-2016-3172: Fix sql injection in tree.php.
+debian/patches/CVE-2016-3659-sql-injection.patch
++ CVE-2016-3659: Fix sql injection in graph_view.php.
+
+ -- Emilio Pozuelo Monfort <po...@debian.org> Sat, 25 Jun 2016 21:57:43 +0200
+
cacti (0.8.8a+dfsg-5+deb7u8) wheezy-security; urgency
On 26/06/16 02:19, Bálint Réczey wrote:
> Hi,
>
> There are newly discovered vulnerabilities in tiff [1].
>
> If no one objects I plan looking into them and working with the
> maintainer(s) to get them fixed in Wheezy LTS and in newer
> releases.
I looked at this yesterday. These CVEs aren't
On 26/06/16 09:23, Paul Gevers wrote:
> Hi Emilio
>
> On 25-06-16 22:03, Emilio Pozuelo Monfort wrote:
>>> Just in case somebody starts working on it, I'd like to review proposed
>>> uploads of cacti to LTS. CVE-2016-2313 was initially wrongly fixed (a
>>>
On 26/06/16 16:10, Bálint Réczey wrote:
> Added that information in dla-needed.txt.
Thanks. I added links to each cve in data/CVE/list but forgot to add a note to
dla-needed.
> In that case I don't claim them yet. Let's see how upstream responds.
OK.
Cheers,
Emilio
On 01/08/16 21:29, Moritz Mühlenhoff wrote:
> Hi,
> when making uploads with an identical tarball in lts and stable-security
> you really need to coordinate with t...@security.debian.org! Due to dak's
> crappy orig tarball handling only one of the uploads can be made with the
> tarball included and if
On 02/08/16 23:57, Ola Lundqvist wrote:
> Hi Chris
>
> The reason I do not simply set the umask to a fixed value is to use the same
> principle as upstream. That is, honor the umask set by the user. There may be
> reasons why group read and/or write should be set for example.
>
> I agree with
On 31/07/16 19:41, Roberto C. Sánchez wrote:
> On Sun, Jul 31, 2016 at 07:34:28PM +0200, Emilio Pozuelo Monfort wrote:
>> Hi,
>>
>> Currently, icedtea-plugin depends on icedtea-6-plugin, i.e. Java6. Given
>> openjdk-6 is unsupported, we should change it to depend on
Hi,
On 15/07/16 00:26, b...@decadent.org.uk wrote:
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of gdk-pixbuf:
> https://security-tracker.debian.org/tracker/source-package/gdk-pixbuf
>
> Would you like
On 02/08/16 19:48, Emilio Pozuelo Monfort wrote:
> On 01/08/16 23:26, Markus Koschany wrote:
>> On 01.08.2016 23:01, Emilio Pozuelo Monfort wrote:
>>> On 31/07/16 19:41, Roberto C. Sánchez wrote:
>>>> On Sun, Jul 31, 2016 at 07:34:28PM +0200, Emilio P
On 04/08/16 23:02, Mike Hommey wrote:
> On Thu, Aug 04, 2016 at 07:50:28PM +0200, Guido Günther wrote:
>> Hi,
>> On Thu, Aug 04, 2016 at 06:32:14PM +0900, Mike Hommey wrote:
>>> On Thu, Aug 04, 2016 at 11:04:47AM +0200, Markus Koschany wrote:
Hello Mike,
Thank you for preparing the
On 06/08/16 10:38, Markus Koschany wrote:
> On 06.08.2016 10:18, Guido Günther wrote:
>> Hi,
>> On Fri, Aug 05, 2016 at 11:49:33PM +0200, Emilio Pozuelo Monfort wrote:
>>> On 02/08/16 19:48, Emilio Pozuelo Monfort wrote:
>>>> On 01/08/16 23:26, Markus Kosch
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: fontconfig
Version: 2.9.0-7.1+deb7u1
CVE ID : CVE-2016-5384
Debian Bug : 833570
A possible double free vulnerability was found in fontconfig. The
problem was due to insufficient validation when parsing the
On 07/08/16 22:17, Raphael Hertzog wrote:
> On Sun, 07 Aug 2016, Guido Günther wrote:
>> I too think it would be good to support Firefox & Icedove until Wheezy
>> goes EOL. We could backport gcc 4.8 from Jessie with only C/C++ enabled.
>
> And obviously, we make no change to gcc-defaults.
>
>
On 02/08/16 19:16, Chris Lamb wrote:
> Chris Lamb wrote:
>
>>> DLA-577-1 has been issued two days ago but redis hasn't been uploaded
>>> yet.
> [..]
>> Could these checks be automated instead of relying on a diligent
>> front-desk..?)
>
> I've pushed such a script as bin/lts-missing-uploads.py.
On 01/08/16 23:26, Markus Koschany wrote:
> On 01.08.2016 23:01, Emilio Pozuelo Monfort wrote:
>> On 31/07/16 19:41, Roberto C. Sánchez wrote:
>>> On Sun, Jul 31, 2016 at 07:34:28PM +0200, Emilio Pozuelo Monfort wrote:
>>>> Hi,
>>>>
>>>> Curr
On 28/07/16 14:59, Matus UHLAR - fantomas wrote:
>> On 28/07/16 13:35, Matus UHLAR - fantomas wrote:
>>> i believe the fix for CVE-2016-2313 in
>>> CVE-2016-2313-authentication-bypass.patch is invalid.
>
> On 28.07.16 14:26, Emilio Pozuelo Monfort wrote:
>
This month I was allocated 14.70 hours to work on Debian-LTS. I spent 13h doing
the following:
- Pushed the update for cacti. Investigated regression, waiting for upstream to
comment.
- Prepared and uploaded update for tardiff
- Investigated gdk-pixbuf vulnerability: wheezy not affected (jessie
This month I was allocated 16 hours to work on Debian-LTS. I spent this time
doing the following:
- Prepared, tested and uploaded libxslt.
- Prepared and tested an update for clamav. However the maintainer asked me to
wait until a regression in the Jessie update can be addressed.
- Prepared,
On 01/02/17 00:29, Kurt Roeckx wrote:
> On Tue, Jan 31, 2017 at 11:13:55PM +0100, Emilio Pozuelo Monfort wrote:
>> Hi Kurt,
>>
>> I have prepared an update of openssl for wheezy based on 1.0.1t-1+deb8u6. I
>> have
>> done some smoke testing on it and it se
Maintainer: Daniel Baumann <daniel.baum...@progress-technologies.net>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
ntfs-3g- read/write NTFS driver for FUSE
ntfs-3g-dbg - read/write NTFS driver for FUSE (debug)
ntfs-3g-dev - read/write NTFS driver for FUSE (develo
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: libplist
Version: 1.8-1+deb7u1
CVE ID : CVE-2017-5209 CVE-2017-5545
Debian Bug : 851196 852385
The following vulnerabilities have been fixed in libplist:
CVE-2017-5209
Out of bounds read when parsing
, in particular t/git-cgi.t.
(patch from Lafayette Chamber Singers Webmaster, backported from
3.20140916)
.
[ Emilio Pozuelo Monfort ]
* Upload to wheezy-security.
Checksums-Sha1:
3a9e3121597b333b76aee80d244f76475b7591b3 2095 ikiwiki_3.20120629.2+deb7u2.dsc
6b12392969ff8ea2f5a5f3
On 03/02/17 10:58, Guido Günther wrote:
> Hi,
> while looking at the recent changes in data/CVE/list I noticed a bunch
> of gstreamer issues being added but not showing up in the output
> produced by lts-cve-triage. Reason was that they're marked as
> undetermined. The attached patch adds
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: ikiwiki
Version: 3.20120629.2+deb7u2
CVE ID : CVE-2016-9646 CVE-2016-10026 CVE-2017-0356
Several vulnerabilities have been found in ikiwiki, a wiki compiler:
CVE-2016-9646
Commit metadata forgery
Hi Balint,
On 31/01/17 21:46, Balint Reczey wrote:
> Log:
> wavpack's issues don't affect wheezy
>
> The first part of the upstream patch is not needed since the
> code is very different and not vulnerable.
> The second part applies, but does not make any difference when
> trying the exploits.
On 16/01/17 20:48, Antoine Beaupré wrote:
> Hi,
>
> I've looked at updating the graphicsmagick (GM) update to fix the issues
> outlined in a [recent discussion][1]. The fix to CVE-2016-5240.patch is
> trivial. I can also confirm the current GM version in wheezy-security
> segfaults with the POC.
Hi,
This month I was allocated 12.75h (plus 2.5h carried from last month). I spent
this time doing the following:
- DLA 684-2: libx11 regression update
- DLA 784-1: gcc-mozilla new package
- DLA 800-1: firefox-esr security update
- DLA 801-1: libxpm security update
- DLA 802-1: openjdk-7
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: ntfs-3g
Version: 1:2012.1.15AR.5-2.1+deb7u3
CVE ID : CVE-2017-0358
Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write
NTFS driver for FUSE, does not scrub the environment before executing
; urgency=medium
+
+ * Non-maintainer upload by the LTS team.
+ * Backport changes from 1.0.1t-1+deb8u6:
+ * Fix CVE-2016-8610
+ * Fix CVE-2017-3731
+ * Fix CVE-2016-7056
+
+ -- Emilio Pozuelo Monfort <po...@debian.org> Tue, 31 Jan 2017 22:04:44 +0100
+
openssl (1.0.1t-1+deb7u1) wheezy-se
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: firefox-esr
Version: 45.7.0esr-1~deb7u1
CVE ID : CVE-2017-5373 CVE-2017-5375 CVE-2017-5376 CVE-2017-5378
CVE-2017-5380 CVE-2017-5383 CVE-2017-5386 CVE-2017-5390
CVE-2017-5396
Moskalenko <ma...@debian.org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
liblcms2-2 - Little CMS 2 color management library
liblcms2-dev - Little CMS 2 color management library development headers
liblcms2-utils - Little CMS 2 olor management library
Changes:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: openjdk-7
Version: 7u121-2.6.8-1~deb7u1
openjdk-7 7u111-2.6.7-2~deb7u1 backported the security fixes from
7u121. openjdk-7 has now been updated to the full 7u121 version,
which includes extra bug fixes and other
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: libxpm
Version: 1:3.5.10-1+deb7u1
CVE ID : CVE-2016-10164
Tobias Stoeckmann discovered a vulnerability in the libXpm library
that could cause a malicious attacker to execute arbitrary code
via a specially crafted
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: lcms2
Version: 2.2+git20110628-2.2+deb7u2
CVE ID : CVE-2016-10165
Debian Bug : https://bugs.debian.org/852627
An out of bounds read was found in lcms2, which can lead to heap memory
leak or denial of service via
On 27/01/17 22:18, Ola Lundqvist wrote:
> Hi Emilio
>
> I saw that you have uploaded a new openjdk-7 package. Was that
> package supposed to fix the current issues reported for openjdk-7 or
> was that corrections for earlier version?
It doesn't fix the latest round of CVEs.
> I'm asking
On 30/01/17 22:19, Ola Lundqvist wrote:
> Hi
>
> Will you send the DLA or do you want me to do that?
Adding Romain to Cc.
Cheers,
Emilio
>
> // Ola
>
> On 30 January 2017 at 19:40, Romain Francoise wrote:
> Format: 1.8
> Date: Sun, 29 Jan 2017 22:17:21 +0100
> Source:
openjdk-7-jre-zero
Architecture: source all amd64
Version: 7u121-2.6.8-1~deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: OpenJDK Team <open...@lists.launchpad.net>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
icedtea-7-jre-cacao - Transiti
<debia...@lists.debian.org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
libxpm-dev - X11 pixmap library (development headers)
libxpm4- X11 pixmap library
libxpm4-dbg - X11 pixmap library (debug package)
xpmutils - X11 pixmap utilities
Changes:
libxpm
: wheezy-security
Urgency: medium
Maintainer: Maintainers of Mozilla-related packages
<pkg-mozilla-maintain...@lists.alioth.debian.org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
firefox-esr - Mozilla Firefox web browser - Extended Support Release (ESR)
fir
On 22/02/17 20:48, Antoine Beaupré wrote:
> On 2017-02-21 21:57:23, Emilio Pozuelo Monfort wrote:
>> On 20/02/17 23:19, Antoine Beaupré wrote:
>>> It seems a bit too much to do a DLA for a single issue in the php5
>>> package (CVE-2016-7478, namely):
>>>
>
Architecture: source all amd64
Version: 0.10.23-7.1+deb7u5
Distribution: wheezy-security
Urgency: medium
Maintainer: Maintainers of GStreamer packages
<pkg-gstreamer-maintain...@lists.alioth.debian.org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
gstreamer0.10-plugins-bad
ain...@lists.alioth.debian.org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
gir1.2-gst-plugins-base-0.10 - Description: GObject introspection data for the
GStreamer Plugins
gstreamer0.10-alsa - GStreamer plugin for ALSA
gstreamer0.10-gnomevfs - GStreamer plugin
amd64
Version: 0.10.31-3+nmu1+deb7u2
Distribution: wheezy-security
Urgency: medium
Maintainer: Maintainers of GStreamer packages
<pkg-gstreamer-maintain...@lists.alioth.debian.org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
gstreamer0.10-gconf - GStreamer plugin
: wheezy-security
Urgency: medium
Maintainer: Maintainers of GStreamer packages
<pkg-gstreamer-maintain...@lists.alioth.debian.org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
gstreamer0.10-plugins-ugly - GStreamer plugins from the "ugly" set
gstreame
On 20/02/17 23:19, Antoine Beaupré wrote:
> It seems a bit too much to do a DLA for a single issue in the php5
> package (CVE-2016-7478, namely):
>
> https://security-tracker.debian.org/tracker/source-package/php5
>
> I looked at the issue and the patch is easily ported, but i suggest we
>
On 03/02/17 16:37, Guido Günther wrote:
> On Fri, Feb 03, 2017 at 12:25:19PM +0100, Emilio Pozuelo Monfort wrote:
>> On 03/02/17 10:58, Guido Günther wrote:
>>> Hi,
>>> while looking at the recent changes in data/CVE/list I noticed a bunch
>>> of gstreamer i
openjdk-7-jre-zero
Architecture: source all amd64
Version: 7u121-2.6.8-2~deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: OpenJDK Team <open...@lists.launchpad.net>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
icedtea-7-jre-cacao - Transiti
On 19/01/17 08:14, Sebastiaan Couwenberg wrote:
> On 01/18/2017 10:17 PM, Ola Lundqvist wrote:
>> Yes they are ok for wheezy-security. Thank you for your support.
>
> I've updated the secure-testing repo for this issue and sent the DLA.
I haven't seen the DLA. Did you gpg-sign it? If you sent it
Hi Andreas,
On 26/02/17 00:03, Andreas Beckmann wrote:
> Hi,
>
> here comes the next round:
>
> On 2017-01-10 16:13, Andreas Beckmann wrote:
>> I've prepared a new upstream release of the proprietary nvidia graphics
>> driver for wheezy-lts. This will fix several security bugs:
>
>* New
org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
cacti - web interface for graphing of monitoring systems
Changes:
cacti (0.8.8a+dfsg-5+deb7u10) wheezy-security; urgency=medium
.
* CVE-2016-2313-guest-auth.patch:
+ Fix regression in the fix for C
On 07/09/16 00:01, Brian May wrote:
> Hello,
>
> Do we have any sort of handle formal updates to find-work?
>
> If not, does anybody have any objections if I were to commit the
> following change? It adds a --unassigned command line option that only
> lists packages that are not taken by
On 08/08/16 10:20, Raphael Hertzog wrote:
> On Mon, 08 Aug 2016, Emilio Pozuelo Monfort wrote:
>>> Shall we mark gcc-4.8 as unsupported in wheezy, explaining that its only
>>> purpose is to enable build of other packages?
>>
>> That would make sense.
>
Hi,
This month I was allocated 14.75 hours to work on Debian-LTS. I spent 13.5 hours
doing the following:
- openjdk-7: after some back and forth, finally pushed the update for openjdk-7
- icedtea-web: pushed the update to make icedtea-plugin default to openjdk-7
- fontconfig: prepared, tested
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: tiff
Version: 4.0.2-6+deb7u6
CVE ID : CVE-2016-3991 CVE-2016-5314 CVE-2016-5315 CVE-2016-5316
CVE-2016-5317 CVE-2016-5320 CVE-2016-5321 CVE-2016-5322
CVE-2016-5323 CVE-2016-5875
On 26/10/16 10:58, Emilio Pozuelo Monfort wrote:
> Hi Erdem,
>
> On 26/10/16 08:31, Erdem Bayer wrote:
>> Hello
>>
>> As explained in debian bug 838781, Turkey chose to change its DST policy
>> and
>> will not be updating the time at the end of this mon
Hi,
In this month I was allocated 13h, which I spent doing the following:
- Finished the update I had started to libarchive
- Tested libxml2 packages
- Updated X11 packages (libx11, libxi, libxtst), fixing some regressions in the
security patches:
<debia...@lists.debian.org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
libxi-dev - X11 Input extension library (development headers)
libxi6 - X11 Input extension library
libxi6-dbg - X11 Input extension library (debug package)
libxi6-udeb - X11 Input exten
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: tzdata
Version: 2016h-0+deb7u1
This update includes the changes in tzdata up to 2016h. Notable
changes are:
- Asia/Gaza and Asia/Hebron (DST ending on 2016-10-29 at 01:00,
not 2016-10-21 at 00:00).
- Europe/Istanbul
-gl...@lists.debian.org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
tzdata - time zone and daylight-saving time data
tzdata-java - time zone and daylight-saving time data for use by java runtimes
Closes: 838781
Changes:
tzdata (2016h-0+deb7u1) wheezy-security; urgency=medium
pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
libdatetime-timezone-perl - framework exposing the Olson time zone database to
Perl
Changes:
libdatetime-timezone-perl (1:1.58-1+2016h) wheezy-security; urgency=medium
.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: tzdata
Version: 2016i-0+deb7u1
This update includes the changes in tzdata 2016i. Notable
changes are:
- Pacific/Tongatapu (DST starting on 2016-11-06 at 02:00).
- Northern Cyprus is now +03 year round, the Asia/Famagusta
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: libxslt
Version: 1.1.26-14.1+deb7u2
CVE ID : CVE-2016-4738
Debian Bug : 842570
A heap overread bug was found in libxslt, which can cause arbitrary
code execution or denial of service.
For Debian 7 "Wheezy",
: medium
Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
libxslt1-dbg - XSLT 1.0 processing library - debugging symbols
libxslt1-dev - XSLT 1.0 processing library - development kit
Hi Thorsten,
On 23/10/16 20:04, Thorsten Alteholz wrote:
> Hi everybody,
>
> I uploaded version 2.8.0+dfsg1-7+wheezy7 of libxml2 to:
>
> https://people.debian.org/~alteholz/packages/wheezy-lts/libxml2/amd64/
>
> Please give it a try and tell me about any problems you met. It would be nice
>
Hi,
September was a bad month for me, and I only managed to spend 1h out of 12.30h,
working on the libarchive update. I am returning the rest of the time to the
pool so it can be allocated among the contributors next month.
Sorry for that and for the delay in the report, I should be back to
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: gst-plugins-bad0.10
Version: 0.10.23-7.1+deb7u3
CVE ID : CVE-2016-9445 CVE-2016-9446 CVE-2016-9447
CVE-2016-9445
CVE-2016-9446
Chris Evans discovered that the GStreamer plugin to decode VMware screen
> virtualbox VM with the build directory mounted as vboxsf share mount.
> Apparently, symlinks get screwed up on vboxsf mounts.
>
> Another LTS update of libarchive is underway anyway, Emilio Pozuelo
> Monfort is working on it. I suggest to wait until his upload, which will
> fix the bug
Maintainers <ah-libarch...@debian.org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
bsdcpio- Implementation of the 'cpio' program from FreeBSD
bsdtar - Implementation of the 'tar' program from FreeBSD
libarchive-dev - Multi-format archive and compres
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: tzdata
Version: 2016j-0+deb7u1
This update includes the changes in tzdata 2016j. Notable
changes are:
- Saratov, Russia switches from +03 to +04 on 2016-12-04 at 02:00.
For Debian 7 "Wheezy", these problems have been
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: gst-plugins-base0.10
Version: 0.10.36-1.1+deb7u1
CVE ID : CVE-2016-9811
An out of bounds heap read issue was found in gst-plugins-base0.10.
For Debian 7 "Wheezy", these problems have been fixed in version
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: firefox-esr
Version: 45.6.0esr-1~deb7u1
CVE ID : CVE-2016-9893 CVE-2016-9895 CVE-2016-9897 CVE-2016-9898
CVE-2016-9899 CVE-2016-9900 CVE-2016-9901 CVE-2016-9902
CVE-2016-9904
org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
libgme-dev - Playback library for video game music files - development files
libgme0- Playback library for video game music files - shared library
Changes:
game-music-emu (0.5.5-2+deb7u1) wheezy-security; ur
: wheezy-security
Urgency: medium
Maintainer: Maintainers of Mozilla-related packages
<pkg-mozilla-maintain...@lists.alioth.debian.org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
firefox-esr - Mozilla Firefox web browser - Extended Support Release (ESR)
fir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: libx11
Version: 2:1.5.0-1+deb7u4
A possible invalid free was introduced in libx11 2:1.5.0-1+deb7u3,
which could lead to application crashes or other issues.
For Debian 7 "Wheezy", these problems have been fixed in version
Distribution: wheezy-security
Urgency: medium
Maintainer: Debian X Strike Force <debia...@lists.debian.org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
libx11-6 - X11 client-side library
libx11-6-dbg - X11 client-side library (debug package)
libx11-6-udeb - X11
org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
gcc-mozilla - GCC, the GNU Compiler Collection
Changes:
gcc-mozilla (4.8.4-0deb7u1) wheezy-security; urgency=medium
.
* Upload to Debian wheezy for firefox-esr and icedove.
Ch
On 01/12/16 16:25, Jonas Meurer wrote:
> Hi Security and LTS folks,
>
> Am 01.12.2016 um 15:54 schrieb Salvatore Bonaccorso:
>> On Wed, Nov 30, 2016 at 04:05:20PM -0500, Antoine Beaupré wrote:
>>> +nss (2:3.26.2-1+debu7u1) UNRELEASED; urgency=high
>>> +
>>> + * Non-maintainer upload by the LTS
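Review bot: the version on the changelog header line, `2:3.26.2-1+debu7u1`, looks like a typo for `+deb7u1`. Under dpkg version comparison `+debu7u1` sorts above every later `+deb7uN` upload, so a subsequent wheezy-security update would not be seen as an upgrade. Suggest correcting the suffix before the entry leaves UNRELEASED.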
: wheezy-security
Urgency: medium
Maintainer: Maintainers of Mozilla-related packages
<pkg-mozilla-maintain...@lists.alioth.debian.org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
firefox-esr - Mozilla Firefox web browser - Extended Support Release (ESR)
fir
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: gst-plugins-good0.10
Version: 0.10.31-3+nmu1+deb7u1
CVE ID : CVE-2016-9634 CVE-2016-9635 CVE-2016-9636
Chris Evans discovered that the GStreamer 0.10 plugin used to decode
files in the FLIC format allowed execution
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: firefox-esr
Version: 45.5.1esr-1~deb7u1
CVE ID : CVE-2016-5290 CVE-2016-5291 CVE-2016-5296 CVE-2016-5297
CVE-2016-9064 CVE-2016-9066
Multiple security issues have been found in the Mozilla Firefox
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: libdatetime-timezone-perl
Version: 1:1.58-1+2016j
This update includes the changes in tzdata 2016j for the
Perl bindings. For the list of changes, see DLA-725-1.
For Debian 7 "Wheezy", these problems have been fixed in
pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
libdatetime-timezone-perl - framework exposing the Olson time zone database to
Perl
Changes:
libdatetime-timezone-perl (1:1.58-1+2016j) wheezy-security; urgency=medium
.
Hi,
In this month I was allocated 13.5h. I spent 11h doing the following:
- DLA-735-1: gst-plugins-base0.10 update
- DLA-736-1: gst-plugins-bad0.10 update
- DLA-743-1: firefox-esr update
- DLA-750-1: game-music-emu update
- DLA-685-2: libxi regression update
- imagemagick: fixed a wrongly fixed
On 28/12/16 23:08, Roberto C. Sánchez wrote:
> Hi Ola,
>
> The issues CVE-2016-8677 and CVE-2016-9559 were fixed by Antoine when he
> uploaded that latest imagemagick update to LTS. However, the
> announcement (DLA-756-1) did not list those issues among the issues that
> were addressed by that
On 29/12/16 23:19, Ola Lundqvist wrote:
> Hi again Emilio
>
> Sorry for the spam. A new CVE just arrived. I'll add back imagemagick
> for you to check CVE-2016-10062 instead.
Yes, that's right. Though there wasn't a complete fix as of yesterday (see
Salvatore's comment in the upstream bug).
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: game-music-emu
Version: 0.5.5-2+deb7u1
CVE ID : CVE-2016-9957 CVE-2016-9958 CVE-2016-9959 CVE-2016-9960
CVE-2016-9961
Chris Evans found several issues in the emulation code in game-music-emu
that
On 25/03/17 09:32, Paul Wise wrote:
> Hi all,
>
> I note that there have been some CA removals and additions that would
> be nice to have in wheezy, in particular the ISRG Root for LE, thoughts?
I was just thinking about an update of ca-certificates on wheezy yesterday, but
due to the removal
On 29/03/17 10:12, Philipp Huebner wrote:
> Package: release.debian.org
> Severity: normal
> Tags: wheezy
> User: release.debian@packages.debian.org
> Usertags: pu
>
> Hi,
>
> I'm not sure if another point update for Wheezy is planned or if this is
> a case for the LTS team, but I would like
pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
libdatetime-timezone-perl - framework exposing the Olson time zone database to
Perl
Changes:
libdatetime-timezone-perl (1:1.58-1+2017a) wheezy-security; urgency=medium
.
-gl...@lists.debian.org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
tzdata - time zone and daylight-saving time data
tzdata-java - time zone and daylight-saving time data for use by java runtimes
Changes:
tzdata (2017a-0+deb7u1) wheezy-security; urgency=medium
.
* New upst
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: tzdata
Version: 2017a-0+deb7u1
This update includes the changes in tzdata 2017a. Notable
changes are:
- Mongolia no longer observes DST.
- Magallanes region diverges from Santiago starting 2017-05-13,
the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: libdatetime-timezone-perl
Version: 1:1.58-1+2017a
This update includes the changes in tzdata 2017a for the
Perl bindings. For the list of changes, see DLA-856-1.
For Debian 7 "Wheezy", these problems have been fixed in
<e...@debian.org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
chicken-bin - Practical and portable Scheme system - compiler
libchicken-dev - Practical and portable Scheme system - development
libchicken6 - Practical and portable Scheme system - runtime
Change
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: chicken
Version: 4.7.0-1+deb7u2
CVE ID : CVE-2017-6949
Debian Bug : 858057
It was found that CHICKEN did not sanitize the size argument when
allocating SRFI-4 vectors, which could lead to segfaults or buffer
<pkg-gnome-maintain...@lists.alioth.debian.org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
libcroco-tools - Cascading Style Sheet (CSS) parsing and manipulation toolkit
- ut
libcroco3 - Cascading Style Sheet (CSS) parsing and manipulation toolkit
l
Hi Lars,
I see that you already started preparing MySQL 5.5.55 for wheezy in
https://anonscm.debian.org/cgit/pkg-mysql/mysql-5.5.git/log/?h=debian/wheezy
If you want I can upload the package and send the announcement. Just let me know
when you're done with the update (at least I think the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: libcroco
Version: 0.6.6-2+deb7u1
CVE ID : CVE-2017-7960 CVE-2017-7961
Debian Bug : 860961
CVE-2017-7960
A heap-based buffer over-read vulnerability could be triggered
remotely via a crafted CSS file to
On 23/04/17 21:50, Ola Lundqvist wrote:
> Dear maintainer(s),
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of batik:
> https://security-tracker.debian.org/tracker/CVE-2017-5662
FWIW I investigated this a bit and there doesn't seem
-evolution
libreoffice-filter-binfilter
Architecture: source all amd64
Version: 1:3.5.4+dfsg2-0+deb7u9
Distribution: wheezy-security
Urgency: high
Maintainer: Debian LibreOffice Maintainers <debian-openoff...@lists.debian.org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Descript
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: firefox-esr
Version: 45.9.0esr-1~deb7u1
CVE ID : CVE-2017-5429 CVE-2017-5432 CVE-2017-5433 CVE-2017-5434
CVE-2017-5435 CVE-2017-5436 CVE-2017-5438 CVE-2017-5439
CVE-2017-5440