Re: cacti LTS

-2016-3172: Fix sql injection in tree.php. +debian/patches/CVE-2016-3659-sql-injection.patch ++ CVE-2016-3659: Fix sql injection in graph_view.php. + + -- Emilio Pozuelo Monfort <po...@debian.org> Sat, 25 Jun 2016 21:57:43 +0200 + cacti (0.8.8a+dfsg-5+deb7u8) wheezy-security; urgency

Re: claiming tiff

On 26/06/16 02:19, Bálint Réczey wrote: > Hi, > > There are newly discovered vulnerabilities in tiff [1]. > > I no one objects I plan looking into them and working with the > maintainer(s) to get them fixed in Wheezy LTS and in newer > releases. I looked at this yesterday. These CVEs aren't

Re: cacti LTS

On 26/06/16 09:23, Paul Gevers wrote: > Hi Emilio > > On 25-06-16 22:03, Emilio Pozuelo Monfort wrote: >>> Just in case somebody starts working on it, I'd like to review proposed >>> uploads of cacti to LTS. CVE-2016-2313 was initially wrongly fixed (a >>>

Re: claiming tiff

On 26/06/16 16:10, Bálint Réczey wrote: > Added that information in dla-needed.txt. Thanks. I added links to each cve in data/CVE/list but forgot to add a note to dla-needed. > In that case I don't claim them yet. Let's see how upstream responds. OK. Cheers, Emilio

Re: Coordinating uploads with identical tarballs

On 01/08/16 21:29, Moritz Mühlenhoff wrote: > Hi, > when making uploads with an identical tarball in lts and stable-security > you really need to coordinate with t...@security.debian.org! Due to dak's > crappy orig tarball handling only of the uploads can be made with the > tarball included and if

Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling

On 02/08/16 23:57, Ola Lundqvist wrote: > Hi Chris > > The reason I do not simply set the umask to a fixed value is to use the same > principle as upstream. That is honor the umask set bu the user. There may be > reasons why group read and/or write should be set for example. > > I agree with

Re: Icedtea plugin

On 31/07/16 19:41, Roberto C. Sánchez wrote: > On Sun, Jul 31, 2016 at 07:34:28PM +0200, Emilio Pozuelo Monfort wrote: >> Hi, >> >> Currently, icedtea-plugin depends on icedtea-6-plugin, i.e. Java6. Given >> openjdk-6 is unsupported, we should change it to depend on

Re: Wheezy update of gdk-pixbuf?

Hi, On 15/07/16 00:26, b...@decadent.org.uk wrote: > Hello dear maintainer(s), > > the Debian LTS team would like to fix the security issues which are > currently open in the Wheezy version of gdk-pixbuf: > https://security-tracker.debian.org/tracker/source-package/gdk-pixbuf > > Would you like

Re: Icedtea plugin

On 02/08/16 19:48, Emilio Pozuelo Monfort wrote: > On 01/08/16 23:26, Markus Koschany wrote: >> On 01.08.2016 23:01, Emilio Pozuelo Monfort wrote: >>> On 31/07/16 19:41, Roberto C. Sánchez wrote: >>>> On Sun, Jul 31, 2016 at 07:34:28PM +0200, Emilio P

Re: Security update of firefox-esr for Wheezy

On 04/08/16 23:02, Mike Hommey wrote: > On Thu, Aug 04, 2016 at 07:50:28PM +0200, Guido Günther wrote: >> Hi, >> On Thu, Aug 04, 2016 at 06:32:14PM +0900, Mike Hommey wrote: >>> On Thu, Aug 04, 2016 at 11:04:47AM +0200, Markus Koschany wrote: Hello Mike, Thank you for preparing the

Re: Icedtea plugin

On 06/08/16 10:38, Markus Koschany wrote: > On 06.08.2016 10:18, Guido Günther wrote: >> Hi, >> On Fri, Aug 05, 2016 at 11:49:33PM +0200, Emilio Pozuelo Monfort wrote: >>> On 02/08/16 19:48, Emilio Pozuelo Monfort wrote: >>>> On 01/08/16 23:26, Markus Kosch

[SECURITY] [DLA 587-1] fontconfig security update

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: fontconfig Version: 2.9.0-7.1+deb7u1 CVE ID : CVE-2016-5384 Debian Bug : 833570 A possible double free vulnerability was found in fontconfig. The problem was due to insufficient validation when parsing the

Re: Security update of firefox-esr for Wheezy

On 07/08/16 22:17, Raphael Hertzog wrote: > On Sun, 07 Aug 2016, Guido Günther wrote: >> I too think I would be good to support Firefox & Icedove until Wheezy >> goes EOL. Wd could backport gcc 4.8 from Jessie with only C/C++ enabled. > > And obviously, we make no change to gcc-defaults. > >

Re: Redis not uploaded and timely security announcements

On 02/08/16 19:16, Chris Lamb wrote: > Chris Lamb wrote: > >>> DLA-577-1 has been issued two days ago but redis hasn't been uploaded >>> yet. > [..] >> Could these checks be automated instead of relying on a diligent >> front-desk..?) > > I've pushed such a script as bin/lts-missing-uploads.py.

Re: Icedtea plugin

On 01/08/16 23:26, Markus Koschany wrote: > On 01.08.2016 23:01, Emilio Pozuelo Monfort wrote: >> On 31/07/16 19:41, Roberto C. Sánchez wrote: >>> On Sun, Jul 31, 2016 at 07:34:28PM +0200, Emilio Pozuelo Monfort wrote: >>>> Hi, >>>> >>>> Curr

Re: CVE-2016-2313 fix wrong

On 28/07/16 14:59, Matus UHLAR - fantomas wrote: >> On 28/07/16 13:35, Matus UHLAR - fantomas wrote: >>> i believe the fix for CVE-2016-2313 in >>> CVE-2016-2313-authentication-bypass.patch is invalid. > > On 28.07.16 14:26, Emilio Pozuelo Monfort wrote: >&

LTS report for July 2016

This month I was allocated 14.70 hours to work on Debian-LTS. I spent 13h doing the following: - Pushed the update for cacti. Investigated regression, waiting for upstream to comment. - Prepared and uploaded update for tardiff - Investigated gdk-pixbuf vulnerability: wheezy not affected (jessie

LTS report for June 2016

This month I was allocated 16 hours to work on Debian-LTS. I spent this time doing the following: - Prepared, tested and uploaded libxslt. - Prepared and tested an update for clamav. However the maintainer asked me to wait until a regression in the Jessie update can be addressed. - Prepared,

Re: openssl wheezy update

On 01/02/17 00:29, Kurt Roeckx wrote: > On Tue, Jan 31, 2017 at 11:13:55PM +0100, Emilio Pozuelo Monfort wrote: >> Hi Kurt, >> >> I have prepared an update of openssl for wheezy based on 1.0.1t-1+deb8u6. I >> have >> done some smoke testing on it and it se

Accepted ntfs-3g 1:2012.1.15AR.5-2.1+deb7u3 (source amd64 all) into oldstable

Maintainer: Daniel Baumann <daniel.baum...@progress-technologies.net> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: ntfs-3g- read/write NTFS driver for FUSE ntfs-3g-dbg - read/write NTFS driver for FUSE (debug) ntfs-3g-dev - read/write NTFS driver for FUSE (develo

[SECURITY] [DLA 811-1] libplist security update

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: libplist Version: 1.8-1+deb7u1 CVE ID : CVE-2017-5209 CVE-2017-5545 Debian Bug : 851196 852385 The following vulnerabilities have been fixed in libplist: CVE-2017-5209 Out of bounds read when parsing

Accepted ikiwiki 3.20120629.2+deb7u2 (source all) into oldstable

, in particular t/git-cgi.t. (patch from Lafayette Chamber Singers Webmaster, backported from 3.20140916) . [ Emilio Pozuelo Monfort ] * Upload to wheezy-security. Checksums-Sha1: 3a9e3121597b333b76aee80d244f76475b7591b3 2095 ikiwiki_3.20120629.2+deb7u2.dsc 6b12392969ff8ea2f5a5f3

Re: Print undetermined issues in lts-cve-triage

On 03/02/17 10:58, Guido Günther wrote: > Hi, > while looking at the recent changes in data/CVE/list I noticed a bunch > of gstreamer issues being added but not showing up in the output > produced by lts-cve-triage. Reason was that they're marked as > undetermined. The attached patch adds

[SECURITY] [DLA 812-1] ikiwiki security update

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: ikiwiki Version: 3.20120629.2+deb7u2 CVE ID : CVE-2016-9646 CVE-2016-10026 CVE-2017-0356 Several vulnerabilities have been found in ikiwiki, a wiki compiler: CVE-2016-9646 Commit metadata forgery

Re: [Secure-testing-commits] r48631 - in data: . CVE

Hi Balint, On 31/01/17 21:46, Balint Reczey wrote: > Log: > wavpack's issues don't affect wheezy > > The first part of the upstream patch is not needed since the > code is very different and not vulnerable. > The second part applies, but does not make any difference when > trying the exploits.

Re: graphicsmagick update

On 16/01/17 20:48, Antoine Beaupré wrote: > Hi, > > I've looked at updating the graphicsmagick (GM) update to fix the issues > outlined in a [recent discussion][1]. The fix to CVE-2016-5240.patch is > trivial. I can also confirm the current GM version in wheezy-security > segfaults with the POC.

LTS report for January

Hi, This month I was allocated 12.75h (plus 2.5h carried from last month). I spent this time doing the following: - DLA 684-2: libx11 regression update - DLA 784-1: gcc-mozilla new package - DLA 800-1: firefox-esr security update - DLA 801-1: libxpm security update - DLA 802-1: openjdk-7

[SECURITY] [DLA 815-1] ntfs-3g security update

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: ntfs-3g Version: 1:2012.1.15AR.5-2.1+deb7u3 CVE ID : CVE-2017-0358 Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write NTFS driver for FUSE, does not scrub the environment before executing

openssl wheezy update

; urgency=medium + + * Non-maintainer upload by the LTS team. + * Backport changes from 1.0.1t-1+deb8u6: + * Fix CVE-2016-8610 + * Fix CVE-2017-3731 + * Fix CVE-2016-7056 + + -- Emilio Pozuelo Monfort <po...@debian.org> Tue, 31 Jan 2017 22:04:44 +0100 + openssl (1.0.1t-1+deb7u1) wheezy-se

[SECURITY] [DLA 800-1] firefox-esr security update

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: firefox-esr Version: 45.7.0esr-1~deb7u1 CVE ID : CVE-2017-5373 CVE-2017-5375 CVE-2017-5376 CVE-2017-5378 CVE-2017-5380 CVE-2017-5383 CVE-2017-5386 CVE-2017-5390 CVE-2017-5396

Accepted lcms2 2.2+git20110628-2.2+deb7u2 (source amd64) into oldstable

Moskalenko <ma...@debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: liblcms2-2 - Little CMS 2 color management library liblcms2-dev - Little CMS 2 color management library development headers liblcms2-utils - Little CMS 2 olor management library Changes:

[SECURITY] [DLA 802-1] openjdk-7 security update

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: openjdk-7 Version: 7u121-2.6.8-1~deb7u1 openjdk-7 7u111-2.6.7-2~deb7u1 backported the security fixes from 7u121. openjdk-7 has now been updated to the full 7u121 version, which includes extra bug fixes and other

[SECURITY] [DLA 801-1] libxpm security update

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: libxpm Version: 1:3.5.10-1+deb7u1 CVE ID : CVE-2016-10164 Tobias Stoeckmann discovered a vulnerability in the libXpm library that could cause a malicious attacker to execute arbitrary code via a specially crafted

[SECURITY] [DLA 803-1] lcms2 security update

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: lcms2 Version: 2.2+git20110628-2.2+deb7u2 CVE ID : CVE-2016-10165 Debian Bug : https://bugs.debian.org/852627 An out of bounds read was found in lcms2, which can lead to heap memory leak or denial of service via

Re: Accepted openjdk-7 7u121-2.6.8-1~deb7u1 (source all amd64) into oldstable

On 27/01/17 22:18, Ola Lundqvist wrote: > Hi Emilio > > I saw that you have uploaded a new openjdk-7 package. Were that > package supposed to fix the current issues reported for openjdk-7 or > was that corrections for earlier version? It doesn't fix the latest round of CVEs. > I'm asking

Re: Accepted tcpdump 4.9.0-1~deb7u1 (amd64 source) into oldstable

On 30/01/17 22:19, Ola Lundqvist wrote: > Hi > > Will you send the DLA or do you want me to do that? Adding Romain to Cc. Cheers, Emilio > > // Ola > > On 30 January 2017 at 19:40, Romain Francoise wrote: > Format: 1.8 > Date: Sun, 29 Jan 2017 22:17:21 +0100 > Source:

Accepted openjdk-7 7u121-2.6.8-1~deb7u1 (source all amd64) into oldstable

openjdk-7-jre-zero Architecture: source all amd64 Version: 7u121-2.6.8-1~deb7u1 Distribution: wheezy-security Urgency: medium Maintainer: OpenJDK Team <open...@lists.launchpad.net> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: icedtea-7-jre-cacao - Transiti

Accepted libxpm 1:3.5.10-1+deb7u1 (source amd64) into oldstable

<debia...@lists.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: libxpm-dev - X11 pixmap library (development headers) libxpm4- X11 pixmap library libxpm4-dbg - X11 pixmap library (debug package) xpmutils - X11 pixmap utilities Changes: libxpm

Accepted firefox-esr 45.7.0esr-1~deb7u1 (source all amd64) into oldstable

: wheezy-security Urgency: medium Maintainer: Maintainers of Mozilla-related packages <pkg-mozilla-maintain...@lists.alioth.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: firefox-esr - Mozilla Firefox web browser - Extended Support Release (ESR) fir

Re: postponing php5 issue

On 22/02/17 20:48, Antoine Beaupré wrote: > On 2017-02-21 21:57:23, Emilio Pozuelo Monfort wrote: >> On 20/02/17 23:19, Antoine Beaupré wrote: >>> It seems a bit too much to do a DLA for a single issue in the php5 >>> package (CVE-2016-7478, namely): >>> >

Accepted gst-plugins-bad0.10 0.10.23-7.1+deb7u5 (source all amd64) into oldstable

Architecture: source all amd64 Version: 0.10.23-7.1+deb7u5 Distribution: wheezy-security Urgency: medium Maintainer: Maintainers of GStreamer packages <pkg-gstreamer-maintain...@lists.alioth.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: gstreamer0.10-plugins-bad

Accepted gst-plugins-base0.10 0.10.36-1.1+deb7u2 (source all amd64) into oldstable

ain...@lists.alioth.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: gir1.2-gst-plugins-base-0.10 - Description: GObject introspection data for the GStreamer Plugins gstreamer0.10-alsa - GStreamer plugin for ALSA gstreamer0.10-gnomevfs - GStreamer plugin

Accepted gst-plugins-good0.10 0.10.31-3+nmu1+deb7u2 (source all amd64) into oldstable

amd64 Version: 0.10.31-3+nmu1+deb7u2 Distribution: wheezy-security Urgency: medium Maintainer: Maintainers of GStreamer packages <pkg-gstreamer-maintain...@lists.alioth.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: gstreamer0.10-gconf - GStreamer plugin

Accepted gst-plugins-ugly0.10 0.10.19-2+deb7u1 (source all amd64) into oldstable

: wheezy-security Urgency: medium Maintainer: Maintainers of GStreamer packages <pkg-gstreamer-maintain...@lists.alioth.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: gstreamer0.10-plugins-ugly - GStreamer plugins from the "ugly" set gstreame

Re: postponing php5 issue

On 20/02/17 23:19, Antoine Beaupré wrote: > It seems a bit too much to do a DLA for a single issue in the php5 > package (CVE-2016-7478, namely): > > https://security-tracker.debian.org/tracker/source-package/php5 > > I looked at the issue and the patch is easily ported, but i suggest we >

Re: Print undetermined issues in lts-cve-triage

On 03/02/17 16:37, Guido Günther wrote: > On Fri, Feb 03, 2017 at 12:25:19PM +0100, Emilio Pozuelo Monfort wrote: >> On 03/02/17 10:58, Guido Günther wrote: >>> Hi, >>> while looking at the recent changes in data/CVE/list I noticed a bunch >>> of gstreamer i

Accepted openjdk-7 7u121-2.6.8-2~deb7u1 (source all amd64) into oldstable

openjdk-7-jre-zero Architecture: source all amd64 Version: 7u121-2.6.8-2~deb7u1 Distribution: wheezy-security Urgency: medium Maintainer: OpenJDK Team <open...@lists.launchpad.net> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: icedtea-7-jre-cacao - Transiti

Re: Fixing CVE-2017-5522 (stack buffer overflow) for mapserver in wheezy

On 19/01/17 08:14, Sebastiaan Couwenberg wrote: > On 01/18/2017 10:17 PM, Ola Lundqvist wrote: >> Yes they are ok for wheezy-security. Thank you for your support. > > I've updated the secure-testing repo for this issue and sent the DLA. I haven't seen the DLA. Did you gpg-sign it? If you sent it

Re: nvidia-graphics-drivers 304.135 proposed packages for wheezy-lts

Hi Andreas, On 26/02/17 00:03, Andreas Beckmann wrote: > Hi, > > here comes the next round: > > On 2017-01-10 16:13, Andreas Beckmann wrote: >> I've prepared a new upstream release of the proprietary nvidia graphics >> driver for wheezy-lts. This will fix several security bugs: > >* New

Accepted cacti 0.8.8a+dfsg-5+deb7u10 (source all) into oldstable

org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: cacti - web interface for graphing of monitoring systems Changes: cacti (0.8.8a+dfsg-5+deb7u10) wheezy-security; urgency=medium . * CVE-2016-2313-guest-auth.patch: + Fix regression in the fix for C

Re: updates to find-work

On 07/09/16 00:01, Brian May wrote: > Hello, > > Do we have any sort of handle formal updates to find-work? > > If not, does anybody have any objections if I were to commit the > following change? It adds a --unassigned command line option that only > lists packages that are not taken by

Re: Security update of firefox-esr for Wheezy

On 08/08/16 10:20, Raphael Hertzog wrote: > On Mon, 08 Aug 2016, Emilio Pozuelo Monfort wrote: >>> Shall we mark gcc-4.8 as unsupported in wheezy, explaining that its only >>> purpose is to enable build of other packages? >> >> That would make sense. &g

LTS report for August 2016

Hi, This month I was allocated 14.75 hours to work on Debian-LTS. I spent 13.5 hours doing the following: - openjdk-7: after some back and forth, finally pushed the update for openjdk-7 - icedtea-web: pushed the update to make icedtea-plugin default to openjdk-7 - fontconfig: prepared, tested

[SECURITY] [DLA 606-1] tiff security update

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: tiff Version: 4.0.2-6+deb7u6 CVE ID : CVE-2016-3991 CVE-2016-5314 CVE-2016-5315 CVE-2016-5316 CVE-2016-5317 CVE-2016-5320 CVE-2016-5321 CVE-2016-5322 CVE-2016-5323 CVE-2016-5875

Re: status of tzdata packages in wheezy

On 26/10/16 10:58, Emilio Pozuelo Monfort wrote: > Hi Erdem, > > On 26/10/16 08:31, Erdem Bayer wrote: >> Hello >> >> As explained in debian bug 838781, Turkey choosed to change its DST policy >> and >> will not be updating the time at the end of this mon

LTS Report for October 2016

Hi, In this month I was allocated 13h, which I spent doing the following: - Finished the update I had started to libarchive - Tested libxml2 packages - Updated X11 packages (libx11, libxi, libxtst), fixing some regressions in the security patches:

Accepted libxi 2:1.6.1-1+deb7u2 (source amd64) into oldstable

<debia...@lists.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: libxi-dev - X11 Input extension library (development headers) libxi6 - X11 Input extension library libxi6-dbg - X11 Input extension library (debug package) libxi6-udeb - X11 Input exten

[SECURITY] [DLA 681-1] tzdata new upstream version

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: tzdata Version: 2016h-0+deb7u1 This update includes the changes in tzdata up to 2016h. Notable changes are: - Asia/Gaza and Asia/Hebron (DST ending on 2016-10-29 at 01:00, not 2016-10-21 at 00:00). - Europe/Istanbul

Accepted tzdata 2016h-0+deb7u1 (source all) into oldstable

-gl...@lists.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: tzdata - time zone and daylight-saving time data tzdata-java - time zone and daylight-saving time data for use by java runtimes Closes: 838781 Changes: tzdata (2016h-0+deb7u1) wheezy-security; urgency=medium

Accepted libdatetime-timezone-perl 1:1.58-1+2016h (source all) into oldstable

pkg-perl-maintain...@lists.alioth.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: libdatetime-timezone-perl - framework exposing the Olson time zone database to Perl Changes: libdatetime-timezone-perl (1:1.58-1+2016h) wheezy-security; urgency=medium .

[SECURITY] [DLA 702-1] tzdata new upstream version

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: tzdata Version: 2016i-0+deb7u1 This update includes the changes in tzdata 2016i. Notable changes are: - Pacific/Tongatapu (DST starting on 2016-11-06 at 02:00). - Northern Cyprus is now +03 year round, the Asia/Famagusta

[SECURITY] [DLA 700-1] libxslt security update

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: libxslt Version: 1.1.26-14.1+deb7u2 CVE ID : CVE-2016-4738 Debian Bug : 842570 A heap overread bug was found in libxslt, which can cause arbitrary code execution or denial of service. For Debian 7 "Wheezy",

Accepted libxslt 1.1.26-14.1+deb7u2 (source amd64) into oldstable

: medium Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: libxslt1-dbg - XSLT 1.0 processing library - debugging symbols libxslt1-dev - XSLT 1.0 processing library - development kit

Re: testing libxml2 for Wheezy LTS

Hi Thorsten, On 23/10/16 20:04, Thorsten Alteholz wrote: > Hi everybody, > > I uploaded version 2.8.0+dfsg1-7+wheezy7 of libxml2 to: > > https://people.debian.org/~alteholz/packages/wheezy-lts/libxml2/amd64/ > > Please give it a try and tell me about any problems you met. It would be nice >

September report

Hi, September was a bad month for me, and I only managed to spend 1h out of 12.30h, working on the libarchive update. I am returning the rest of the time to the pool so it can be allocated among the contributors next month. Sorry for that and for the delay in the report, I should be back to

[SECURITY] [DLA 712-1] gst-plugins-bad0.10 security update

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: gst-plugins-bad0.10 Version: 0.10.23-7.1+deb7u3 CVE ID : CVE-2016-9445 CVE-2016-9446 CVE-2016-9447 CVE-2016-9445 CVE-2016-9446 Chris Evans discovered that the GStreamer plugin to decode VMware screen

Re: libarchive12: ldconfig warns that libarchive.so.12 is not a symbolic link

gt; virtualbox VM with the build directory mounted as vboxsf share mount. > Apparently, symlinks get screwed up up on vboxsf mounts. > > Another LTS update of libarchive is underway anyway, Emilio Pozuelo > Monfort is working on it. I suggest to wait until his upload, which will > fix the bug

Accepted libarchive 3.0.4-3+wheezy4 (source amd64) into oldstable

Maintainers <ah-libarch...@debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: bsdcpio- Implementation of the 'cpio' program from FreeBSD bsdtar - Implementation of the 'tar' program from FreeBSD libarchive-dev - Multi-format archive and compres

[SECURITY] [DLA 725-1] tzdata new upstream version

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: tzdata Version: 2016j-0+deb7u1 This update includes the changes in tzdata 2016j. Notable changes are: - Saratov, Russia switches from +03 to +04 on 2016-12-04 at 02:00. For Debian 7 "Wheezy", these problems have been

[SECURITY] [DLA 735-1] gst-plugins-base0.10 security update

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: gst-plugins-base0.10 Version: 0.10.36-1.1+deb7u1 CVE ID : CVE-2016-9811 An out of bounds heap read issue was found in gst-plugins-base0.10. For Debian 7 "Wheezy", these problems have been fixed in version

[SECURITY] [DLA 743-1] firefox-esr security update

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: firefox-esr Version: 45.6.0esr-1~deb7u1 CVE ID : CVE-2016-9893 CVE-2016-9895 CVE-2016-9897 CVE-2016-9898 CVE-2016-9899 CVE-2016-9900 CVE-2016-9901 CVE-2016-9902 CVE-2016-9904

Accepted game-music-emu 0.5.5-2+deb7u1 (source amd64) into oldstable

org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: libgme-dev - Playback library for video game music files - development files libgme0- Playback library for video game music files - shared library Changes: game-music-emu (0.5.5-2+deb7u1) wheezy-security; ur

Accepted firefox-esr 45.6.0esr-1~deb7u1 (source all amd64) into oldstable

: wheezy-security Urgency: medium Maintainer: Maintainers of Mozilla-related packages <pkg-mozilla-maintain...@lists.alioth.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: firefox-esr - Mozilla Firefox web browser - Extended Support Release (ESR) fir

[SECURITY] [DLA 684-2] libx11 regression update

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: libx11 Version: 2:1.5.0-1+deb7u4 A possible invalid free was introduced in libx11 2:1.5.0-1+deb7u3, which could lead to application crashes or other issues. For Debian 7 "Wheezy", these problems have been fixed in version

Accepted libx11 2:1.5.0-1+deb7u4 (source amd64 all) into oldstable

Distribution: wheezy-security Urgency: medium Maintainer: Debian X Strike Force <debia...@lists.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: libx11-6 - X11 client-side library libx11-6-dbg - X11 client-side library (debug package) libx11-6-udeb - X11

Accepted gcc-mozilla 4.8.4-0deb7u1 (source amd64) into oldstable, oldstable

org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: gcc-mozilla - GCC, the GNU Compiler Collection Changes: gcc-mozilla (4.8.4-0deb7u1) wheezy-security; urgency=medium . * Upload to Debian wheezy for firefox-esr and icedove. Ch

Re: Versioning of new releases in (old)stable (Was: nss security update package ready for review)

On 01/12/16 16:25, Jonas Meurer wrote: > Hi Security and LTS folks, > > Am 01.12.2016 um 15:54 schrieb Salvatore Bonaccorso: >> On Wed, Nov 30, 2016 at 04:05:20PM -0500, Antoine Beaupré wrote: >>> +nss (2:3.26.2-1+debu7u1) UNRELEASED; urgency=high >>> + >>> + * Non-maintainer upload by the LTS

Accepted firefox-esr 45.5.1esr-1~deb7u1 (source all amd64) into oldstable

: wheezy-security Urgency: medium Maintainer: Maintainers of Mozilla-related packages <pkg-mozilla-maintain...@lists.alioth.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: firefox-esr - Mozilla Firefox web browser - Extended Support Release (ESR) fir

[SECURITY] [DLA 727-1] gst-plugins-good0.10 security update

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: gst-plugins-good0.10 Version: 0.10.31-3+nmu1+deb7u1 CVE ID : CVE-2016-9634 CVE-2016-9635 CVE-2016-9636 Chris Evans discovered that the GStreamer 0.10 plugin used to decode files in the FLIC format allowed execution

[SECURITY] [DLA 730-1] firefox-esr security update

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: firefox-esr Version: 45.5.1esr-1~deb7u1 CVE ID : CVE-2016-5290 CVE-2016-5291 CVE-2016-5296 CVE-2016-5297 CVE-2016-9064 CVE-2016-9066 Multiple security issues have been found in the Mozilla Firefox

[SECURITY] [DLA 726-1] libdatetime-timezone-perl new upstream version

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: libdatetime-timezone-perl Version: 1:1.58-1+2016j This update includes the changes in tzdata 2016j for the Perl bindings. For the list of changes, see DLA-725-1. For Debian 7 "Wheezy", these problems have been fixed in

Accepted libdatetime-timezone-perl 1:1.58-1+2016j (source all) into oldstable

pkg-perl-maintain...@lists.alioth.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: libdatetime-timezone-perl - framework exposing the Olson time zone database to Perl Changes: libdatetime-timezone-perl (1:1.58-1+2016j) wheezy-security; urgency=medium .

LTS report for December

Hi, In this month I was allocated 13.5h. I spent 11h doing the following: - DLA-735-1: gst-plugins-base0.10 update - DLA-736-1: gst-plugins-bad0.10 update - DLA-743-1: firefox-esr update - DLA-750-1: game-music-emu update - DLA-685-2: libxi regression update - imagemagick: fixed a wrongly fixed

Re: Wheezy update of imagemagick?

On 28/12/16 23:08, Roberto C. Sánchez wrote: > Hi Ola, > > The issues CVE-2016-8677 and CVE-2016-9559 were fixed by Antione when he > uploaded that latest imagemagick update to LTS. However, the > announcement (DLA-756-1) did not list those issues among the issues that > were addressed by that

Re: Wheezy update of imagemagick?

On 29/12/16 23:19, Ola Lundqvist wrote: > Hi again Emilio > > Sorry for the spam. A new CVE just arrived. I'll add back imagemagick > for you to check CVE-2016-10062 instead. Yes, that's right. Though there wasn't a complete fix as of yesterday (see Salvatore's comment in the upstream bug).

[SECURITY] [DLA 750-1] game-music-emu security update

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: game-music-emu Version: 0.5.5-2+deb7u1 CVE ID : CVE-2016-9957 CVE-2016-9958 CVE-2016-9959 CVE-2016-9960 CVE-2016-9961 Chris Evans found several issues in the emulation code in game-music-emu that

Re: Wheezy update of ca-certificates?

On 25/03/17 09:32, Paul Wise wrote: > Hi all, > > I note that there have been some CA removals and additions that would > be nice to have in wheezy, in particular the ISRG Root for LE, thoughts? I was just thinking about an update of ca-certificates on wheezy yesterday, but due to the removal

Re: Bug#858973: wheezy-pu: package ejabberd/2.1.10-4+deb7u2

On 29/03/17 10:12, Philipp Huebner wrote: > Package: release.debian.org > Severity: normal > Tags: wheezy > User: release.debian@packages.debian.org > Usertags: pu > > Hi, > > I'm not sure if another point update for Wheezy is planned or if this is > a case for the LTS team, but I would like

Accepted libdatetime-timezone-perl 1:1.58-1+2017a (source all) into oldstable

pkg-perl-maintain...@lists.alioth.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: libdatetime-timezone-perl - framework exposing the Olson time zone database to Perl Changes: libdatetime-timezone-perl (1:1.58-1+2017a) wheezy-security; urgency=medium .

Accepted tzdata 2017a-0+deb7u1 (source all) into oldstable

-gl...@lists.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: tzdata - time zone and daylight-saving time data tzdata-java - time zone and daylight-saving time data for use by java runtimes Changes: tzdata (2017a-0+deb7u1) wheezy-security; urgency=medium . * New upst

[SECURITY] [DLA 856-1] tzdata new upstream version

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: tzdata Version: 2017a-0+deb7u1 This update includes the changes in tzdata 2017a. Notable changes are: - Mongolia no longer observes DST. - Magallanes region diverges from Santiago starting 2017-05-13, the

[SECURITY] [DLA 857-1] libdatetime-timezone-perl new upstream version

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: libdatetime-timezone-perl Version: 1:1.58-1+2017a This update includes the changes in tzdata 2017a for the Perl bindings. For the list of changes, see DLA-856-1. For Debian 7 "Wheezy", these problems have been fixed in

Accepted chicken 4.7.0-1+deb7u2 (source amd64) into oldstable

t;e...@debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: chicken-bin - Practical and portable Scheme system - compiler libchicken-dev - Practical and portable Scheme system - development libchicken6 - Practical and portable Scheme system - runtime Change

[SECURITY] [DLA 908-1] chicken security update

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: chicken Version: 4.7.0-1+deb7u2 CVE ID : CVE-2017-6949 Debian Bug : 858057 It was found that CHICKEN did not sanitize the size argument when allocating SRFI-4 vectors, which could lead to segfaults or buffer

Accepted libcroco 0.6.6-2+deb7u1 (source amd64) into oldstable

<pkg-gnome-maintain...@lists.alioth.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: libcroco-tools - Cascading Style Sheet (CSS) parsing and manipulation toolkit - ut libcroco3 - Cascading Style Sheet (CSS) parsing and manipulation toolkit l

Mysql 5.5.55

Hi Lars, I see that you already started preparing MySQL 5.5.55 for wheezy in https://anonscm.debian.org/cgit/pkg-mysql/mysql-5.5.git/log/?h=debian/wheezy If you want I can upload the package and send the announcement. Just let me know when you're done with the update (at least I think the

[SECURITY] [DLA 909-1] libcroco security update

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: libcroco Version: 0.6.6-2+deb7u1 CVE ID : CVE-2017-7960 CVE-2017-7961 Debian Bug : 860961 CVE-2017-7960 A heap-based buffer over-read vulnerability could be triggered remotely via a crafted CSS file to

Re: Wheezy update of batik?

On 23/04/17 21:50, Ola Lundqvist wrote: > Dear maintainer(s), > > The Debian LTS team would like to fix the security issues which are > currently open in the Wheezy version of batik: > https://security-tracker.debian.org/tracker/CVE-2017-5662 FWIW I investigated this a bit and there doesn't seem

Accepted libreoffice 1:3.5.4+dfsg2-0+deb7u9 (source all amd64) into oldstable

-evolution libreoffice-filter-binfilter Architecture: source all amd64 Version: 1:3.5.4+dfsg2-0+deb7u9 Distribution: wheezy-security Urgency: high Maintainer: Debian LibreOffice Maintainers <debian-openoff...@lists.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Descript

[SECURITY] [DLA 906-1] firefox-esr security update

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: firefox-esr Version: 45.9.0esr-1~deb7u1 CVE ID : CVE-2017-5429 CVE-2017-5432 CVE-2017-5433 CVE-2017-5434 CVE-2017-5435 CVE-2017-5436 CVE-2017-5438 CVE-2017-5439 CVE-2017-5440

  1   2   3   4   5   6   7   8   9   10   >