 1561-1] phpldapadmin security update

2018-10-31 Thread Antoine Beaupré
Package: phpldapadmin Version: 1.2.2-5.2+deb8u1 CVE ID : CVE-2017-11107 Debian Bug : 867719 It was discovered that there was a cross-site scripting (XSS) vulnerability in phpldapadmin, a web-based interface for administering LDAP servers. For Debian 8 "Jessie", this

Accepted phpldapadmin 1.2.2-5.2+deb8u1 (source all) into oldstable

2018-10-31 Thread Antoine Beaupré
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 31 Oct 2018 13:30:20 -0400 Source: phpldapadmin Binary: phpldapadmin Architecture: source all Version: 1.2.2-5.2+deb8u1 Distribution: jessie-security Urgency: medium Maintainer: Fabio Tranchitella Changed-By: Antoine Beaupré

Spamassassin 3.4.2 jessie upgrade ready for testing

2018-10-30 Thread Antoine Beaupré
Hi, As discussed with the SpamAssassin (SA) maintainer, we are following upstream's advice of upgrading to the latest 3.4.2 release in jessie. There's a stable update pending in stretch (#912198) which served as a basis for this upload. I've kept to the strict minimal set of changes but also

[SECURITY] [DLA 1560-1] gnutls28 security update

2018-10-30 Thread Antoine Beaupré
Package: gnutls28 Version: 3.3.30-0+deb8u1 CVE ID : CVE-2018-10844 CVE-2018-10845 CVE-2018-10846 A set of vulnerabilities was discovered in GnuTLS which allowed attackers to do plain text recovery on TLS connections with certain cipher types. CVE-2018-10844 It was

Accepted gnutls28 3.3.30-0+deb8u1 (source amd64 all) into oldstable

2018-10-30 Thread Antoine Beaupré
+deb8u1 Distribution: jessie-security Urgency: medium Maintainer: Debian GnuTLS Maintainers Changed-By: Antoine Beaupré Description: gnutls-bin - GNU TLS library - commandline utilities gnutls-doc - GNU TLS library - documentation and examples guile-gnutls - GNU TLS library - GNU Guile bindings

updates on the gnupg/enigmail/thunderbird/firefox situation

2018-10-30 Thread Antoine Beaupré
Hi, In the last month, I have worked with dkg (in CC) to see how to (ultimately) deal with the end of life of Firefox and Thunderbird ESR as we know them in jessie. He has been hard at work updating GnuPG in stable (#910398) so that Enigmail works with that older version of GnuPG without

Re: backported gnutls28 3.3.30 packages available for jessie LTS

2018-10-26 Thread Antoine Beaupré
Last call for testing on this, I'll upload the 3.3.30 package on Monday if there's no objection until then. On 2018-10-23 14:00:14, Antoine Beaupré wrote: > Hi, > > After the lengthy discussion[1] regarding the pending security issues in > GnuTLS (CVE-2018-10844, CVE-2018-10845, CV

Re: Confusing our users - who is supporting LTS?

2018-10-26 Thread Antoine Beaupré
On 2018-10-26 13:02:57, Thadeu Lima de Souza Cascardo wrote: >> > 5) Is that not true anymore with Extended LTS and CIP? >> >> Sorry, what is not true? #4? If so, I think people should *still* >> install the latest supported Debian release (stable or stretch right >> now) and not LTS or ELTS,

Re: Xen 4.4 updates - request for feedback

2018-10-24 Thread Antoine Beaupré
On 2018-10-23 14:03:37, Peter Dreuw wrote: > The testing packages are available here: > > https://share.credativ.com/~pdr/xen-test/ One more thing about those... The .deb packages are provided completely without signatures. I understand that the site is protected by HTTPS, but it is customary

Re: Xen 4.4 updates - request for feedback

2018-10-24 Thread Antoine Beaupré
On 2018-10-24 19:33:45, Peter Dreuw wrote: > Am 24.10.18 um 17:24 schrieb Antoine Beaupré: >> On 2018-10-23 14:03:37, Peter Dreuw wrote: >>> Hello, everyone, >>> >>> I prepared another set of fixes based on the current Xen package on >>>

Re: Xen 4.4 updates - request for feedback

2018-10-24 Thread Antoine Beaupré
On 2018-10-24 11:24:28, Antoine Beaupré wrote: > On 2018-10-23 14:03:37, Peter Dreuw wrote: >> Hello, everyone, >> >> I prepared another set of fixes based on the current Xen package on >> jessie-security (4.4.4lts2-0+deb8u1, DLA-1549). >> >> These fixes

Re: backported gnutls28 3.3.30 packages available for jessie LTS

2018-10-23 Thread Antoine Beaupré
On 2018-10-23 19:26:32, Ben Hutchings wrote: > On Tue, 2018-10-23 at 14:00 -0400, Antoine Beaupré wrote: >> Hi, >> >> After the lengthy discussion[1] regarding the pending security issues in >> GnuTLS (CVE-2018-10844, CVE-2018-10845, CVE-2018-10846), I have >&g

Re: backported gnutls28 3.3.30 packages available for jessie LTS

2018-10-23 Thread Antoine Beaupré
Ah, and I pushed my changes here: https://salsa.debian.org/debian/gnutls/tree/gnutls28_jessie_3.3.30+ A. -- We should act only in such a way that if everyone else acted as we do, we would accept the results. - Emmanuel Kant

backported gnutls28 3.3.30 packages available for jessie LTS

2018-10-23 Thread Antoine Beaupré
Hi, After the lengthy discussion[1] regarding the pending security issues in GnuTLS (CVE-2018-10844, CVE-2018-10845, CVE-2018-10846), I have determined it might be simpler to just upgrade to the latest upstream 3.3.x version for which upstream is still providing updates. Upstream agrees with the

Re: Confusing our users - who is supporting LTS?

2018-10-23 Thread Antoine Beaupré
Hi Steve! On 2018-10-23 04:26:18, Steve McIntyre wrote: > So I'm worried that those of us who have *not* volunteered to support > LTS are being pressured into spending our time on it anyway. What can > we do to fix that? How/where do we clarify for our users (and > developers!) what LTS means,

Re: Wheezy update of spamassassin?

2018-10-22 Thread Antoine Beaupré
On 2018-09-25 16:03:45, Antoine Beaupré wrote: > On 2018-09-19 19:16:32, Noah Meyerhans wrote: >> On Wed, Sep 19, 2018 at 08:26:28PM +0200, Ola Lundqvist wrote: >>> The Debian LTS team would like to fix the security issues which are >>> currently open in the Whe

Re: Gnutls investigation and request for advice for Jessie

2018-10-01 Thread Antoine Beaupré
I contacted three parties to try and settle this: * the original authors of the paper * the GnuTLS upstream * the RedHat security team The original authors "still stand behind what is written in the paper" and believe only a constant-time implementation is the proper fix. They point to

Re: removing enigmail from jessie?

2018-09-28 Thread Antoine Beaupré
On 2018-09-27 10:51:25, Antoine Beaupré wrote: > So thinking about this again, I see three options: > > 1. Make Enigmail work with GnuPG 2 in Debian and ship the result in > jessie-security. As mentioned above, I think this has huge > implications and risks breaking unrelat

Re: enigmail will break with TB upgrade

2018-09-27 Thread Antoine Beaupré
On 2018-09-27 17:27:46, Markus Koschany wrote: > Am 27.09.18 um 17:12 schrieb Antoine Beaupré: > [...] >> I wonder what that was all about... >> >> Was the solution for stretch finally to remove enigmail from stable and >> use backports? > > AFAIK he hasn'
