squeeze update of ntp?
Hello dear maintainer(s),

The Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of ntp:
https://security-tracker.debian.org/tracker/source-package/ntp

Would you like to take care of this yourself?

Note that all of the squeeze-relevant issues are still open in the "newer" Debian releases (wheezy through sid). It would be nice to know if you have planned some work on these to avoid duplication.

The LTS workflow is defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

Thank you very much.

Damyan Ivanov, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
Re: [pkg-ntp-maintainers] squeeze update of ntp?
-=| Kurt Roeckx, 13.02.2016 11:49:24 +0100 |=-
> On Sat, Feb 13, 2016 at 10:06:23AM +0000, Damyan Ivanov wrote:
> > Hello dear maintainer(s),
> >
> > The Debian LTS team would like to fix the security issues which are
> > currently open in the Squeeze version of ntp:
> > https://security-tracker.debian.org/tracker/source-package/ntp
>
> I was under the impression that squeeze LTS support ended?

Ends on 29 February. See https://lists.debian.org/debian-announce/2016/msg2.html

> > Note that all of the squeeze-relevant issues are still open in the
> > "newer" Debian releases (wheezy through sid).
>
> I'm waiting for upstream to actually fix things. I estimate it's
> going to take 2 months.

When this happens, do you plan to do a wheezy-lts upload too? (wheezy will gain LTS support in March).

BTW CVE-2016-0727 seems to me to be Debian-specific, since the cron job is part of debian/. In case you missed it, there is a patch for it at http://www.halfdog.net/Security/2015/NtpCronjobUserNtpToRootPrivilegeEscalation/

> They're all not that important.

Cheers,
dam
Accepted tiff 3.9.4-5+squeeze14 (source all amd64) into squeeze-lts
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 30 Jan 2016 11:39:29 +
Source: tiff
Binary: libtiff4 libtiffxx0c2 libtiff4-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all amd64
Version: 3.9.4-5+squeeze14
Distribution: squeeze-lts
Urgency: medium
Maintainer: Jay Berkenbilt <q...@debian.org>
Changed-By: Damyan Ivanov <d...@debian.org>
Description:
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff4 - Tag Image File Format (TIFF) library
 libtiff4-dev - Tag Image File Format library (TIFF), development files
 libtiffxx0c2 - Tag Image File Format (TIFF) library -- C++ interface
Changes:
 tiff (3.9.4-5+squeeze14) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by the Squeeze LTS Team
   * Fix CVE-2015-8781, CVE-2015-8782 and CVE-2015-8783: out-of-band
     read/write when decoding invalid data
   * Fix CVE-2015-8784: potential out-of-bound write in NeXTDecode()
Checksums-Sha1:
 b42b2dd34862101a8aed4431aaebe6f9f15830e1 1861 tiff_3.9.4-5+squeeze14.dsc
 1a31c10cf91beb032f65dc8e0c4760a261a2c930 44194 tiff_3.9.4-5+squeeze14.debian.tar.gz
 f497a3015d0bf525880ea3688dc56a39043b93a6 385566 libtiff-doc_3.9.4-5+squeeze14_all.deb
 fbc45e393f818f7f3f9898b5c2aaf4d5754088c9 196488 libtiff4_3.9.4-5+squeeze14_amd64.deb
 be03b1c5ecaefff5358334858e3b0cf32be66361 60098 libtiffxx0c2_3.9.4-5+squeeze14_amd64.deb
 29d323ed3869adbf1858113e38878ed1169dd07b 324562 libtiff4-dev_3.9.4-5+squeeze14_amd64.deb
 659003adbde10788eccc76f90598f8b5ee6e5835 304096 libtiff-tools_3.9.4-5+squeeze14_amd64.deb
 9de9d327a190320cf78bb5255fdccb0fa2c3357a 65558 libtiff-opengl_3.9.4-5+squeeze14_amd64.deb
Checksums-Sha256:
 169aa6175fef670e35f8066f5981a1b705f2957f17015ef4af597cd0e5ba4869 1861 tiff_3.9.4-5+squeeze14.dsc
 32b0b71af77e03d554455dc26b55f4a47906bc4c702431cff42531d34c29eec1 44194 tiff_3.9.4-5+squeeze14.debian.tar.gz
 e8d1f201b33b56460dbac5125f36e5f0d0d1173dd9a6ed4ecd85b0ac8899dd8e 385566 libtiff-doc_3.9.4-5+squeeze14_all.deb
 9d59576c853d62c361bf9419601143dc62b4dcaec7603001d42f636c9854484a 196488 libtiff4_3.9.4-5+squeeze14_amd64.deb
 a2ac1d27d90d3c3faac550931022e2abaeff7063e32157ae501688703a9584ee 60098 libtiffxx0c2_3.9.4-5+squeeze14_amd64.deb
 70e7d269fb021c6ee72c52ba405073db4af32acb9302d22c8b2182ced41ef5c0 324562 libtiff4-dev_3.9.4-5+squeeze14_amd64.deb
 a67d01ded1cba0fe882572527c94c4ef60a4645a88c7b33445d4308db9549dac 304096 libtiff-tools_3.9.4-5+squeeze14_amd64.deb
 f9683c0d2d801023aad7b06fbdd3d406475b7f584205e5f56d79e34238fe227e 65558 libtiff-opengl_3.9.4-5+squeeze14_amd64.deb
Files:
 1414db1ede39978fa07fc9b49dac63c5 1861 libs optional tiff_3.9.4-5+squeeze14.dsc
 1b62e706b18deb53f6add1ec7f99d67b 44194 libs optional tiff_3.9.4-5+squeeze14.debian.tar.gz
 a691a3a078e9a52928c4d16057c6c923 385566 doc optional libtiff-doc_3.9.4-5+squeeze14_all.deb
 799cec09c0b76d36c9fcded83c10083d 196488 libs optional libtiff4_3.9.4-5+squeeze14_amd64.deb
 2cc6071e406b105e1d81af38f6b483ae 60098 libs optional libtiffxx0c2_3.9.4-5+squeeze14_amd64.deb
 e3b92af994160e8b02225b3bae71b6bf 324562 libdevel optional libtiff4-dev_3.9.4-5+squeeze14_amd64.deb
 6381ec59e02c202b9aecd768756fab73 304096 graphics optional libtiff-tools_3.9.4-5+squeeze14_amd64.deb
 96affdcbdd9335118f937ffe1c7a79b8 65558 graphics optional libtiff-opengl_3.9.4-5+squeeze14_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWrLXOAAoJENu+nU2Z0qAEi84P/00nSgGagwpR0mwBVWcsm7ba
tT22SGjzc5c1r01+sGkGOV14m46Pn3uGhhoRhLzHTAV40CRYYviIrmBsaxSAR3TB
mH7r55NAUMgeAex3pL4TFvLOx5Nj8sYX4CCJ5S6Y6Nokq7RvCtR+wDzQLKhe6GvF
NaE9tT6uyqR/vNdYRuAGhChH8xluMhqJI0+/tw14q/qUH58uMmtDUn6G2az95yWY
HFlGN47dJrKWNhZLWxLfy5rGgrQ5BQvuvAv+ONSDCiBzj7lYW48SoSeViktAp8ho
J+PdpMfq2y0fiWM1uuu+GMndDYToc8neMHs9ecA5Yn17x8ut2Q50jc8ENe5srFtJ
YtlHPArAx2+jL6yGkEymonO78Omz3mXp5t4wNnDR1a6A9QcqWzTZzm8wWe6jcvIw
lp7qgF/qbscF3YKgv8+AUzpDhwClUOgmK0hILgLFTnsLgt6o2vQtpIgS8rQha4Ls
SmlRIfsKS7BFRRT/fhddvs0XITPHyEZueIkaLtTariRe3VuTSAKW9i6vIQGCSFac
4rn/OUEQNHwokLTv8UiYBE5suu+XpCx0c+CE83gr/Pb7wD5C4/GehdXD/qZWvnDk
buBnjZwPudTXMNurYb7XL4hVTBiqLbeRG0zXaxU5/xwXny4q4rcy2+cKAi4oOyzJ
8GXPyR6UlORXrrI1Ni1B
=4wIO
-----END PGP SIGNATURE-----
LTS work report, February 2016
Here's the summary of my work on Debian LTS for February 2016:

 * investigating the update of ntp
 * update libebml in squeeze-lts

This is my first month working on Debian LTS and I managed to work only 3.9 hours out of the allocated 11.25. The reason for this was mostly me not trying hard enough to find packages to work on. As a way to compensate for this, I plan to spend some time on the triaging part of the process in March.

--
Damyan
LTS report for March 2016
I had 7.35h left from the February allocation. I ended up using none of them, due to various, mostly personal reasons. The perspective for April is not better, so I marked myself as inactive in contributors.yaml.

Since these are leftover hours from February, I intend to return them to the April allocation pool (Available:2016:04), please advise if this is the right thing to do.

For the future, I intend to do some LTS work as an unpaid volunteer, both to make up for the false start, and to have some proof that I can keep it up.

--
Damyan
Re: Wheezy update of firebird2.5?
-=| Ola Lundqvist, 25.03.2017 22:46:35 +0100 |=-
> Dear maintainer(s),
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of firebird2.5:
> https://security-tracker.debian.org/tracker/CVE-2017-6369

Please feel free to take this over with the great LTS team.

In case it would be of any help, the changes needed for the jessie upload are available at https://anonscm.debian.org/cgit/pkg-firebird/2.5.git/log/?h=jessie

--
dam
Re: Wheezy update of firebird2.5?
-=| Brian May, 08.05.2018 17:19:56 +1000 |=-
> Damyan Ivanov <d...@debian.org> writes:
> > The only fix upstream has is to disable UDFs in firebird.conf --
> > https://salsa.debian.org/firebird-team/firebird3.0/blob/master/debian/patches/deb/cve-2017-11509.patch
> >
> > (probably needs adaptation for firebird2.5, but you get the idea).
>
> The patch appears to apply fine without dramas. Attached is the debdiff
> from the previous LTS release.
>
> Just compiling it now, but don't expect any problems.
>
> Damyan,
>
> Assuming I have write access to the firebird2.5 repository, do you have
> any objections if I push my changes (including the previous LTS release)
> to the wheezy branch in the git repository?

Sure! I have added you to https://salsa.debian.org/firebird-team/firebird2.5 so feel free to push your work.

Thanks!

--
Damyan
Re: Wheezy update of firebird2.5?
-=| Chris Lamb, 04.04.2018 08:39:52 +0100 |=-
> Dear maintainer(s),
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of firebird2.5:
> https://security-tracker.debian.org/tracker/source-package/firebird2.5
>
> Would you like to take care of this yourself?

Sorry, no.

AFAIS, the only open vulnerability is CVE-2017-11509. Moritz from the security team advised against updating that for stable, and the issue is still open in unstable. According to the researchers discovering it, upstream refused to fix it :( so the only "fix" I am aware of is the change in the default config to disable the vulnerable functionality.

You can find the patch for firebird3.0 at https://salsa.debian.org/firebird-team/firebird3.0/commit/5ad1c64f67ce9f091a2b747fa54519ef7d144698

It is perhaps not directly applicable to firebird2.5, but should help regardless.

Good luck!
Re: Wheezy update of firebird2.5?
-=| Antoine Beaupré, 17.04.2018 12:59:26 -0400 |=-
> I don't quite know where to go from here. I was somewhat hoping that
> Wheezy would be magically not vulnerable to this issue, but obviously,
> there's something wrong here that should probably be fixed.

The only fix upstream has is to disable UDFs in firebird.conf -- https://salsa.debian.org/firebird-team/firebird3.0/blob/master/debian/patches/deb/cve-2017-11509.patch

(probably needs adaptation for firebird2.5, but you get the idea).

--
dam
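The three firebird2.5 replies above all come down to the same mitigation: the default configuration is changed so that the server does not load UDFs. As an added example (not part of the thread and not the Debian packaging's code), the script below audits a firebird.conf for that setting and shows the weak default beside the hardened form. It assumes the directive is `UdfAccess`, with `None` disabling UDF loading and `Restrict <dir>` or `Full` allowing it, and that an absent directive falls back to the vulnerable `Restrict UDF` default; the thread only says "disable UDFs in firebird.conf", so treat the key name and its default as assumptions. The two sample configurations are constructed.

```python
"""Audit a firebird.conf for the UDF-disabling setting used as the
CVE-2017-11509 mitigation.

Added example; assumptions: the directive is named UdfAccess, the value
"None" disables UDF loading, anything else (Restrict ..., Full) allows it,
and a missing directive means the server default "Restrict UDF".
"""
import re
import sys

# firebird.conf lines look like "Key = Value"; '#' starts a comment and
# key names are matched case-insensitively (assumed format).
_LINE_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")

# Constructed sample: the stock default before the Debian patch.
WEAK_CONF = """\
# constructed sample firebird.conf
RootDirectory = /var/lib/firebird/2.5
UdfAccess = Restrict UDF
"""

# Constructed sample: what the mitigation leaves behind.
HARDENED_CONF = """\
# constructed sample firebird.conf
RootDirectory = /var/lib/firebird/2.5
#UdfAccess = Restrict UDF
UdfAccess = None
"""


def parse_firebird_conf(text):
    """Return {lowercase_key: value} for the active (uncommented) settings.

    If a key appears more than once the last occurrence wins (assumption).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop full-line and inline comments
        m = _LINE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def udf_status(text):
    """Classify a config as ('disabled', value) or ('enabled', value).

    value is the UdfAccess string as written, or None when the directive is
    absent (which falls back to the permissive default, so it is 'enabled').
    """
    value = parse_firebird_conf(text).get("udfaccess")
    if value is not None and value.strip().lower() == "none":
        return ("disabled", value)
    return ("enabled", value)


def harden(text):
    """Return the config with UdfAccess forced to None.

    Active UdfAccess lines are rewritten in place; if there is none, the
    directive is appended so the server default no longer applies.
    """
    out = []
    replaced = False
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.split("#", 1)[0])
        if m and m.group(1).lower() == "udfaccess":
            out.append("UdfAccess = None")
            replaced = True
        else:
            out.append(raw)
    if not replaced:
        out.append("UdfAccess = None")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python audit_udf.py [/path/to/firebird.conf]
    # Without an argument the constructed weak sample is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            conf = fh.read()
    else:
        conf = WEAK_CONF
    status, value = udf_status(conf)
    print("UdfAccess: %s (%s)" % (status, value))
    if status == "enabled":
        sys.exit(1)
```

Run it against the real file and it exits non-zero when UDF loading is still allowed, which makes it usable as a post-upgrade check on wheezy or jessie hosts; a missing directive is deliberately reported as enabled rather than unknown, because relying on the server default is exactly the state the patch removes.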