On 2018-08-31 13:29:29, Ola Lundqvist wrote:
> Hi all LTS contributors
>
> My question is whether removing default ciphers and introducing new
> options is acceptable so late in the release cycle. My assumption is
> no, but let me know if you have another opinion. More details below.
A priori, I
On 2018-08-31 19:42:15, Abhijith PA wrote:
> Hello Matus
>
> On Friday 31 August 2018 05:25 PM, Matus UHLAR - fantomas wrote:
>> Hello,
>>
>> the debian bug 775720 for squirrelmail was closed by debian maintainer
>> because squirrelmail was removed from archive.
>>
>> However, there were security
Hi,
[reducing CC list]
Thank you very much for the hint on the checksum verification commit
(2fb3722ce), it was really the bit missing. I've added that to the patch
series and rerolled the rest of the patches to add the Verify type (which is
now called VerifyConfig, but we don't have the Verifica
Thank you very much Joey. I took the day off today, but I will
definitely review and update all of this tomorrow.
A.
--
Blind respect for authority is the greatest enemy of truth.
- Albert Einstein
Hi!
TL;DR: test packages ready for git-annex. fix probably incomplete,
patches attached for review.
I've been working for the past day or two on backporting the pending
security fixes for git-annex to Debian jessie as part of the LTS
project. The two security issues are of course CVE-2018-10857 a
On 2018-08-28 19:31:27, Markus Koschany wrote:
> Hello Chris,
>
> the Debian LTS team would like to fix CVE-2018-14424, gdm3 in Jessie. We
> have prepared a patch [1] based on your work which you have attached to
> the Gnome issue tracker. [2] We have noticed [3] that it is still
> possible to "cra
Oh, and I forgot to mention the test packages are available here:
https://people.debian.org/~anarcat/debian/jessie-lts/
Cheers,
A.
Hi!
After asking Markus the status of the gdm3 security upgrade for jessie,
he nicely offered me to take it over since he got stuck.
Using his patches, however, I wasn't able to reproduce the
problems. Sure, it *looks* like gdm is "crashing", but I /think/ it's
actually doing what it's asked. The
On 2018-08-08 17:35:52, Brian May wrote:
> If I got this right, we cannot use $(xyz) unless the value of xyz is
> trusted. Otherwise executing $(xyz) can result in the execution of code
> if xyz is something like "". This
> happens immediately, and even if you don't use the return value.
>
>
> I be
On 2018-08-14 17:27:29, Brian May wrote:
> I have been trying to reproduce this bug (buffer overflow), but instead
> I get increasing memory usage until my computer crashes. With versions
> from Jessie, Stretch, and Sid. So maybe another security issue?
>
> I note that CVE-2017-11613 and CVE-2018-5
On 2018-07-05 18:40:37, Brian May wrote:
> Antoine Beaupré writes:
>
>> I am skeptical as well, and yes, it's a dict (.items()), so it should
>> *not* return constant ordering. But I'm just telling you what I am
>> seeing here. The #mercurial devs proposed
On 2018-07-04 10:52:15, Abhijith PA wrote:
> On Wednesday 04 July 2018 08:00 PM, Antoine Beaupré wrote:
>> I'm surprised you ended up with this result. I sent you an email over a
>> week ago (2018-06-27, id:87muvgi20l@curie.anarc.at) detailing the
>> work I already
On 2018-07-04 11:06:19, Chris Lamb wrote:
>> @wireprotocommand('listkeys', 'namespace')
>> def listkeys(repo, proto, namespace):
>> d = repo.listkeys(encoding.tolocal(namespace)).items()
>> return pushkeymod.encodekeys(d)
>>
>> And in my tests this is returns as a list of tuples,
>> determ
On 2018-07-04 03:41:31, Abhijith PA wrote:
> Hello.
>
> I've prepared LTS security update for dokuwiki. Please review and
> upload. Debdiff is attached. Patch is forward ported from wheezy. I've
> tested by installing in clean jessie machine, created sample wiki pages.
Hi!
I'm surprised you ended
On 2018-07-03 14:16:17, Antoine Beaupré wrote:
> On 2018-06-29 03:41:15, Chris Lamb wrote:
> In the meantime, I postponed working on the package as I had to move on
> to other things and there didn't seem to be a consensus on the packaged
> suggested. I'll go back to it now t
On 2018-06-29 03:41:15, Chris Lamb wrote:
> Antoine,
>
>> >> I am not sure why the test suite fails nor why the output varies from
>> >> one build to the next. Once a package is built, however, it passes the
>> >> test suite reliably.
> […]
>> Sure. I guess I see this from the perspective of "does
On 2018-06-29 21:44:36, Roberto C. Sánchez wrote:
[...]
> This does not appear to be a good approach at the moment, given the
> considerable differences between 8.0 and 8.5.
>
> For the time being, it seems like the best approach is to patch the
> current jessie package for the two outstanding CV
On 2018-06-28 23:04:59, Chris Lamb wrote:
> Hey Antoine,
>
>> I am not sure why the test suite fails nor why the output varies from
>> one build to the next. Once a package is built, however, it passes the
>> test suite reliably.
>
> That may be, but as we only (*) really care about the package bui
On 2018-06-28 21:56:07, Chris Lamb wrote:
> Hey Antoine, :)
>
>> The package I managed to build obviously passes that test suite, and
>> *reliably* [but] it might FTBFS on the buildds
>
> Thanks for working on this. :)
>
> I'm a bit lost by your wording; it "might" FTBFS on the buildds, it
> does n
Hi,
I have worked on porting the security issues fixed in wheezy into jessie
for the Mercurial package, as I previously mentioned here.
I was not able to make the package build reproducibly. The test suite
fails during the build because of an ordering issue in the `hg serve`
output and I cannot f
On 2018-06-07 09:45:06, Chris Lamb wrote:
> Hi Antoine,
>
>> A peculiar thing with the patchset is that it adds the --debug flag to
>> the test suite: I don't know why, but it's the only way to make it pass
>> the (new) test-http-permissions.t tests. Otherwise it just hangs there
>> forever.
>
> Pe
On 2018-06-07 22:51:07, Moritz Muehlenhoff wrote:
> On Thu, Jun 07, 2018 at 08:08:06AM -0400, Antoine Beaupré wrote:
>> On 2018-06-07 04:45:06, Chris Lamb wrote:
>> > Hi Antoine,
>> >
>> >> A peculiar thing with the patchset is that it adds the --debug fla
On 2018-06-24 15:02:26, Ola Lundqvist wrote:
> Hi Antoine and others
>
> Thank you for this. I modified also the cache location later in the file so
> you do not have to wget it separately.
>
> My question is how we should handle this?
>
> Should we add all "unfixed in jessie but fixed in wheezy" p
On 2018-06-25 18:40:06, Roberto C. Sánchez wrote:
> Security Team & Tomcat Maintainers,
>
> I began working on a jessie LTS update for tomcat8 and sought some
> guidance from Markus Koschany, as he prepared a tomcat7 update recently.
> He pointed out that the tomcat8 package in jessie is based on t
On 2018-06-15 10:27:45, Moritz Muehlenhoff wrote:
> On Fri, Jun 15, 2018 at 04:34:14PM +1000, Brian May wrote:
>> Moritz Muehlenhoff writes:
>>
>> > On Wed, Jun 13, 2018 at 05:19:40PM +1000, Brian May wrote:
[...]
>> That generates a report of all packages that we need to check. I assume
>> we
I've finalized a prototype during my research on this problem, which I
have detailed on GitLab, as it's really code that should be merged. It
would also benefit from wider attention considering it affects more than
LTS now. Anyways, the MR is here:
https://salsa.debian.org/security-tracker-team/se
On 2018-06-08 03:29:38, Brian May wrote:
> Antoine Beaupré writes:
>
>> Right now, it seems that all scripts that hammer at those files do so
>> with their own ad-hoc parsing code. Is that the recommended way of
>> chopping those files up? Or is there a better parsing l
On 2018-06-08 02:55:14, Brian May wrote:
> Chris Lamb writes:
>> Other work that can be done in the meantime include improving our
>> triage scripts -- I still have a half-draft of the "renamed packages"
>> script, for example.
>>
>> IIRC I believe the subject to search for is "Improvement needed
Sorry for resurrecting this old thread, but I've been looking at how to
deal with renamed packages in CVE triaging again. When we last talked
about this, we observed how we were sometimes missing packages during
triage, e.g. `tiff3` that was present in wheezy. That's not an issue
anymore since whee
On 2018-06-07 16:38:21, Chris Lamb wrote:
> Hi Antoine,
>
>> I'm not sure how that avoids duplicate work. Just writing to the BTS
>> does not make it very explicit that we're working on the package, unless
>> we explicitly say so ("hi, i'm working on this")
>
> I think you missed the bit where I w
On 2018-06-07 15:42:17, Chris Lamb wrote:
> Hi Antoine et al.,
>
>> After staring at that thing and trying to deal with a few of those, I am
>> a little unsure how to actually coordinate this work for now.
>
> I agree that that foo-needed.txt files are a little confusing right
> now. :)
>
> To ensu
On 2018-06-06 11:05:28, Antoine Beaupré wrote:
> Here is the current output:
After staring at that thing and trying to deal with a few of those, I am
a little unsure how to actually coordinate this work for now. All this
will be resolved within a week or two when jessie transitions over to
On 2018-06-07 09:36:29, Antoine Beaupré wrote:
> Oh, and for what it's worth, I've also uploaded the (successful) build
> log here:
>
> https://people.debian.org/~anarcat/debian/jessie-lts/mercurial_3.1.2-2+deb8u5_amd64-2018-06-07T00:41:12Z.build
>
> Warning: that is a
On 2018-06-07 11:23:45, Didier 'OdyX' Raboud wrote:
> On Thursday, 7 June 2018, 16:13:39 CEST, Antoine Beaupré wrote:
>> Hi again,
>>
>> Next in line: cups. Two fairly simple patches and this time the test
>> suite passes without a fuss, provided that the
fix remote code execution through DNS rebinding
+ * CVE-2017-18248: fix remote crash through invalid username
+
+ -- Antoine Beaupré Thu, 07 Jun 2018 09:23:48 -0400
+
cups (1.7.5-11+deb8u2) jessie; urgency=high
* Disable SSLv3 and RC4 by default to address POODLE vulnerability
diff -Nru cu
Oh, and for what it's worth, I've also uploaded the (successful) build
log here:
https://people.debian.org/~anarcat/debian/jessie-lts/mercurial_3.1.2-2+deb8u5_amd64-2018-06-07T00:41:12Z.build
Warning: that is about 5MB of logs.
a.
--
The history of any one part of the earth, like the life of a
On 2018-06-07 04:45:06, Chris Lamb wrote:
> Hi Antoine,
>
>> A peculiar thing with the patchset is that it adds the --debug flag to
>> the test suite: I don't know why, but it's the only way to make it pass
>> the (new) test-http-permissions.t tests. Otherwise it just hangs there
>> forever.
>
> Pe
Hi!
As part of the preparation work for jessie-lts, I started looking at the
issues that were fixed in wheezy but not jessie. One of those is the
mercurial package, which has been marked partly no-dsa, but also has
simply unfixed issues.
I have therefore worked on backporting the patches into jes
Hi,
So on june 1st, a few changes were made to the security tracker that
made it harder to figure out which packages can be forward-ported from
Jessie, breaking the `lts-needs-forward-port.py` script. I have figured
out how to reverse this locally, so if people want to work on that,
here's how to
On 2018-05-31 19:28:59, Chris Lamb wrote:
> Antoine,
>
>> Ah, then it might be relevant to push such a change. Should we add this
>> to dla-needed.txt?
>
> Please do so that it does not get lost. :)
>
> I would suggest adding a note indicating that its inclusion is not
> necessarily to imply an upl
On 2018-05-31 19:20:40, Chris Lamb wrote:
> Hi Antoine,
>
>> >
>> > I remember uploading (or helping to upload?) a version that removed
>> > the StartCom certs, but a quick glance a couple of days ago suggested
>> > that we were missing a handful of newer, although somewhat less
>> > serious, CAs.
On 2018-05-31 19:05:02, Chris Lamb wrote:
> Hi Antoine et al.,
>
>> > (Hm, would it make sense to update/sync ca-certificates just before we
>> > EOL wheezy?)
>>
>> I'm not sure. I lost track of what happened with that the last time -
>> I remember working on trying to coordinate an update for som
On 2018-05-30 20:21:38, Salvatore Bonaccorso wrote:
> On Wed, May 30, 2018 at 07:42:02PM +0200, Markus Koschany wrote:
>> Hi,
>>
>> [...]
>> > From what I understand, the next steps here are:
>> >
>> > 1. send the announcement (tomorrow, markus?)
>>
>> I will send the announcement on 01.06. aro
On 2018-05-30 17:36:16, Chris Lamb wrote:
> Hi Antoine,
>
>> So wheezy is EOL starting from tomorrow, as will probably be announced
>> then.
>
> (Hm, would it make sense to update/sync ca-certificates just before we
> EOL wheezy?)
I'm not sure. I lost track of what happened with that the last time
So wheezy is EOL starting from tomorrow, as will probably be announced
then.
This brings the question of whatever happens to the pending work in
dla-needed.txt, which is probably at an all time lowest size. Here's the
whole thing, for the record:
--
enigmail (Abhijith PA)
--
firefox-esr (Emilio P
Should we provide updates for the spectre/meltdown v4 in the
intel-microcode package?
It's non-free, so technically it's not supported even by the security
team, but considering the severity of those vulnerabilities, I guess we
should make an exception?
A, with his frontdesk hat.
--
Perl is "so
On 2018-04-25 15:18:52, Guido Günther wrote:
> Hi Antoine,
> On Thu, Apr 19, 2018 at 12:32:35PM -0400, Antoine Beaupré wrote:
>> Hi,
>>
>> I have taken a look at the libvorbis issues pending in wheezy (and
>> accidentally in jessie) and backported a few patches. T
Hi,
An early report as I've run out of hours sooner than expected...
* frontdesk: one week of triage and a discussion about postponed
packages and calibre maintenance
and review. i also reviewed the ruby work later on and looked at the
Firebird package
* qemu: triaged out CVE-2018-78
(OOM) via a crafted wav file.
+ * CVE-2018-5146: out-of-bounds memory write in the codeboook parsing
+code of the Libvorbis multimedia library could result in the execution
+ of arbitrary code.
+
+ -- Antoine Beaupré Thu, 19 Apr 2018 11:59:46 -0400
+
libvorbis (1.3.2-1.3) unstable; urge
Reviewing the upstream issue a little more, I stumbled upon this comment
from upstream:
https://bugs.launchpad.net/calibre/+bug/1753870/comments/7
Quote:
> For export data, it is pointless, since, as I said export data
> contains the entire calibre config, which in turn contains lots of
> execut
On 2018-04-18 17:14:33, Brian May wrote:
> I have a version available for testing:
> https://people.debian.org/~bam/debian/pool/main/c/calibre/
>
> I tried to test it myself, but I couldn't find how to start the export
> bookmarks or import bookmarks functions from the UI in the short time I
> had
On 2018-04-18 12:47:52, Santiago R.R. wrote:
> Hi Antoine!
>
> On 17/04/18 at 11:58, Antoine Beaupré wrote:
>> Also, after talking with my old colleagues, I just realized that they
>> might be using Ruby 1.8 and not 1.9.1. It seems we have triaged those
>> out of
On 2018-04-04 19:54:14, Damyan Ivanov wrote:
> -=| Chris Lamb, 04.04.2018 08:39:52 +0100 |=-
>> Dear maintainer(s),
>>
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of firebird2.5:
>> https://security-tracker.debian.org/tracker/sourc
Also, after talking with my old colleagues, I just realized that they
might be using Ruby 1.8 and not 1.9.1. It seems we have triaged those
out of the picture, but maybe all 1.8 packages are affected by a bunch
of those issues too? This looks suspiciously sparse:
https://security-tracker.debian.or
Hi Santiago!
I've done a summary review of the packages you built here, and things
look generally well. I wonder how the test suite is doing: last I dealt
with the ruby suite, it was a mess and I could only check if things were
*worse* than before. Are there any new regressions in the test suite?
On 2018-04-16 17:12:03, Brian May wrote:
> Antoine Beaupré writes:
>
>> But you're right, maybe we can just patch that out for now. It just
>> seems the version in calibre is really, really old and I doubt anyone is
>> actually using it. But I could be wrong!
Hi,
I've done a small update of the qemu packages to fix a rather serious
vulnerability:
https://security-tracker.debian.org/tracker/CVE-2018-7550
The fix is pretty trivial but I figured I would share it here because I
do not have a very good way of testing this directly here.
As usual, the sig
On 2018-04-12 10:17:25, Raphael Hertzog wrote:
> Hi,
>
> On Wed, 11 Apr 2018, Antoine Beaupré wrote:
>> 1. removing the package from dla-needed.txt
>> 2. adding the package as unsupported in debian-security-support
>> 3. (do we send end-of-life announcements to
On 2018-03-22 09:19:31, Hugo Lefeuvre wrote:
> * Start working on tiff and tiff3:
>
> - Investigate, debug/prepare and test patch for CVE-2018-7456 (git master
> version). This issue was very long to debug because it required me
> to have a good understanding of the TIFF standard which I
On 2018-04-10 17:28:26, Brian May wrote:
> If I understand the upstream patch correctly, this replaces pickle with
> json for bookmarks and metadata information. It looks like this patch
> was applied to sid.
>
> Won't this break existing installs by making existing data inaccessible?
>
> Maybe we
On 2018-04-10 14:33:28, Ola Lundqvist wrote:
> Hi Salvatore
>
> Great. Thanks. Then we do not need to do anything more to libgcrypt. I'll
> remove it from dla-needed.txt.
Assuming you forgot to do so, I went ahead and removed it from
dla-needed.txt and marked it as no-dsa in wheezy.
A.
--
Argui
Did you forget to issue a DLA for this one? I see the package is not
claimed in dla-needed.txt either...
a.
On 2018-04-11 18:23:46, Thijs Kinkhorst wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Format: 1.8
> Date: Wed, 11 Apr 2018 13:24:23 +0200
> Source: squirrelmail
> Binary: s
On 2018-04-11 15:27:33, Antoine Beaupré wrote:
> Note that the script does *not* detect `postponed` at all right now,
> which means postponed issues are in a state worse than `no-dsa` right
> now: they just go off the radar completely.
Okay, nevermind: postponed comes out as "nods
Hi!
During triage, I realized I am sometimes a little hesitant in marking a
package as no-dsa even though it's fairly obvious how it should be
triaged. Take those two CVEs for example:
https://security-tracker.debian.org/tracker/CVE-2018-2767
mysql-5.5: fix should come with the bulk of fixes i
I had 9.75 hours allocated in march and used all hours on the following.
* frontdesk work: minor catchup at the beginning of the month
* mercurial upload (DLA-1331-1), also fixed regression in the test
suite, spotted by Chris Lamb (thanks!)
* dovecot: tested the package provided by Thorste
On 2018-03-31 14:11:13, Alexander Wirt wrote:
> On Sat, 31 Mar 2018, Abhijith PA wrote:
>
>> Hello.
>> I received this mail after sending DLA. Is it something set up by our
>> sponsors ? Or spam.
> Such autoresponders are not allowed on l.d.o. I unsubscribed the user from
> all lists.
I've a
I will upload the mercurial package as is (after checking the
random_seed target stuff) tomorrow, unless someone tells me so.
a.
--
The adversary of true liberty is an excessive desire for security.
- Jean de la Fontaine
On 2018-03-27 07:38:43, Brian May wrote:
> Antoine Beaupré writes:
>
>> I'm not sure. The security team marked that as "no-dsa (minor issue)"
>> for jessie and stretch, and fixed in pycryptodome 3.4.11-1... Couldn't
>> we reuse the fixes from cryptodome
On 2018-03-26 22:40:38, Thorsten Alteholz wrote:
> Hi everybody,
>
> I uploaded version 1:2.1.7-7+deb7u2 of dovecot to:
>
> https://people.debian.org/~alteholz/packages/wheezy-lts/dovecot/
>
> It contains patches for CVE-2017-14461, CVE-2017-15130 and CVE-2017-15132.
>
> Please give it a try and te
Hi,
I have uploaded a test version of the Mercurial package in the usual
location:
https://people.debian.org/~anarcat/debian/wheezy-lts/
The main reason for the update is to fix this:
https://security-tracker.debian.org/tracker/CVE-2018-1000132
But there's also a fix to a regression introduced
On 2018-02-20 07:33:27, Brian May wrote:
> Any comments? Where should we go from here?
I'm not sure. The security team marked that as "no-dsa (minor issue)"
for jessie and stretch, and fixed in pycryptodome 3.4.11-1... Couldn't
we reuse the fixes from cryptodome to get this working properly? Or is
On 2018-03-05 17:03:23, Brian May wrote:
> Antoine Beaupré writes:
>
>> +tiff
>> + NOTE: incomplete fix of CVE-2017-18013
>> +--
>
> Hello,
>
> Is there any information available as to why this was an incomplete fix?
This is a reference to CVE-2018-74
On 2018-03-01 07:56:45, Roberto C. Sánchez wrote:
[...]
> I suppose another possibility would be to backport the patches to gcc
> 4.7 instead of 4.6 and switch the kernel build to gcc 4.7. Would that be
> considered to introduce less risk than bringing gcc 4.9 into wheezy at
> this stage?
Maybe
On 2018-03-01 07:22:34, Sebastiaan Couwenberg wrote:
> On 02/28/2018 10:49 PM, Antoine Beaupre wrote:
>> Would you like to take care of this yourself?
>
> I already did, see:
>
> https://lists.debian.org/debian-lts/2018/02/msg00092.html
>
> Thanks for ignoring those messages.
Oops! Sorry for over
On 2018-02-21 21:12:31, Fabian Grünbichler wrote:
> On 02/21/2018 08:40 PM, Antoine Beaupré wrote:
>> Hi,
>>
>> Trying to do a recap here to update the wiki page correctly:
>>
>> https://wiki.debian.org/DebianSecurity/SpectreMeltdown
>>
>>
On 2018-02-25 13:57:07, Roberto C. Sánchez wrote:
> On Sun, Feb 25, 2018 at 07:04:12PM +0100, Moritz Mühlenhoff wrote:
>> On Sun, Feb 25, 2018 at 08:54:06AM -0500, Roberto C. Sánchez wrote:
>> > Hi all,
>> >
>> > Please see my rather long-winded summary of the current state of the
>> > gcc-4.6/gcc
Hi,
Trying to do a recap here to update the wiki page correctly:
https://wiki.debian.org/DebianSecurity/SpectreMeltdown
See if you can fill in the blanks I've found...
Spectre v2
--
My understanding of retpoline is that it was designed to fix spectre v2
(CVE-2017-5715), yet it's not cl
On 2017-12-22 13:53:46, Rhonda D'Vine wrote:
> Hi there,
>
> * Emilio Pozuelo Monfort [2017-12-19 20:04:57 CET]:
>> On 26/10/17 22:59, Thorsten Alteholz wrote:
>> > as the irssi issues are already fixed upstream[1], I added you to
>> > dla-needed.txt
>> > for it.
>> >
>> > If you don't want
On 2018-02-15 21:34:48, Ben Hutchings wrote:
> On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote:
>> On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
>> > Hello.
>> >
>> > I prepared LTS security update for leptonlib. Please review and upload.
>> > You can find debdiff along
Hi,
I propose that the frontaccounting package be marked as
unsupported. I have already patched the git repo so this will be done in
the next upload of the debian-security-support package, unless someone
objects here. For what it's worth, the package is not used by any LTS
sponsor.
An unpat
Hi!
Markus reminded me today that I was frontdesk for the week: I had
completely forgotten. :( For some reason, I hadn't noted this down in my
agenda which means the event simply doesn't exist in this case. I have
reviewed my other allocations and they're all well written down in my
agenda, so thi
On 2018-01-26 00:31:19, Ben Hutchings wrote:
> On Thu, 2018-01-25 at 10:17 -0500, Antoine Beaupré wrote:
> [...]
>> > OS vendors (RH/SUSE)
>> > Upstream projects (Xen, Linux etc)
>>
>> I believe those already follow the CVE process and eventually converge
>
On 2018-01-25 16:27:58, Moritz Mühlenhoff wrote:
> Antoine Beaupré wrote:
>> So, regarding the first two (and similar), someone needs to teach those
>> folks about proper security tracking here... ;) Should I contact them
>> directly?
>
> Who in particular? Node a
On 2018-01-25 08:41:43, Paul Wise wrote:
> On Thu, Jan 25, 2018 at 1:12 AM, Antoine Beaupré wrote:
>
>> Okay, so this is a broader, recurring problem we have with the security
>> tracker right now... From my perspective, I've always and only used CVEs
>> as unique id
On 2018-01-25 09:07:37, Salvatore Bonaccorso wrote:
> Hi Antoine,
>
> On Wed, Jan 24, 2018 at 12:12:41PM -0500, Antoine Beaupré wrote:
>> So picking one thing from this thread and adding the security tracker
>> people in the loop, so we can focus on *one* topic here. :)
>
On 2018-01-19 10:52:05, Antoine Beaupré wrote:
> Hi!
>
> As part of an audit on my own website (!) running Bootstrap 3.3.4, I
> have found that the jQuery release I was using (1.11.2) was vulnerable
> to multiple security issues. This was detected by Sonarwhal, which in
> tur
So picking one thing from this thread and adding the security tracker
people in the loop, so we can focus on *one* topic here. :)
On 2018-01-21 14:09:01, Paul Wise wrote:
> On Fri, Jan 19, 2018 at 11:52 PM, Antoine Beaupré wrote:
>
>> I have found that Snyk had issues in its database
Hi!
As part of an audit on my own website (!) running Bootstrap 3.3.4, I
have found that the jQuery release I was using (1.11.2) was vulnerable
to multiple security issues. This was detected by Sonarwhal, which in
turns uses Snyk.io to make such security assessments. Tracking that down,
I have foun
On 2017-11-24 11:58:42, Antoine Beaupré wrote:
> On 2017-11-24 11:49:34, Antoine Beaupré wrote:
>> I think I got a pretty good patchset now, attached.
>
> Well well... debdiff clearly doesn't like libreoffice - it crashes with:
>
> cp: erreur d'écriture de
>
On 2017-11-27 20:38:20, Roberto C. Sánchez wrote:
> On Thu, Nov 23, 2017 at 02:51:56PM -0500, Antoine Beaupré wrote:
>>
>> So I ended up adding it to the debian/rules file, but that wasn't enough
>> either - I had to add "export" to every line so it shows u
On 2017-11-24 11:49:34, Antoine Beaupré wrote:
> I think I got a pretty good patchset now, attached.
Well well... debdiff clearly doesn't like libreoffice - it crashes with:
cp: erreur d'écriture de './libreoffice_3.5.4+dfsg2.orig-translations.tar.xz':
Aucun e
On 2017-11-24 10:14:20, Raphael Hertzog wrote:
> Hi,
>
> On Thu, 23 Nov 2017, Antoine Beaupré wrote:
>> > sal_uInt16 nLevelAnz;
>> > rIn >> nLevelAnz;
>> > if ( nLevelAnz > 5 )
>> > {
>> >
On 2017-11-23 15:10:17, Roberto C. Sánchez wrote:
> On Thu, Nov 23, 2017 at 02:51:56PM -0500, Antoine Beaupré wrote:
>>
>> Fun times. So I'm stuck now - I reported the CVE issues upstream so
>> they're at least aware of the issue:
>>
>> https://github.
On 2017-11-14 08:58:33, Roberto C. Sánchez wrote:
> All,
>
> Some of the last few updates I have done have required building the
> package with ASAN in order to reproduce the bug and/or confirm the fix.
>
> After some searches did not come up with anything that captured the
> issues I have encounte
On 2017-11-14 16:48:48, Raphael Hertzog wrote:
> Hello Emilio,
>
> as the libreoffice entry is the oldest one without update[1] I decided
> to take a look at the issues (even though it's assigned to you).
>
> For CVE-2017-12607 I believe that wheezy is not affected as the patch
> shown bel
On 2017-11-14 08:58:33, Roberto C. Sánchez wrote:
> All,
>
> Some of the last few updates I have done have required building the
> package with ASAN in order to reproduce the bug and/or confirm the fix.
>
> After some searches did not come up with anything that captured the
> issues I have encounte
On 2017-10-31 15:45:31, Raphael Hertzog wrote:
> On Tue, 31 Oct 2017, Antoine Beaupré wrote:
>> I'll take care of it then. Should I just reuse the old DLA id? or
>> simply mention the old DLA id in the announcement? Or mention all the
>> CVEs fixed in the old DLA
On 2017-10-31 17:40:30, Hugo Lefeuvre wrote:
> Hi,
>
>> In my case, I also previously had issues because I added a new signing
>> subkey that took some time to propagate across Debian's infrastructure.
>>
>> The main issue is we have currently no way of noticing when a number is
>> skipped. It wou
On 2017-10-31 14:13:13, Raphael Hertzog wrote:
> On Tue, 31 Oct 2017, Antoine Beaupré wrote:
>> > Please send it again and add a small sentence explaining that you send an
>> > old advisory that never made it to the list... IOW if you expect
>> > confusion, add
On 2017-10-31 11:56:31, Raphael Hertzog wrote:
> Hi,
>
> On Sat, 28 Oct 2017, Brian May wrote:
>> I didn't realize until after I uploaded the newer version associated
>> with DLA-1140-1. So I tried sending DLA-1130-1 again, followed by
>> DLA-1140-1.
>>
>> Unfortunately DLA-1140-1 made it to the l