Re: RFC: remaining CVEs on libspring-java

2019-06-04 Thread Markus Koschany
Hi, On 02.06.19 at 01:53 Roberto C. Sánchez wrote: > Hello all, > > I would like some input from the group on how to handle the remaining > CVEs (all of which have been tagged no-dsa) on libspring-java: [...] > That leaves CVE-2018-11039, CVE-2018-11040, CVE-2018-1199, and > CVE-2018-1257. O

Re: libqb / CVE-2019-12779

2019-06-18 Thread Markus Koschany
Hello, On 18.06.19 at 10:05 Brian May wrote: > The upstream patch patches "c->description" which is not used in > Jessie. OK, so probably not vulnerable. [...] I requested feedback from upstream about CVE-2019-12779 before. https://github.com/ClusterLabs/libqb/issues/338 It seems they do not

Re: Bug#931097: unattended-upgrades: InvalidURL(f"URL can't contain control characters. {url!r} "

2019-06-26 Thread Markus Koschany
Hello, On 26.06.19 at 09:59 duncanwebb wrote: > Package: unattended-upgrades > Version: 0.83.3.2+deb8u1 > Severity: serious > Justification: normal > > Dear Maintainer, > > Jessie uses python 3.4 and python 3.4 does not support f"" strings > > So now unattended upgrades no longer performs sec

Debian LTS | Video 60"

2019-06-27 Thread Markus Koschany
Hello, last but not least, the 60 second video. The designer has already proposed some ideas and some elements are clear and ready. However before he really puts every piece together, there is still some information he needs. First of all, do we want to keep the same logical order for our video o

Re: Reference nodejs in debian-security-support?

2019-07-03 Thread Markus Koschany
Hello, On 03.07.19 at 14:59 Sylvain Beucler wrote: [...] > I'm surprised that `grep -ir node` doesn't find any match in the > 'debian-security-support' repo. > Did I miss something or is it something we should do? I think we should add nodejs to security-support-ended.deb8. This would make it m

New list: lts-do-call-me

2019-07-17 Thread Markus Koschany
Hello, after a conversation at DebConf19, I have created a new file org/lts-do-call-me. We have previously sent out many emails asking whether a maintainer would like to take care of the security update. We still do it but less frequently. It turned out that many did either not react, or were glad

Re: New list: lts-do-call-me

2019-07-17 Thread Markus Koschany
On 17.07.19 at 16:46 Roberto C. Sánchez wrote: > On Wed, Jul 17, 2019 at 11:26:56AM -0300, Markus Koschany wrote: >> >> lts-do-call-me contains all maintainers and/or source >> packages that should be handled by the maintainer. Please contact all >> maintainers in t

Re: New list: lts-do-call-me

2019-07-18 Thread Markus Koschany
Hello Sylvain, On 17.07.19 at 12:56 Sylvain Beucler wrote: [...] > Would you be so kind as to update the wiki > https://wiki.debian.org/LTS/Development > to clarify what front-desk needs to do / not to do? I have updated the paragraph about "Contact the maintainer". > I'm not sure what the wor

Re: New list: lts-do-call-me

2019-07-26 Thread Markus Koschany
Hi Bill, On 26.07.19 at 20:12 Bill Blough wrote: > On Wed, Jul 17, 2019 at 11:26:56AM -0300, Markus Koschany wrote: >> >> lts-do-call-me contains all maintainers and/or source >> packages that should be handled by the maintainer. Please contact all >> maintainers in t

Re: [SECURITY] [DLA 1846-1] unzip security update

2019-07-28 Thread Markus Koschany
Hi Salvatore, On 28.07.19 at 04:37 Salvatore Bonaccorso wrote: [...] > There is a functional regression by this update in unzip, with a patch > provided by Mark Adler, cf. #932404: > > To reproduce the issue: > > wget > http://ftp.mozilla.org/pub/firefox/releases/68.0.1/linux-x86_64/en-US/fir

unzip CVE-2019-13232

2019-08-02 Thread Markus Koschany
Hello Salvatore, my last email regarding unzip, CVE-2019-13232, apparently remained unanswered [1] but I feel it needs a clarification hence I am resending it. I don't understand why CVE-2019-13232 was marked as unimportant. According to the security tracker documentation the definition for unimp

Re: unzip CVE-2019-13232

2019-08-03 Thread Markus Koschany
Hi Salvatore, On 03.08.19 at 09:12 Salvatore Bonaccorso wrote: [...] > The classification was done here: > > https://salsa.debian.org/security-tracker-team/security-tracker/commit/0891eec1447b20c9f45d18754f733df2081bbda3 > > I though agree with Moritz's classification on this. Should users >

Re: unzip CVE-2019-13232

2019-08-03 Thread Markus Koschany
On 03.08.19 at 10:55 Sylvain Beucler wrote: [...] > When an early fix is more likely to introduce regressions than protect > users from real-world attacks, don't we mark it as 'postponed'? We only postpone a fix if there is a minor issue and it is not worth fixing via a standalone update. Ever

Re: On tomcat FTBFS.

2019-08-08 Thread Markus Koschany
On 08.08.19 at 00:50 Sylvain Beucler wrote: > Hi, > > So I reworked CVE-2017-5647, which involved 5 new commits related to > non-blocking I/O (NIO2 and COMET). > Stable build. > > Then I got upstream to renew their new certs that were expiring tomorrow (!) > https://bz.apache.org/bugzilla/show_

Re: LTS update for openldap?

2019-08-14 Thread Markus Koschany
Hello Ryan, On 14.08.19 at 21:36 Ryan Tandy wrote: > Dear LTS team, > > I propose updating openldap in jessie to fix two no-DSA CVEs and one > additional important bug. The same changes have been accepted for the > next point releases of buster (#934507) and stretch (#934508). > > The issues a

Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.

2019-08-16 Thread Markus Koschany
Hi, On 16.08.19 at 22:40 Holger Levsen wrote: > On Fri, Aug 16, 2019 at 08:11:58PM +0000, Markus Koschany wrote: >> Markus Koschany pushed to branch master at Debian Security Tracker / >> security-tracker >> >> Commits: >> bc35662f by Markus Koschany at 2019-

Re: LTS update for openldap?

2019-08-18 Thread Markus Koschany
On 16.08.19 at 01:53 Ryan Tandy wrote: > On Wed, Aug 14, 2019 at 10:13:06PM +0200, Markus Koschany wrote: >> Thank you for preparing an update for openldap in Jessie. I will take >> care of all necessary paper work and upload the package for you. > > Great. Thank you! I up

Re: [SECURITY] [DLA 1886-1] openjdk-7 security update

2019-08-19 Thread Markus Koschany
Hello, On 19.08.19 at 11:23 Thomas Elsner wrote: > Hi, > > Markus Koschany wrote on 15.08.19 at 23:57: >> Package: openjdk-7 >> Version: 7u231-2.6.19-1~deb8u1 >> CVE ID : CVE-2019-2745 CVE-2019-2762 CVE-2019-2769 CVE-2019-2816 > > I&

Re: deb.freexian.com offline?

2019-10-06 Thread Markus Koschany
Hello, On 06.10.19 at 18:14 Микаел Бак wrote: > Hi, > > Is there a problem with this server? > > My apticron script gives me errors: > W: Failed to fetch > http://deb.freexian.com/extended-lts/dists/wheezy-lts/Release.gpg > Connection failed > > TIA, > Mikael Yes, there is a (DNS) problem wi

Re: Drop support for libqb?

2019-11-12 Thread Markus Koschany
Hi, On 12.11.19 at 18:11 Roberto C. Sánchez wrote: [...] > With that in mind, does this seem like a package for which we should > declare the end of support? That sounds reasonable to me. Cheers, Markus

Re: Drop support for libqb?

2019-11-13 Thread Markus Koschany
On 13.11.19 at 05:28 Roberto C. Sánchez wrote: > On Tue, Nov 12, 2019 at 06:53:19PM +0100, Markus Koschany wrote: >> Hi, >> >> On 12.11.19 at 18:11 Roberto C. Sánchez wrote: >> [...] >>> With that in mind, does this seem like a package for which we s

Re: libapache2-mod-auth-openidc

2019-11-20 Thread Markus Koschany
Hi, On 20.11.19 at 17:13 Abhijith PA wrote: > Hello Markus, > > There aren't any open vulnerabilities in libapache2-mod-auth-openidc. > Last one was announced in DLA-1996-1. Any particular reason for keeping > it in dla-needed.txt. It was automatically removed from dla-needed.txt when I reserve

RFT: OpenJDK 7 7u241-2.6.20-1~deb8u1

2019-11-26 Thread Markus Koschany
Hello, I have uploaded a new version of OpenJDK 7 to https://people.debian.org/~apo/openjdk7/amd64/ including all binaries and sources, along with a signed .changes file. Please let me know if you find any regressions from the current released version 7u231-2.6.19-1~deb8u2. Regards, Markus

RFT: squid3 3.4.8-6+deb8u9

2019-12-07 Thread Markus Koschany
Hello, I have uploaded a new version of squid3 to https://people.debian.org/~apo/squid3/amd64/ including all binaries and sources, along with a signed .changes file. Please let me know if you find any regressions from the current released version 3.4.8-6+deb8u8. Regards, Markus

Re: Jessie update of nethack (minor security issues)?

2019-12-20 Thread Markus Koschany
Hi Mike, On 20.12.19 at 13:33 Mike Gabriel wrote: > The Debian LTS team recently reviewed the security issue(s) affecting your > package in Jessie: > https://security-tracker.debian.org/tracker/CVE-2019-19905 > > We decided that a member of the LTS team should take a look at this > package, alt

Re: Claim apache-log4j1.2 and nss in dla-needed.txt

2019-12-29 Thread Markus Koschany
Hi Chris, (sorry forgot to CC debian-lts) I think that was a mistake. We definitely should fix apache-log4j1.2 in all distributions because a lot of packages depend on it. However the vulnerability surfaces only when you use the (optional) option to log to a remote server. I am quite sure that mo

Re: Claim apache-log4j1.2 and nss in dla-needed.txt

2019-12-29 Thread Markus Koschany
On 29.12.19 at 19:24 Holger Levsen wrote: > On Sun, Dec 29, 2019 at 07:13:15PM +0100, Markus Koschany wrote: >> I also recommend to let me handle triaging work because I am officially >> frontdesk at the moment. You can always grab a package and work on it >> but let fro

Re: Bug#931376: debian-security-support: mention nodejs is not for untrusted content

2020-02-20 Thread Markus Koschany
On 20.02.20 at 18:08 Emilio Pozuelo Monfort wrote: [...] > Yes, this was mentioned in the release notes for jessie and stretch: > > https://www.debian.org/releases/jessie/amd64/release-notes/ch-information.en.html#libv8 > https://www.debian.org/releases/stretch/amd64/release-notes/ch-informatio

Re: Possible clashing of work

2020-07-01 Thread Markus Koschany
Hello, On 01.07.20 at 17:50 Utkarsh Gupta wrote: [...] > > Right now, this package has been claimed in dla-needed.txt by Markus > and in dsa-needed.txt by jmm. > Although I think jmm is working on Stretch and Markus is working on > Jessie. But to be very explicit (since explicit is better than

Re: Steps for Debian Jessie LTS end-of-life

2020-07-01 Thread Markus Koschany
Hello, On 01.07.20 at 11:27 Ansgar wrote: > Hi, > > since LTS for Jessie has ended according to [1], can we disable uploads > and prepare for archiving the release? > > I want to: > > 1. Stop accepting anything. > 2. Have one Release with no Valid-Until for archive.d.o (to try to > make so

Re: Possible clashing of work

2020-07-01 Thread Markus Koschany
On 01.07.20 at 18:48 Utkarsh Gupta wrote: [...] > Let me know what you think. Please don't drop imagemagick or squid3 from dla-needed.txt or any other package. This should be done by the people who have claimed the packages because they know what they are working on. In less than two weeks we

Re: Steps for Debian Jessie LTS end-of-life

2020-07-01 Thread Markus Koschany
On 01.07.20 at 19:14 Ansgar wrote: > On Wed, 2020-07-01 at 18:38 +0200, Markus Koschany wrote: >> On 01.07.20 at 11:27 Ansgar wrote: >>> since LTS for Jessie has ended according to [1], can we disable uploads >>> and prepare for archiving the release? > [...] &g

Re: Steps for Debian Jessie LTS end-of-life

2020-07-01 Thread Markus Koschany
On 01.07.20 at 19:31 Emilio Pozuelo Monfort wrote: [...] > Perhaps it would have made sense to not EOL jessie until stretch had actually > become LTS. ^^ This. I don't understand why we don't wait for Stretch becoming LTS, having upload privileges for

RFT: squid3 3.5.23-5+deb9u2, please test

2020-07-01 Thread Markus Koschany
Hello, I have uploaded a new version of squid3 for Stretch to people.debian.org. https://people.debian.org/~apo/lts/squid3/stretch/ It contains many bug fixes. Let me know if you find any regressions from the current released version 3.5.23-5+deb9u1. Regards, Markus

Draft: Debian 8 Long Term Support reaching end-of-life

2020-07-02 Thread Markus Koschany
Hello publicity and translation teams, I have drafted a new announcement, "Debian 8 Long Term Support reaching end-of-life". I would like you to review the draft and the i18n teams to translate the content when it is approved by you. You can find the text here: https://salsa.debian.org/publicity-

Re: Draft: Debian 8 Long Term Support reaching end-of-life

2020-07-02 Thread Markus Koschany
On 02.07.20 at 20:06 Moritz Muehlenhoff wrote: >> Security support for Stretch LTS will be handed over on July 18, 2020, >> after the last point release. > > What's that supposed to mean? Support for oldstable ends on the 6th > > And why was this not sent to team@s.d.o? > > Cheers, >

Re: Draft: Debian 8 Long Term Support reaching end-of-life

2020-07-02 Thread Markus Koschany
On 02.07.20 at 20:39 Moritz Mühlenhoff wrote: > On Thu, Jul 02, 2020 at 08:24:42PM +0200, Markus Koschany wrote: >> Sorry, but I was assuming that the official end of oldstable is on July >> 18 when Debian 9.13 is released. >> >> https://lists.debian.org/debia

Re: Draft: Debian 8 Long Term Support reaching end-of-life

2020-07-03 Thread Markus Koschany
Hi Chris, On 03.07.20 at 09:45 Chris Lamb wrote: > [adding t...@security.debian.org to CC due to parallel thread] > > Hi Markus, > >> The supported architectures include amd64, i386, armel, armhf >> and arm64 now. > > On this point (at line 36) file, as this is an announcement of a > transiti

Re: Draft: Debian 8 Long Term Support reaching end-of-life

2020-07-06 Thread Markus Koschany
Hi, On 06.07.20 at 15:25 Emilio Pozuelo Monfort wrote: > Hi Markus, > > On 02/07/2020 17:42, Markus Koschany wrote: >> I have drafted a new announcement, "Debian 8 Long Term Support reaching >> end-of-life". I would like you to review the draft and the i18n te

Re: Thoughts on CVE-2020-15049/squid3?

2020-09-25 Thread Markus Koschany
Hello Roberto, On 25.09.20 at 21:25 Roberto C. Sánchez wrote: > Hello fellow LTS people, > > I am working on an update for the squid3 package. At this time there > are 4 open CVEs, of which 3 have patches that apply with little or no > change required. However, the patch for CVE-2020-15049 do

Re: Thoughts on CVE-2020-15049/squid3?

2020-09-25 Thread Markus Koschany
On 25.09.20 at 22:24 Roberto C. Sánchez wrote: > On Fri, Sep 25, 2020 at 10:04:59PM +0200, Markus Koschany wrote: >> Hello Roberto, >> >> On 25.09.20 at 21:25 Roberto C. Sánchez wrote: >>> Hello fellow LTS people, >>> >>> I am working on an up

RFT: squid3 3.5.23-5+deb9u5, please test

2020-09-28 Thread Markus Koschany
[adding Andreas and Kevin to CC who helped with testing past squid3 updates] Hello, I have uploaded a new version of squid3 for Stretch to people.debian.org. https://people.debian.org/~apo/lts/squid3/stretch/ It contains fixes for CVE-2020-15049, CVE-2020-15810, CVE-2020-15811 and CVE-2020-2460

Re: RFT: squid3 3.5.23-5+deb9u5, please test

2020-10-02 Thread Markus Koschany
Thank you all for testing the new squid release. It was released as DLA-2394-1 today. Regards, Markus

Re: Bug#976219: zsh uninstallable due to partial oldstable security update

2020-12-01 Thread Markus Koschany
Hello, zsh 5.3.1-4+deb9u4 was successfully uploaded to stretch-security thirteen hours ago but it still remains in status "uploaded" for all supported architectures except arch all. Who can "install" the packages into the archive or is another upload necessary? Regards, Markus

Re: Bug#976219: zsh uninstallable due to partial oldstable security update

2020-12-02 Thread Markus Koschany
Hello, On Wednesday, 02.12.2020, 11:11 +0200 Anssi Kolehmainen wrote: > zsh package has appeared in security.debian.org and now it is installable > again. I am glad this problem could be solved hence I am going to close this bug report now. Regards, Markus

Security updates of ansible in buster and stretch

2021-01-27 Thread Markus Koschany
Hello Lee, hello security team, I have been working on security updates of ansible in Stretch and my intention was to fix the remaining issues in Buster as well. However testing those upstream patches proved to be rather difficult in older releases. I believe it is generally possible to fix most o

Re: Security updates of ansible in buster and stretch

2021-02-04 Thread Markus Koschany
Hi Lee, On Tuesday, 02.02.2021, 03:56 +0100 Lee Garrett wrote: [...] > Backporting a new feature release will be disruptive, as ansible > deprecates many things within 2 feature releases. Meaning that an > upgrade in oldstable from 2.2 to 2.7 will likely break the playbooks for > most user

Re: Supporting unbound in stretch by upgrading to 1.9

2021-02-06 Thread Markus Koschany
On Wednesday, 20.01.2021, 04:32 -0500 Robert Edmonds wrote: [...] > I would be OK with promoting an unbound package based on 1.9.6-2 (the > last 1.9.x package) to buster, if that's OK with the release team. Hello Robert, As you know we have had a request from users to "resurrect" unbound in

[SECURITY] [DLA 2553-1] xcftools security update

2021-02-09 Thread Markus Koschany
Debian LTS Advisory DLA-2553-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Markus Koschany February 09, 2021 https://wiki.debian.org/LTS

Re: Supporting unbound in stretch by upgrading to 1.9

2021-02-11 Thread Markus Koschany
Hi Robert, On Saturday, 06.02.2021, 19:46 -0500 Robert Edmonds wrote: [...] > Hi, Markus: > > I'm OK with both of these plans. > > For the proposed 1.9.6 buster update, can you send me git commits based > against > https://salsa.debian.org/dns-team/unbound/-/tree/branches/1.9.0-2_deb10 > ?

Re: Supporting unbound in stretch by upgrading to 1.9

2021-02-17 Thread Markus Koschany
Hi, On Wednesday, 17.02.2021, 12:43 -0500 Robert Edmonds wrote: [...] > Hi, > > It looks like #982671 / #982672 was assigned by the BTS to src:unbound > rather than src:unbound1.9. I attempted to re-assign the bug to > src:unbound1.9 with notfound/found but I don't think that worked since I

Re: Supporting unbound in stretch by upgrading to 1.9

2021-02-17 Thread Markus Koschany
Hello, On Wednesday, 17.02.2021, 14:09 -0500 Robert Edmonds wrote: > Hi, > > #982671 / #982672 is incorrectly reported against the python-unbound > package. It should instead be against the unbound binary package because > this functionality is in the unbound daemon. Please feel free to rea

Re: Supporting unbound in stretch by upgrading to 1.9

2021-02-17 Thread Markus Koschany
On Wednesday, 17.02.2021, 15:21 -0500 Robert Edmonds wrote: > Markus Koschany wrote: [...] > > Please feel free to reassign and/or adjust the bug report as necessary. > > I get the following error message from the BTS. Do I need to do > "reassign 982671 unbound1.9&quo

Re: Tracking related source packages

2021-02-26 Thread Markus Koschany
Hi, On Thursday, 25.02.2021, 20:01 +0100 Moritz Mühlenhoff wrote: > On Thu, Feb 25, 2021 at 05:30:05PM +0100 Sylvain Beucler wrote: > > - This problem is similar/related to tracking embedded code copies. > > See https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/2 > > With on

Re: buster update for jackson-databind

2021-04-19 Thread Markus Koschany
Hi, On Monday, 19.04.2021, 13:15 +0530 Utkarsh Gupta wrote: > Hello, > > There are 18 no-dsa marked entries for jackson-databind for buster, > the same ones I fixed for jessie and also the same ones that I intend > to work on for stretch. It'd be thus unfair if those are pending in > buster

Security update rejected: upload of edk2/0~20161202.7bbe0b3e-1+deb9u2 failed

2021-04-29 Thread Markus Koschany
Hello ftp team, I tried to upload a Stretch security update of edk2 but it was rejected with the following error message. Could it be related to the fact that edk2 was previously in Jessie/non-free? How could this issue be resolved for Stretch? Processing raised an exception: Multiple rows were

Re: Tracking unbound1.9

2021-04-29 Thread Markus Koschany
Hi, On Thursday, 29.04.2021, 20:59 +0200 Salvatore Bonaccorso wrote: > On Thu, Apr 29, 2021 at 06:29:33PM +0200, Sylvain Beucler wrote: > > Hi, > > > > I saw a batch of new CVEs were tracked for 'unbound', but not for the > > stretch-specific 'unbound1.9' package[1]. > > > > I can go ahe

Re: libxstream-java blacklist EOL?

2021-06-02 Thread Markus Koschany
Hi Emilio, On Wednesday, 02.06.2021, 12:26 +0200 Emilio Pozuelo Monfort wrote: > I think it is time > we declare the block list unsupported, asking users to switch to the allow > list. > > Thoughts? I believe it is sensible to switch to the whitelist by default after we have tested the re

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2021-08-09 Thread Markus Koschany
On Monday, 09.08.2021 at 06:38 -0400 Roberto C. Sánchez wrote: [...] > > It was completely my fault. According to Raphaël and Thorsten, Markus > was not responding to emails. I assumed that because Raphaël requested > someone get in touch with Thorsten, that I should simply contact > Thors

Security update of ruby-kaminari

2021-08-13 Thread Markus Koschany
Hi Utkarsh et al, I have prepared a security update of ruby-kaminari to fix CVE-2020-11082. I have tested this update by creating a rails app with kaminari and the pagination feature including the updated blacklist appears to be working as intended. As the maintainer could you take a look at it an

Re: Propose to ignore libxstream-java CVEs

2021-08-27 Thread Markus Koschany
Hi, On Friday, 27.08.2021 at 14:03 +0200 Sylvain Beucler wrote: > Hi, > > I wrote an analysis in June > https://lists.debian.org/debian-lts/2021/06/msg00024.html > https://lists.debian.org/debian-lts/2021/06/msg00040.html > > I believe we should postpone these CVEs with the goal of tracki

Re: Bug#994080: qemu-system-x86: Upgrading to 1:2.8+dfsg-6+deb9u15 breaks user-mode networking in guest

2021-09-11 Thread Markus Koschany
On Saturday, 11.09.2021 at 03:49 -0500 Matt Roberds wrote: > Package: qemu-system-x86 > Version: 1:2.8+dfsg-6+deb9u15 > Severity: important > X-Debbugs-Cc: debian-lts@lists.debian.org > > Hello all! > > Quick version: > == > > I recently upgraded the qemu packages on my host fro

Re: Propose to ignore libxstream-java CVEs

2021-09-22 Thread Markus Koschany
Hi all, so far I have not found any regressions in Debian packages which depend on libxstream-java. I propose to switch to the whitelist in all suites because this is the only reasonable way to secure XStream. I have prepared an update for Stretch. Anton, could you take a look at it because I saw

Re: Propose to ignore libxstream-java CVEs

2021-09-23 Thread Markus Koschany
Hi, On Wednesday, 22.09.2021 at 20:57 +0200 Sylvain Beucler wrote: [...] > > > > I am pretty surprised because I had concluded that all reverse-dependencies > > would break, due to not white-listing any app-specific class: > > https://lists.debian.org/debian-lts/2021/06/msg00040.html > > >

Re: Propose to ignore libxstream-java CVEs

2021-09-29 Thread Markus Koschany
Hi, On Thursday, 23.09.2021 at 19:40 +0200 Anton Gladky wrote: > Hi Markus, > > I have applied your patch and the pipelines have passed [1]. So, at least > nothing breaks from the "build side of view". Thanks to all who have contributed to this thread. I have just uploaded a new securit

Security update of salt

2021-10-25 Thread Markus Koschany
Hello, I have picked up salt in dla-needed.txt and I wondered why there hasn't been any progress in the last months. Upstream appears to have released security patches for version 2016.11.3 and 2018.3.5 which is quite close to what we have in Debian. The patches for Stretch are https://gitlab.co

Re: libspring-java support

2021-12-03 Thread Markus Koschany
Hi Sylvain, On Friday, 03.12.2021 at 14:28 +0100 Sylvain Beucler wrote: > Hi, > > This year I worked on libspring-java twice for LTS&ELTS. In both cases > upstream provided limited information for the CVEs, and for 5 of them > we're unable to determine the fixes. > https://deb.freexian.co

Testing nvidia-graphics-drivers

2021-12-30 Thread Markus Koschany
Hello, I have prepared a security update of nvidia-graphics-drivers which can be found here. [1] The new upstream release 390.144 apparently fixes all currently open CVE in Stretch. [2] Due to the non-free nature of Nvidia's graphics drivers we have to trust the vendor in this regard. So far I ha

EOL guacamole-client in Stretch

2022-01-31 Thread Markus Koschany
Hello, I believe we should mark guacamole-client as end-of-life in Stretch but I would like to hear your opinion too. Guacamole in Stretch is a five year old web application with four open CVE. Upstream recommends to upgrade to the latest 1.4.0 release and does not provide further details about sp

Re: EOL guacamole-client in Stretch

2022-02-04 Thread Markus Koschany
Hello, On Wednesday, 02.02.2022 at 17:22 +0100 Sylvain Beucler wrote: > I would be wary of popcon for this kind of server package, since > there's one instance for potentially a lot of (web) users. > > That being said, given all your other arguments above, it sounds like > maintaining orp

MariaDB security vulnerabilities

2022-02-14 Thread Markus Koschany
Hello, Just a heads-up. New CVE have been reported for MariaDB 10.3. It is likely that 10.1 in Stretch is affected as well. Otto Kekäläinen (maintainer) is currently investigating if it is feasible to backport a newer MariaDB version to Stretch because 10.1 is no longer supported upstream. Do we h

Re: Broken bind9 security update

2022-03-19 Thread Markus Koschany
On Saturday, 19.03.2022 at 10:55 +0100 Christopher Huhn wrote: > Hi y'all > > It looks like the bind9 security update for Stretch is severely broken, > cf. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007945 > > We had to emergency downgrade to get our DNS servers working again. Than

Re: [SECURITY] [DLA 3012-1] libxml2 security update

2022-05-17 Thread Markus Koschany
Hi Anton, On Tuesday, 17.05.2022 at 06:35 +0200 Anton Gladky wrote: > Hello Markus, > > thanks for the update! Could you please push your last change into the > git-repo [1] and tag an upload? Done.

Re: What are we supporting with LTS now? Please advice

2022-07-12 Thread Markus Koschany
Hi Ola, adding the security team to CC to get some feedback from them. On Tuesday, 12.07.2022 at 13:58 +0200 Ola Lundqvist wrote: > [...] > We (as LTS team) are obviously not responsible for buster yet. > > But are we responsible for anything? It looks like we are in a limbo. > > What sh

Re: What are we supporting with LTS now? Please advice

2022-07-12 Thread Markus Koschany
On Tuesday, 12.07.2022 at 19:24 +0200 Salvatore Bonaccorso wrote: > Hey, > > On Tue, Jul 12, 2022 at 06:12:04PM +0200, Markus Koschany wrote: > > > > > I assume adding no-dsa packages to dla-needed.txt is OK if they can be > > included > > in the nex

Re: EOL candidates for security-support-ended.deb10

2022-08-03 Thread Markus Koschany
Hi, On Wednesday, 03.08.2022 at 11:54 +0200 Sylvain Beucler wrote: > > > This one I'm unsure: Markus, does this apply to a particular ansible > version, or only stretch's? > - ansible Lack of an effective test suite makes proper support impossible I think the test suite in Buster is more

Asterisk: request for testing

2022-10-18 Thread Markus Koschany
Hi, I have prepared two security updates of Asterisk, a Private Branch Exchange, one for Bullseye and one for Buster. The update will address 27 CVE in Buster and 20 CVE in Bullseye. This is also a new upstream release, version 16.28.0, which required to refresh existing patches and make some adju

Re: Asterisk: request for testing

2022-10-25 Thread Markus Koschany
Hello, On Tuesday, 25.10.2022 at 13:48 +0200 Marc SCHAEFER wrote: > Hello, > > I would like to test (mainly on buster), but so far I have not found the > time to do so. > > When do you intend to release this: I can wait a few days more but wanted to release at the end of the month at the

Re: Asterisk: request for testing

2022-10-25 Thread Markus Koschany
Hi Bernhard, On Tuesday, 25.10.2022 at 17:56 + Schmidt, Bernhard wrote: > Hi Markus, > > thanks for taking care of this. I've installed your packages on our > company PBX. ~500 phones connected using SIP/TLS and SRTP. Thank you for testing! > - There are a lot of changed configuratio

Re: Propose to ignore CVE-2022-41853 for hsqldb

2022-10-31 Thread Markus Koschany
Hi Ola, On Monday, 31.10.2022 at 12:55 +0100 Ola Lundqvist wrote: > > Any other thoughts? I agree this is a possible breaking change. I suggest we fix unstable first and investigate the further implications. I will do that soon. I have updated the security tracker with information about th

Re: Asterisk: request for testing

2022-11-11 Thread Markus Koschany
Hello Bernhard, On Tuesday, 25.10.2022 at 17:56 + Schmidt, Bernhard wrote: > I will keep it running this way and report back tomorrow. Did you find any other issues with the new Asterisk release? Shall I go ahead with the upload? Regards, Markus

Re: Asterisk: request for testing

2022-11-17 Thread Markus Koschany
I have just released DLA-3194-1. Thanks to all who have contributed to this thread. Regards, Markus

hugo_0.55.6+really0.54.0-1+deb10u1_amd64-buildd.changes REJECTED

2023-05-14 Thread Markus Koschany
Dear ftp team, I have recently uploaded hugo 0.55.6+really0.54.0-1+deb10u1 and gitlab-workhorse 7.6.0+debian-1+deb10u1 to security-master. Both packages got rejected because of non-existing source packages go-md2man and golang-github-mitchellh-copystructure. Could you just manually inject these

Re: hugo_0.55.6+really0.54.0-1+deb10u1_amd64-buildd.changes REJECTED

2023-05-14 Thread Markus Koschany
On Sunday, 14.05.2023 at 12:16 +0200 Thorsten Alteholz wrote: > Hi Markus, > > On 14.05.23 09:50, Markus Koschany wrote: > > Could you just manually inject these packages into the security > > archive please? > > there were others missing as well, but I hope

Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata

2023-05-25 Thread Markus Koschany
Hello Daniel, On Thursday, 25.05.2023 at 08:02 +0200 Salvatore Bonaccorso wrote: > > > > These two commits in upstream addressed this: > > https://github.com/Netatalk/netatalk/commit/9d0c21298363e8174cdfca657e66c4d10819507b > > https://github.com/Netatalk/netatalk/commit/4140e5495bac42ecb

Re: [Pkg-netatalk-devel] Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata

2023-05-26 Thread Markus Koschany
On Thursday, 25.05.2023 at 19:22 -0700 Daniel Markstedt wrote: > [...] > Thank you very much for taking swift action on this! > Please forgive my ignorance here, but are these patches active already > if I apt install netatalk (3.1.12~ds-3+deb10u1) on Buster? > Or do they have to be picked

Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata

2023-06-01 Thread Markus Koschany
Version: 3.1.12~ds-3+deb10u2 Thanks for your report and the detailed replies. I could reproduce the problem and identify a wrongly applied commit in libatalk/adouble/ad_open.c. After applying a new patch to fix it, the AppleDouble v2 format seems to work as intended again. I'm going to close this

golang-go.crypto security update: Built-Using refers to non-existing source package

2023-06-13 Thread Markus Koschany
Hello ftp team, I have uploaded a security update of golang-go.crypto today that required rebuilding several reverse-dependencies. Most of those packages were rejected because of non-existing source packages. Could you just manually inject these packages into the security archive again please? T

Re: Major erlang update?

2023-07-17 Thread Markus Koschany
Hello, On Monday, 17.07.2023 at 15:28 +0200, Lennart Ackermans wrote: > Hi, > The recent security update of erlang on Buster goes from 21.2.6 to 22.2.7. > This is a major update that can break dependencies. Was this a mistake or was > this intentional? The upgrade was intentional. > If it

Re: Major erlang update?

2023-07-17 Thread Markus Koschany
On Monday, 17.07.2023 at 18:12 +0200, Lennart wrote: > Hi Markus, > > Thanks for your reply. What is the LTS team's policy for security bugs? > Under which conditions are packages upgraded and under which conditions > are current versions patched? Information about this would be especially

Re: Triaging #1039489 for an LTS update

2023-07-27 Thread Markus Koschany
Hi Sven, On Thursday, 27.07.2023 at 13:54 +0200, Sven Bartscher wrote: > Hi, > > A while back I reported #1039489 in the BTS and I would like to fix the > issue for Buster in an LTS update. > > Following the guide on [1] it seems I need to get the issue added to the > dla-needed.txt by

Re: Triaging #1039489 for an LTS update

2023-07-27 Thread Markus Koschany
On Thursday, 27.07.2023 at 17:08 +0200, Sven Bartscher wrote: > I've uploaded the changes to buster-security and to the Perl team's git > repository. Thanks for your contribution. I have just released DLA-3509-1. Cheers, Markus

Re: Bug#1043504: Another regression fix for CVE-2022-23123

2023-08-13 Thread Markus Koschany
On Friday, 11.08.2023 at 22:45 -0700, Daniel Markstedt wrote: > Package: netatalk > Version: 3.1.12~ds-3+deb10u2 > X-Debbugs-Cc: t...@security.debian.org,debian-lts@lists.debian.org > > Dear Debian Security team, > > Would you be able to help me get the following critical regression fix > i

non-free and autobuilding for security

2023-08-16 Thread Markus Koschany
Hi all, I am currently in the process of updating rar and unrar-nonfree to address some security vulnerabilities. I have already uploaded unrar-nonfree to buster-security but the builders don't seem to automatically build these packages, even though the XS-Autobuild flag is set to yes. I have tri

Re: non-free and autobuilding for security

2023-08-17 Thread Markus Koschany
Hi, On Thursday, 17.08.2023 at 01:54 +0200, Aurelien Jarno wrote: > > Historically there was no support of non-free for -security suites. > We recently added support for >= bullseye suites, we can look at doing > the same for buster, but if your request is urgent, it might be better > to

Re: Accepted libyang 0.16.105+really1.0-0+deb10u1 (source) into oldoldstable

2023-09-20 Thread Markus Koschany
Hello, On Wednesday, 20.09.2023 at 10:17 +0200, Emilio Pozuelo Monfort wrote: > > > I'm unsure about the version here. I see buster/bullseye have: > > libyang    | 0.16.105-1+deb10u1 | oldoldstable   | source > libyang    | 1.0.225-1.1    | oldstable  | source > > So if you

Re: Accepted libyang 0.16.105+really1.0-0+deb10u1 (source) into oldoldstable

2023-09-27 Thread Markus Koschany
> > Let me know if you want me to take care of the above. Feel free to take care of it. Regards, Markus

Re: Question about the status of libclamunrar9/libclamunrar and CVE-2023-40477 in debian buster aka oldoldstable

2023-11-13 Thread Markus Koschany
Hi, > > Is there any chance that the patched version (0.103.10) will be back-ported from bullseye? Thanks for the heads-up. We will update clamav in Buster to 0.103.10 as well to include the patches for libclamunrar. Regards, Markus

Re: Support of Tor in buster LTS

2023-11-29 Thread Markus Koschany
Hi Santiago, On Tuesday, 28.11.2023 at 22:56 +, Santiago Ruano Rincón wrote: > Hi there, > > ... > > > = > > data/dla-needed.txt > > = > > ... > > > +tor > > +  NOTE: 20231119: Added by Front-Desk (apo) > > +-- >

curl: CVE-2023-28322 and CVE-2023-27534

2023-11-30 Thread Markus Koschany
Hi Samuel, I have recently triaged CVE-2023-28322 and CVE-2023-27534 for curl as ignored for Buster because I believe those are minor issues. Since you expressed interest as the maintainer of curl to fix potential security vulnerabilities, I am asking you for your assessment. Are you (or someone e
