On 11/02/2019 02:38, Steve McIntyre wrote:
> On Fri, Feb 08, 2019 at 11:23:54AM +0100, Emilio Pozuelo Monfort wrote:
>>
>> I have done an automated install (ncurses frontend, installing GNOME) using
>> the
>> netinst/amd64 image, with an LVM encrypted volume. I have a
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Thu, 31 Jan 2019 09:53:40 +0100
Source: coturn
Binary: coturn
Architecture: source amd64
Version: 4.2.1.2-1+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian VoIP Team
Changed-By: Emilio Pozuelo Monfort
systemd Maintainers
Changed-By: Emilio Pozuelo Monfort
Description:
gir1.2-gudev-1.0 - libgudev-1.0 introspection data
libgudev-1.0-0 - GObject-based wrapper library for libudev
libgudev-1.0-dev - libgudev-1.0 development files
libpam-systemd - system and service manager - PAM module
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: systemd
Version: 215-17+deb8u10
CVE ID : CVE-2019-6454
Chris Coulson discovered a flaw in systemd leading to denial of service.
An unprivileged user could take advantage of this issue to crash PID1 by
sending a
Hi,
There is a vulnerability in ghostscript that allows maliciously crafted files to
bypass the sandbox and execute arbitrary code:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1729
I would be wary of backporting the fix to our old version of ghostscript as the
code has changed
Hi Steve,
On 22/01/2019 14:50, Steve McIntyre wrote:
> On Tue, Jan 22, 2019 at 01:44:12PM +, Ben Hutchings wrote:
>> However, APT is used during initial installation and we don't have any
>> provision for updating installer images during LTS. So we're either
>> going to have to revisit that
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: firefox-esr
Version: 60.5.0esr-1~deb8u1
CVE ID : CVE-2018-18500 CVE-2018-18501 CVE-2018-18505
Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: spice
Version: 0.12.5-1+deb8u7
CVE ID : CVE-2019-3813
Debian Bug : 920762
Christophe Fergeau discovered an out-of-bounds read vulnerability in
spice, a SPICE protocol client and server library, which might
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: postgis
Version: 2.1.4+dfsg-3+deb8u1
CVE ID : CVE-2017-18359
It was found that the function ST_AsX3D in PostGIS, a module that
adds spatial objects to the PostgreSQL object-relational database, did
not handle empty
mariadb-test
mariadb-connect-engine-10.0 mariadb-oqgraph-engine-10.0
Architecture: source amd64 all
Version: 10.0.38-0+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian MySQL Maintainers
Changed-By: Emilio Pozuelo Monfort
Description:
libmariadbd-dev - MariaDB embedded
On 03/01/2019 11:20, Emilio Pozuelo Monfort wrote:
> On 03/01/2019 10:40, Otto Kekäläinen wrote:
>> Hello!
>>
>> to 3. tammik. 2019 klo 3.40 Robie Basak (robie.ba...@canonical.com)
>> kirjoitti:
>>>
>>> Hi Otto and the LTS team,
>>>
>>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: mariadb-10.0
Version: 10.0.38-0+deb8u1
CVE ID : CVE-2019-2529 CVE-2019-2537
Several issues have been discovered in the MariaDB database server. The
vulnerabilities are addressed by upgrading MariaDB to the new
Distribution: jessie-security
Urgency: medium
Maintainer: Peter Spiess-Knafl
Changed-By: Emilio Pozuelo Monfort
Description:
libvncclient0 - API to write one's own vnc server - client library
libvncclient0-dbg - debugging symbols for libvncclient
libvncserver-config - API to write one's own vnc
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: libvncserver
Version: 0.9.9+dfsg2-6.1+deb8u5
CVE ID : CVE-2018-15126 CVE-2018-20748 CVE-2018-20749 CVE-2018-20750
A vulnerability was found by Kaspersky Lab in libvncserver, a C library
to implement VNC
On 10/04/2019 12:50, Sylvain Beucler wrote:
> Hi Salvatore,
>
> On 08/04/2019 22:18, Sylvain Beucler wrote:
>> On 08/04/2019 21:56, Holger Levsen wrote:
>>> On Mon, Apr 08, 2019 at 09:51:19PM +0200, Salvatore Bonaccorso wrote:
Recently I noticed that for a no-dsa (either for no-dsa or the
Hi,
During the month of March, I spent 26 hours working on LTS on the following
tasks:
libsndfile security update
prepared firmware-nonfree update
ntfs-3g security update
firefox-esr security updates
bash security update
ghostscript coordination
openjdk-7 security update
drupal7 security
On 26/03/2019 11:08, Jakob Hirsch wrote:
> Hi,
>
> so I noticed this morning that jessie-updates is gone from the mirrors.
> After some research, I found that this was kind of announced in
> https://lists.debian.org/debian-devel-announce/2019/03/msg6.html.
> Question is now, what should I put
Hi,
On 10/04/2019 13:29, Emilio Pozuelo Monfort wrote:
> Hi john,
>
> On 10/04/2019 13:00, john wrote:
>> Hi,
>> Samba update for ELTS is broken on i386 arch as some packages remain at old
>> version and therefore there are broken dependencies:
>
> Thanks for th
Hi,
On 14/05/2019 17:03, Brian May wrote:
> Emilio Pozuelo Monfort writes:
>
>> It looks like the recent jquery update introduced a regression on the
>> minified
>> file. I see that you change how the minified file is built, which is likely
>> to
>> be re
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: samba
Version: 2:4.2.14+dfsg-0+deb8u13
CVE ID : CVE-2018-16860
Isaac Boukris and Andrew Bartlett discovered that the S4U2Self Kerberos
extension used in Samba's Active Directory support was susceptible to
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: sox
Version: 14.4.1-5+deb8u4
CVE ID : CVE-2019-8354 CVE-2019-8355 CVE-2019-8356 CVE-2019-8357
Debian Bug : 927906
Several issues were found in SoX, the Swiss army knife of sound processing
programs, that could
+deb8u4
Distribution: jessie-security
Urgency: medium
Maintainer: Pascal Giard
Changed-By: Emilio Pozuelo Monfort
Description:
libsox-dev - Development files for the SoX library
libsox-fmt-all - All SoX format libraries
libsox-fmt-alsa - SoX alsa format I/O library
libsox-fmt-ao - SoX Libao
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: php5
Version: 5.6.40+dfsg-0+deb8u4
CVE ID : CVE-2019-11039 CVE-2019-11040
Two vulnerabilities were found in PHP, a widely-used open source general
purpose scripting language.
CVE-2019-11039
An integer
-security
Urgency: medium
Maintainer: Debian PHP Maintainers
Changed-By: Emilio Pozuelo Monfort
Description:
libapache2-mod-php5 - server-side, HTML-embedded scripting language (Apache 2
module)
libapache2-mod-php5filter - server-side, HTML-embedded scripting language
(apache 2 filter mo
libphp5
On 30/05/2019 09:37, Hugo Lefeuvre wrote:
> Hi,
>
> Apparently, wireshark 1.12.1+g01b65bf-4+deb8u19 failed to build on armel. I
> have absolutely no idea of what happened. At first glance it looks like tar
> segfaulted[0] :-)
>
> Is it possible to restart the build for armel?
Given back.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: poppler
Version: 0.26.5-2+deb8u10
CVE ID : CVE-2019-10872 CVE-2019-12293 CVE-2019-12360
Several vulnerabilities have been found in the poppler PDF rendering
library, which could result in denial of service or
Hi,
During the month of May, I spent 33h on LTS working on the following tasks:
- openjdk-7 security update
- qemu security update
- security-tracker reviews
- sqlite3 triage
- sox: backported patches, run into stability bug in jessie not happening in
sid, bisected it but fix was too invasive so
libpoppler-qt5-1 libpoppler-qt5-dev libpoppler-cpp0
libpoppler-cpp-dev poppler-utils poppler-dbg
Architecture: source amd64 all
Version: 0.26.5-2+deb8u10
Distribution: jessie-security
Urgency: medium
Maintainer: Loic Minier
Changed-By: Emilio Pozuelo Monfort
Description:
gir1.2-poppler-0.18 - GObject
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: thunderbird
Version: 1:60.7.0-1~deb8u1
CVE ID : CVE-2018-18511 CVE-2019-5798 CVE-2019-7317 CVE-2019-9797
CVE-2019-9800 CVE-2019-9816 CVE-2019-9817 CVE-2019-9819
CVE-2019-9820
-By: Emilio Pozuelo Monfort
Description:
calendar-google-provider - Google Calendar support for lightning
icedove- mail/news client with RSS and integrated spam filter support
icedove-dbg - Debug Symbols for Icedove
icedove-l10n-all - All language packages for Icedove (meta) - Transitional
Urgency: medium
Maintainer: Utopia Maintenance Team
Changed-By: Emilio Pozuelo Monfort
Description:
dbus - simple interprocess messaging system (daemon and utilities)
dbus-1-dbg - simple interprocess messaging system (debug symbols)
dbus-1-doc - simple interprocess messaging system
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: thunderbird
Version: 1:60.7.2-1~deb8u1
CVE ID : CVE-2019-11707 CVE-2019-11708
Multiple security issues have been found in Thunderbird which may lead
to the execution of arbitrary code if malformed email messages are
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: firefox-esr
Version: 60.7.1esr-1~deb8u1
CVE ID : CVE-2019-11707
Samuel Gross discovered a type confusion bug in the JavaScript engine of
the Mozilla Firefox web browser, which could result in the execution of
-security
Urgency: medium
Maintainer: Maintainers of Mozilla-related packages
Changed-By: Emilio Pozuelo Monfort
Description:
firefox-esr - Mozilla Firefox web browser - Extended Support Release (ESR)
firefox-esr-dbg - Debugging symbols for Firefox ESR
firefox-esr-l10n-ach - Acoli language package
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: thunderbird
Version: 1:60.7.1-1~deb8u1
CVE ID : CVE-2019-11703 CVE-2019-11704 CVE-2019-11705 CVE-2019-11706
Multiple security issues have been found in Thunderbird which may lead
to the execution of arbitrary code
On 25/04/2019 03:54, Emilio Pozuelo Monfort wrote:
> Hi,
>
> I prepared an update for qemu, with the following fixes:
>
> * CVE-2018-20815: information disclosure in tcp_emu().
> * CVE-2019-9824: heap buffer overflow in load_device_tree().
> * CVE-2018-11806: heap-base
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: qemu
Version: 1:2.1+dfsg-12+deb8u11
CVE ID : CVE-2018-11806 CVE-2018-18849 CVE-2018-20815 CVE-2019-9824
Debian Bug : 901017 912535
Several vulnerabilities were found in QEMU, a fast processor emulator:
-binfmt qemu-utils qemu-guest-agent qemu-kvm
Architecture: source amd64
Version: 1:2.1+dfsg-12+deb8u11
Distribution: jessie-security
Urgency: medium
Maintainer: Debian QEMU Team
Changed-By: Emilio Pozuelo Monfort
Description:
qemu - fast processor emulator
qemu-guest-agent - Guest-side qemu
On 13/05/2019 12:09, Emilio Pozuelo Monfort wrote:
> It was not clear to me at the time of upload if it was addressed in 7u221. It
> was not mentioned in the upstream announcement. I asked upstream for
> clarification on its status, it may be that that CVE is Oracle specific and
> do
Hi,
During the month of April I spent 8h on LTS, preparing and testing the qemu
update, and also starting with the openjdk-7 update. I will catch up on the
remaining hours this month.
For ELTS I spent 8.5h on frontdesk & triaging, finalising the firmware-nonfree
update (fighting the python2/3
Hi Brian,
It looks like the recent jquery update introduced a regression on the minified
file. I see that you change how the minified file is built, which is likely to
be related. Can you take a look? Also see the recently filed bug #928827.
Thanks,
Emilio
On 10/05/2019 16:00, Keith Erekson
On 13/05/2019 10:55, Sylvain wrote:
> Thanks Ola.
>
> Emilio, can you confirm your latest upload also addresses CVE-2019-2697?
>
> Its MITRE page points to:
> https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
> "Mateusz Jurczyk of Google Project Zero: CVE-2019-2697,
On 22/05/2019 19:54, PICCORO McKAY Lenz wrote:
> currently still are security updates for jessie (debian LTS) and wheezy
> (ExLTS) why those packages are not uploaded to archive debian ?
>
> by example I can find the updated kernel 3.16 for wheezy by ExLTS
> collaboration but not in
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: firefox-esr
Version: 60.7.0esr-1~deb8u1
CVE ID : CVE-2018-18511 CVE-2019-5798 CVE-2019-7317 CVE-2019-9797
CVE-2019-9800 CVE-2019-9816 CVE-2019-9817 CVE-2019-9819
CVE-2019-9820
-security
Urgency: medium
Maintainer: Maintainers of Mozilla-related packages
Changed-By: Emilio Pozuelo Monfort
Description:
firefox-esr - Mozilla Firefox web browser - Extended Support Release (ESR)
firefox-esr-dbg - Debugging symbols for Firefox ESR
firefox-esr-l10n-ach - Acoli language package
Architecture: source amd64 all
Version: 7u221-2.6.18-1~deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: OpenJDK Team
Changed-By: Emilio Pozuelo Monfort
Description:
icedtea-7-jre-jamvm - Alternative JVM for OpenJDK, using JamVM
openjdk-7-dbg - Java runtime based on OpenJDK
Hi,
I prepared an update for qemu, with the following fixes:
* CVE-2018-20815: information disclosure in tcp_emu().
* CVE-2019-9824: heap buffer overflow in load_device_tree().
* CVE-2018-11806: heap-based buffer overflow via incoming fragmented
datagrams (Closes: #901017).
*
On 16/04/2019 04:22, PICCORO McKAY Lenz wrote:
> but seems wheezy are removed from security debian but still april 14 and
> not present at archive debian
It is indeed removed from security.debian.org, however it has been archived:
http://archive.debian.org/debian/dists/wheezy/
Hi, during the month of June I spent 16h (of 17 assigned) on LTS on the
following tasks:
- CVE triaging
- php5 update
- looked at vim update, coordinated with maintainer
- poppler update
- dbus update
- thunderbird update
- firefox-esr update
- another thunderbird update
During the month of July
-security
Urgency: medium
Maintainer: Debian Printing Team
Changed-By: Emilio Pozuelo Monfort
Description:
ghostscript - interpreter for the PostScript language and for PDF
ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug
symbo
ghostscript-doc - interpreter
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: ghostscript
Version: 9.26a~dfsg-0+deb8u4
CVE ID : CVE-2019-10216
Debian Bug : 934638
Netanel reported that the .buildfont1 procedure in Ghostscript, the GPL
PostScript/PDF interpreter, does not properly restrict
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: php5
Version: 5.6.40+dfsg-0+deb8u5
CVE ID : CVE-2019-11041 CVE-2019-11042
Two heap buffer overflows were found in the EXIF parsing code of PHP,
a widely-used open source general purpose scripting language.
For
-security
Urgency: medium
Maintainer: Debian PHP Maintainers
Changed-By: Emilio Pozuelo Monfort
Description:
libapache2-mod-php5 - server-side, HTML-embedded scripting language (Apache 2
module)
libapache2-mod-php5filter - server-side, HTML-embedded scripting language
(apache 2 filter mo
libphp5
Version: 1.8.1+dfsg1-4+deb8u2
Distribution: jessie-security
Urgency: medium
Maintainer: MATE Packaging Team
Changed-By: Emilio Pozuelo Monfort
Description:
atril - MATE document viewer
atril-common - MATE document viewer (common files)
atril-dbg - MATE document viewer (debugging symbols
: jessie-security
Urgency: medium
Maintainer: Debian GNOME Maintainers
Changed-By: Emilio Pozuelo Monfort
Description:
evince - Document (PostScript, PDF) viewer
evince-common - Document (PostScript, PDF) viewer - common files
evince-dbg - Document (PostScript, PDF) viewer - debugging
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: atril
Version: 1.8.1+dfsg1-4+deb8u2
CVE ID : CVE-2017-1000159 CVE-2019-11459 CVE-2019-1010006
A few issues were found in Atril, the MATE document viewer.
CVE-2017-1000159
When printing from DVI to PDF, the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: firefox-esr
Version: 60.9.0esr-1~deb8u1
CVE ID : CVE-2019-9812 CVE-2019-11740 CVE-2019-11742 CVE-2019-11743
CVE-2019-11744 CVE-2019-11746 CVE-2019-11752
Multiple security issues have been found in
-security
Urgency: medium
Maintainer: Debian Printing Team
Changed-By: Emilio Pozuelo Monfort
Description:
ghostscript - interpreter for the PostScript language and for PDF
ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug
symbo
ghostscript-doc - interpreter
-security
Urgency: medium
Maintainer: Maintainers of Mozilla-related packages
Changed-By: Emilio Pozuelo Monfort
Description:
firefox-esr - Mozilla Firefox web browser - Extended Support Release (ESR)
firefox-esr-dbg - Debugging symbols for Firefox ESR
firefox-esr-l10n-ach - Acoli language package
Hi,
During the month of August I spent 31 hours on the following tasks:
- php5 update
- ghostscript update
- CVE triaging
- evince update
- atril update
- preparatory work for firefox ESR 68 and thunderbird 68
As for ELTS I spent 8.5h on the following:
- php5 update
- CVE triaging
-
-By: Emilio Pozuelo Monfort
Description:
calendar-google-provider - Google Calendar support for lightning
icedove- mail/news client with RSS and integrated spam filter support
icedove-dbg - Debug Symbols for Icedove
icedove-l10n-all - All language packages for Icedove (meta) - Transitional
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: thunderbird
Version: 1:60.9.0-1~deb8u1
CVE ID : CVE-2019-11739 CVE-2019-11740 CVE-2019-11742 CVE-2019-11743
CVE-2019-11744 CVE-2019-11746 CVE-2019-11752
Multiple security issues have been found in
On 07/09/2019 10:01, Pascal Hambourg wrote:
> Hello,
>
> It seems that the i386 build failed.
Thanks for the notice. I'll take a look at it.
Emilio
-By: Emilio Pozuelo Monfort
Description:
calendar-google-provider - Google Calendar support for lightning
icedove- mail/news client with RSS and integrated spam filter support
icedove-dbg - Debug Symbols for Icedove
icedove-l10n-all - All language packages for Icedove (meta) - Transitional
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: firefox-esr
Version: 60.8.0esr-1~deb8u1
CVE ID : CVE-2019-9811 CVE-2019-11709 CVE-2019-11711 CVE-2019-11712
CVE-2019-11713 CVE-2019-11715 CVE-2019-11717 CVE-2019-11730
Multiple security issues have
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: thunderbird
Version: 1:60.8.0-1~deb8u1
CVE ID : CVE-2019-9811 CVE-2019-11709 CVE-2019-11711 CVE-2019-11712
CVE-2019-11713 CVE-2019-11715 CVE-2019-11717 CVE-2019-11730
Multiple security issues have
-security
Urgency: medium
Maintainer: Maintainers of Mozilla-related packages
Changed-By: Emilio Pozuelo Monfort
Description:
firefox-esr - Mozilla Firefox web browser - Extended Support Release (ESR)
firefox-esr-dbg - Debugging symbols for Firefox ESR
firefox-esr-l10n-ach - Acoli language package
-security
Urgency: medium
Maintainer: Maintainers of Mozilla-related packages
Changed-By: Emilio Pozuelo Monfort
Description:
firefox-esr - Mozilla Firefox web browser - Extended Support Release (ESR)
firefox-esr-dbg - Debugging symbols for Firefox ESR
firefox-esr-l10n-ach - Acoli language package
On 30/09/2019 06:40, Sylvain Beucler wrote:
> Hello,
>
> On 27/09/2019 23:12, Pascal Hambourg wrote:
>> Sorry to insist again, but is there any hope that the i386 build will
>> be available ?
>
> It seems this is a memory issue on the builder:
>
> virtual memory exhausted: Operation not
: medium
Maintainer: LLVM Packaging Team
Changed-By: Emilio Pozuelo Monfort
Description:
clang-6.0 - C, C++ and Objective-C compiler
clang-6.0-doc - C, C++ and Objective-C compiler - Documentation
clang-6.0-examples - Clang examples
clang-format-6.0 - Tool to format C/C++/Obj-C code
clang-tidy
Changed-By: Emilio Pozuelo Monfort
Description:
nodejs-mozilla - evented I/O for V8 javascript
Changes:
nodejs-mozilla (8.11.1~dfsg0-2~deb8u1) jessie-security; urgency=medium
.
* Backport to jessie.
* Lower debhelper requirement.
* Repack to embed gyp again as it's not available on jessie
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Thu, 17 Oct 2019 09:30:03 +0200
Source: gcc-mozilla
Binary: gcc-mozilla
Architecture: source amd64
Version: 6.4.0-0+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian GCC Maintainers
Changed-By: Emilio Pozuelo
: medium
Maintainer: Debian Rust Maintainers
Changed-By: Emilio Pozuelo Monfort
Description:
libstd-rust-1.34 - Rust standard libraries
libstd-rust-dev - Rust standard libraries - development files
rust-doc - Rust systems programming language - Documentation
rust-gdb - Rust debugger (gdb
iceowl-l10n-sq iceowl-l10n-sr iceowl-l10n-sv-se
iceowl-l10n-tr iceowl-l10n-uk iceowl-l10n-vi iceowl-l10n-zh-cn
iceowl-l10n-zh-tw
Architecture: source amd64 all
Version: 1:68.2.2-1~deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Carsten Schoenert
Changed-By: Emilio Pozuelo Monfort
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: thunderbird
Version: 1:68.2.2-1~deb8u1
CVE ID : CVE-2019-11755 CVE-2019-11757 CVE-2019-11759
CVE-2019-11760 CVE-2019-11761 CVE-2019-11762
CVE-2019-11763 CVE-2019-11764 CVE-2019-15903
On 14/11/2019 19:51, Roberto C. Sánchez wrote:
> On Thu, Nov 14, 2019 at 01:31:27PM -0500, Roberto C. Sánchez wrote:
>> On Thu, Nov 14, 2019 at 05:19:03PM +, Holger Levsen wrote:
>>> On Wed, Nov 13, 2019 at 08:24:55AM -0500, Roberto C. Sánchez wrote:
> We usually mark affected CVE as in
Hi,
During the month of October I spent 72 hours on finishing the Firefox ESR 68
update. That update took so much time due to the necessary toolchain updates,
which included rust & cargo, LLVM, and GCC, and to several issues which were
encountered with some of those components and with some old
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: firefox-esr
Version: 68.2.0esr-1~deb8u1
CVE ID : CVE-2019-11757 CVE-2019-11759 CVE-2019-11760 CVE-2019-11761
CVE-2019-11762 CVE-2019-11763 CVE-2019-11764 CVE-2019-15903
Multiple security issues have
Hi,
During the month of November I worked on the Thunderbird update after the
toolchain update work for Firefox ESR 68 made that possible. I also spent time
working on build fixes for Firefox (on armhf for jessie, as well as various
other issues on stretch). Those will also benefit Thunderbird.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: firefox-esr
Version: 68.3.0esr-1~deb8u1
CVE ID : CVE-2019-17005 CVE-2019-17008 CVE-2019-17010 CVE-2019-17011
CVE-2019-17012
Multiple security issues have been found in the Mozilla Firefox web
: medium
Maintainer: Laurent Bigonville
Changed-By: Emilio Pozuelo Monfort
Description:
libssh-4 - tiny C SSH library (OpenSSL flavor)
libssh-dbg - tiny C SSH library. Debug symbols
libssh-dev - tiny C SSH library. Development files (OpenSSL flavor)
libssh-doc - tiny C SSH library. Documentation
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: libssh
Version: 0.6.3-4+deb8u4
CVE ID : CVE-2019-14889
Debian Bug : 946548
It was found that libssh, a tiny C SSH library, does not sufficiently
sanitize path parameters provided to the server, allowing an
-By: Emilio Pozuelo Monfort
Description:
sa-compile - Tools for compiling SpamAssassin rules into C
spamassassin - Perl-based spam filter using text analysis
spamc - Client for SpamAssassin spam filtering daemon
Changes:
spamassassin (3.4.2-0+deb8u2) jessie-security; urgency=medium
.
* Non
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: thunderbird
Version: 1:68.3.0-2~deb8u1
CVE ID : CVE-2019-17005 CVE-2019-17008 CVE-2019-17010 CVE-2019-17011
CVE-2019-17012
Multiple security issues have been found in Thunderbird which could
iceowl-l10n-sq iceowl-l10n-sr iceowl-l10n-sv-se
iceowl-l10n-tr iceowl-l10n-uk iceowl-l10n-vi iceowl-l10n-zh-cn
iceowl-l10n-zh-tw
Architecture: source amd64 all
Version: 1:68.3.0-2~deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Carsten Schoenert
Changed-By: Emilio Pozuelo Monfort
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Wed, 16 Oct 2019 18:58:09 +0200
Source: cmake-mozilla
Binary: cmake-mozilla
Architecture: source amd64
Version: 3.5.0-1~deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian CMake Team
Changed-By: Emilio Pozuelo
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Thu, 24 Oct 2019 12:09:54 +0200
Source: cargo
Binary: cargo cargo-doc
Architecture: source amd64 all
Version: 0.35.0-2~deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Rust Maintainers
Changed-By: Emilio Pozuelo
Hi,
During the month of September I spent 30 hours on the following tasks:
- firefox ESR 60 update
- thunderbird ESR 60 update
- ghostscript update
- firefox ESR 68 preparations for jessie and stretch (LLVM 7, cargo, rust,
cbindgen, nasm, nodejs)
As for ELTS I spent 4 hours on frontdesk triage.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: libdatetime-timezone-perl
Version: 1:1.75-2+2019c
This update includes the changes in tzdata 2019c for the
Perl bindings. For the list of changes, see DLA-1957-1.
For Debian 8 "Jessie", this problem has been fixed in
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: tzdata
Version: 2019c-0+deb8u1
This update includes the changes in tzdata 2018c. Notable
changes are:
- Brazil has canceled DST and will stay on standard time indefinitely.
- Fiji's next DST transitions will be
On 13/12/2019 05:41, Brian May wrote:
> Brian May writes:
>
>> Apparently the fix for ibus creates a regression in glibc that must get
>> fixed also:
>>
>> https://gitlab.gnome.org/GNOME/glib/merge_requests/1176
>>
>> However this patch patches GIO in glibc, and it looks like glibc in
>> Jessie
On 20/12/2019 00:49, Simon McVittie wrote:
> (LTS team: full quote of bug report below)
>
> On Thu, 19 Dec 2019 at 21:41:59 +, McIntyre, Vincent (CASS, Marsfield)
> wrote:
>> Dear LTS Maintainer,
>
> If a bug is specific to a LTS package, please report it to the
> debian-lts mailing list
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: firefox-esr
Version: 68.5.0esr-1~deb8u1
CVE ID : CVE-2020-6796 CVE-2020-6798 CVE-2020-6800
Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: python-pysaml2
Version: 2.0.0-1+deb8u3
CVE ID : CVE-2020-5390
Debian Bug : 949322
It was discovered that pysaml2, a Python implementation of SAML to be
used in a WSGI environment, was susceptible to XML
On 19/02/2020 10:45, Emilio Pozuelo Monfort wrote:
> btw I wonder if that script shouldn't live elsewhere, such as in the webwml
> repo or in the security-tracker.
I have moved it to the security-tracker in [1]. I made it more useful for DSAs
by ignoring regression updates, as
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: openjdk-7
Version: 7u251-2.6.21-1~deb8u1
CVE ID : CVE-2020-2583 CVE-2020-2590 CVE-2020-2593 CVE-2020-2601
CVE-2020-2604 CVE-2020-2654 CVE-2020-2659
Several vulnerabilities have been discovered in
Hi all,
I think we can all agree that the problem here is that there was an unexpected
issue (a security upload getting rejected) that required sort of immediate work
from a third party (an ftp-master). I don't think we should make a big deal of
this, as this can happen with any other two teams in
On 01/03/2020 00:28, Holger Levsen wrote:
> On Sat, Feb 29, 2020 at 10:46:48PM +, Holger Levsen wrote:
>>> I have moved it to the security-tracker in [1].
>> hah.
>
> hah and now that I want to use it I realize you moved the MR only... grrr.
> ok, we'll see how this goes.
And it's finally
On 02/03/2020 12:57, Emilio Pozuelo Monfort wrote:
> On 01/03/2020 00:28, Holger Levsen wrote:
>> On Sat, Feb 29, 2020 at 10:46:48PM +, Holger Levsen wrote:
>>>> I have moved it to the security-tracker in [1].
>>> hah.
>>
>> hah and now that I want
Hi,
During the month of February, I spent 29h on LTS on the following tasks:
- firefox-esr update
- thunderbird update
- clamav update
- spamassassin update
- missing webwml script improvements
- jackson-databind update
- python-reportlab update
- CVE triage
- python-pysaml2 update
- openjdk-7