[SECURITY] [DLA 1264-1] unbound security update

2018-01-30 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: unbound Version: 1.4.17-3+deb7u3 CVE ID : CVE-2017-15105 Debian Bug : 887733 Ralph Dolmans and Karst Koymans found a flaw in the way unbound validated wildcard-synthesized NSEC records. An improperly validated

Accepted unbound 1.4.17-3+deb7u3 (source amd64) into oldoldstable

2018-01-30 Thread Markus Koschany
Maintainer: Robert S. Edmonds <edmo...@debian.org> Changed-By: Markus Koschany <a...@debian.org> Description: libunbound-dev - static library, header files, and docs for libunbound libunbound2 - library implementing DNS resolution and validation python-unbound - library impl

[SECURITY] [DLA 1265-1] krb5 security update

2018-01-31 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: krb5 Version: 1.10.1+dfsg-5+deb7u9 CVE ID : CVE-2013-1418 CVE-2014-5351 CVE-2014-5353 CVE-2014-5355 CVE-2016-3119 CVE-2016-3120 Debian Bug : 728845 762479 773226 778647 819468 832572 Kerberos, a

Accepted pound 2.6-2+deb7u2 (source amd64) into oldoldstable

2018-02-12 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Mon, 12 Feb 2018 22:32:32 +0100 Source: pound Binary: pound Architecture: source amd64 Version: 2.6-2+deb7u2 Distribution: wheezy-security Urgency: high Maintainer: Brett Parker <idu...@sommitrealweird.co.uk> Changed-By:

[SECURITY] [DLA 1280-1] pound security update

2018-02-12 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: pound Version: 2.6-2+deb7u2 CVE ID : CVE-2016-10711 Debian Bug : 888786 A request smuggling vulnerability was discovered in pound that may allow attackers to send a specially crafted http request to a web server

Accepted uwsgi 1.2.3+dfsg-5+deb7u2 (source all amd64) into oldoldstable

2018-02-10 Thread Markus Koschany
+dfsg-5+deb7u2 Distribution: wheezy-security Urgency: high Maintainer: Janos Guljas <ja...@resenje.org> Changed-By: Markus Koschany <a...@debian.org> Description: libapache2-mod-ruwsgi - uwsgi module for Apache2 (mod_Ruwsgi) libapache2-mod-ruwsgi-dbg - debugging symbols for Apache

[SECURITY] [DLA 1276-1] tomcat-native security update

2018-02-11 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: tomcat-native Version: 1.1.24-1+deb7u1 CVE ID : CVE-2017-15698 Jonas Klempel discovered that, when parsing the AIA-Extension field of a client certificate, Apache Tomcat Native did not correctly handle fields longer

Accepted tomcat-native 1.1.24-1+deb7u1 (source amd64) into oldoldstable

2018-02-11 Thread Markus Koschany
ain...@lists.alioth.debian.org> Changed-By: Markus Koschany <a...@debian.org> Description: libtcnative-1 - Tomcat native library using the apache portable runtime Changes: tomcat-native (1.1.24-1+deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the LTS team. *

[SECURITY] [DLA 1275-1] uwsgi security update

2018-02-10 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: uwsgi Version: 1.2.3+dfsg-5+deb7u2 CVE ID : CVE-2018-6758 Debian Bug : 889753 It was discovered that the uwsgi_expand_path function in utils.c in Unbit uWSGI, an application container server, has a stack-based

Re: [Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add librsvg to dla-needed.txt

2018-02-11 Thread Markus Koschany
Hi, Am 11.02.2018 um 23:08 schrieb Santiago R.R.: > El 11/02/18 a las 18:16, Markus Koschany escribió: >> Markus Koschany pushed to branch master at Debian Security Tracker / >> security-tracker >> >> Commits: >> >> • f8aa9d3d >> by Markus Koscha

Accepted advancecomp 1.15-1+deb7u1 (source amd64) into oldoldstable

2018-02-13 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Tue, 13 Feb 2018 14:28:04 +0100 Source: advancecomp Binary: advancecomp Architecture: source amd64 Version: 1.15-1+deb7u1 Distribution: wheezy-security Urgency: high Maintainer: Piotr Ozarowski <oza...@gmail.com> Changed-By:

[SECURITY] [DLA 1281-1] advancecomp security update

2018-02-13 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: advancecomp Version: 1.15-1+deb7u1 CVE ID : CVE-2018-1056 Debian Bug : 889270 Joonun Jang discovered that the advzip tool in advancecomp, a collection of recompression utilities, was prone to a heap-based buffer

Re: Extended Long Term Support for Wheezy

2018-02-20 Thread Markus Koschany
Am 20.02.2018 um 18:10 schrieb Raphael Hertzog: > (this reply on debian-lts, not on debian-devel) > > On Tue, 20 Feb 2018, Raphael Hertzog wrote: >> some of the LTS sponsors are looking to extend the support period of >> Debian 7 Wheezy (from a few months up to a full year). > > FWIW, I

Re: forgot frontdesk - apologies and solutions?

2018-02-16 Thread Markus Koschany
Am 16.02.2018 um 15:47 schrieb Antoine Beaupré: > Hi! > > Markus reminded me today that I was frontdesk for the week: I had > completely forgotten. :( For some reason, I hadn't noted this down in my > agenda which means the event simply doesn't exist in this case. I have > reviewed my other

Re: Extended Long Term Support for Wheezy

2018-02-20 Thread Markus Koschany
Am 20.02.2018 um 18:39 schrieb Vincent Bernat: > ❦ 20 février 2018 18:10 +0100, Raphael Hertzog : > >>> some of the LTS sponsors are looking to extend the support period of >>> Debian 7 Wheezy (from a few months up to a full year). >> >> FWIW, I published a blog post with

Re: reportbug: please inform security and lts teams about security update regressions

2017-12-22 Thread Markus Koschany
Am 21.12.2017 um 22:42 schrieb Salvatore Bonaccorso: [...] > Don't worry anymore. It was as well not about all the timeline, I'm > aware when you did the initial ping, but rather on the "we think it > needs a change on security tracker and want this information exposed > ... I want to do the

Re: Wheezy update of irssi?

2017-12-22 Thread Markus Koschany
Am 22.12.2017 um 13:24 schrieb Emilio Pozuelo Monfort: > On 22/12/17 09:49, Chris Lamb wrote: >> Dear maintainer(s), >> >> The Debian LTS team would like to fix the security issues which are >> currently open in the Wheezy version of irssi: >>

Accepted wordpress 3.6.1+dfsg-1~deb7u20 (source all) into oldoldstable

2017-12-21 Thread Markus Koschany
cul...@debian.org> Changed-By: Markus Koschany <a...@debian.org> Description: wordpress - weblog manager wordpress-l10n - weblog manager - language files Changes: wordpress (3.6.1+dfsg-1~deb7u20) wheezy-security; urgency=high . * Non-maintainer upload by the LTS team. * Backport securit

[SECURITY] [DLA 1216-1] wordpress security update

2017-12-21 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: wordpress Version: 3.6.1+dfsg-1~deb7u20 CVE ID : CVE-2017-17091 CVE-2017-17092 CVE-2017-17093 CVE-2017-17094 Debian Bug : 883314 Several vulnerabilities were discovered in wordpress, a web

Re: libidn in data/dla-needed.txt

2018-06-21 Thread Markus Koschany
Hey, Am 22.06.2018 um 00:00 schrieb Chris Lamb: > Dear Thorsten, > > I claimed libidn in data/dla-needed.txt early this morning but somehow > failed to push this to the repository. I note that you subsequently > claimed the package. > > I discovered the above just now after preparing a package.

Accepted openssl 1.0.1t-1+deb8u9 (source all amd64) into oldstable

2018-07-27 Thread Markus Koschany
: high Maintainer: Debian OpenSSL Team Changed-By: Markus Koschany Description: libcrypto1.0.0-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb) libssl-dev - Secure Sockets Layer toolkit - development files libssl-doc - Secure Sockets Layer toolkit - development documentation

[SECURITY] [DLA 1449-1] openssl security update

2018-07-27 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: openssl Version: 1.0.1t-1+deb8u9 CVE ID : CVE-2018-0732 CVE-2018-0737 Debian Bug : 895844 Two issues were discovered in OpenSSL, the Secure Sockets Layer toolkit. CVE-2018-0732 Denial of service by a

Accepted busybox 1:1.22.0-9+deb8u4 (source amd64 all) into oldstable

2018-08-02 Thread Markus Koschany
Maintainer: Debian Install System Team Changed-By: Markus Koschany Description: busybox - Tiny utilities for small and embedded systems busybox-static - Standalone rescue shell with tons of builtin utilities busybox-syslogd - Provides syslogd and klogd using busybox busybox-udeb - Tiny utilities

[SECURITY] [DLA 1445-3] busybox regression update

2018-08-02 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: busybox Version: 1:1.22.0-9+deb8u4 It was found that the security update of busybox announced as DLA-1445-1 to prevent the exploitation of CVE-2011-5325, a symlinking attack, was too strict in case of cpio archives. This

Re: A possible regression in busybox-static version 1:1.22.0-9+deb8u2

2018-07-30 Thread Markus Koschany
Am 31.07.2018 um 04:01 schrieb jhcha54008: > Hi, > > Is it the right place to report a possible regression bug against > busybox-static version 1:1.22.0-9+deb8u2 ? It is. Thank you for contacting us. > 1) It seems it can't gunzip large files. > > $ dpkg -l busybox-static > ... > ii

[SECURITY] [DLA 1452-1] wordpress security update

2018-07-29 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: wordpress Version: 4.1+dfsg-1+deb8u18 CVE ID : CVE-2016-5836 CVE-2018-12895 Debian Bug : 902876 Two vulnerabilities were discovered in wordpress, a web blogging tool. The Common Vulnerabilities and Exposures

Accepted tomcat7 7.0.56-3+really7.0.90-1 (source all) into oldstable

2018-07-29 Thread Markus Koschany
: 7.0.56-3+really7.0.90-1 Distribution: jessie-security Urgency: high Maintainer: Debian Java Maintainers Changed-By: Markus Koschany Description: libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation libtomcat7-java

Accepted wordpress 4.1+dfsg-1+deb8u18 (source all) into oldstable

2018-07-29 Thread Markus Koschany
Distribution: jessie-security Urgency: high Maintainer: Craig Small Changed-By: Markus Koschany Description: wordpress - weblog manager wordpress-l10n - weblog manager - language files wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files wordpress-theme-twentyfourteen

[SECURITY] [DLA 1453-1] tomcat7 security update

2018-07-29 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: tomcat7 Version: 7.0.56-3+really7.0.90-1 CVE ID : CVE-2018-8034 The host name verification in Tomcat when using TLS with the WebSocket client was missing. It is now enabled by default. For Debian 8 "Jessie", this

[SECURITY] [DLA 1442-2] mailman regression update

2018-07-26 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: mailman Version: 1:2.1.18-2+deb8u4 Debian Bug : 904680 The security update of mailman announced as DLA-1442-1 introduced a regression due to an incomplete fix for CVE-2018-13796 that broke the admin and listinfo

Accepted busybox 1:1.22.0-9+deb8u2 (source amd64 all) into oldstable

2018-07-26 Thread Markus Koschany
Maintainer: Debian Install System Team Changed-By: Markus Koschany Description: busybox - Tiny utilities for small and embedded systems busybox-static - Standalone rescue shell with tons of builtin utilities busybox-syslogd - Provides syslogd and klogd using busybox busybox-udeb - Tiny utilities

Accepted mailman 1:2.1.18-2+deb8u4 (source amd64) into oldstable

2018-07-26 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Fri, 27 Jul 2018 05:49:39 +0200 Source: mailman Binary: mailman Architecture: source amd64 Version: 1:2.1.18-2+deb8u4 Distribution: jessie-security Urgency: high Maintainer: Mailman for Debian Changed-By: Markus Koschany

Accepted intel-microcode 3.20180703.2~deb8u1 (source amd64) into oldstable

2018-07-26 Thread Markus Koschany
-By: Markus Koschany Description: intel-microcode - Processor microcode firmware for Intel CPUs Changes: intel-microcode (3.20180703.2~deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the LTS team. * Rebuild for jessie-security (no changes) Checksums-Sha1

[SECURITY] [DLA 1445-2] busybox regression update

2018-08-01 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: busybox Version: 1:1.22.0-9+deb8u3 The security update of busybox announced as DLA-1445-1 introduced a regression due to an incomplete fix for CVE-2015-9261. It was no longer possible to decompress gzip archives which

[SECURITY] [DLA 1467-1] ruby-zip security update

2018-08-15 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: ruby-zip Version: 1.1.6-1+deb8u2 CVE ID : CVE-2018-1000544 Debian Bug : 902720 It was found that rubyzip, a Ruby module for reading and writing zip files, contained a Directory Traversal vulnerability that can

Apache2 CVE-2016-4975

2018-08-15 Thread Markus Koschany
Hello Stefan, I am currently investigating CVE-2016-4975 for Apache2. The issue is already two years old but was only made public yesterday. [1] I skimmed through old commit messages but I could not isolate the fixing commit. However I found this changelog entry [2] from December 13th, 2016 and

Re: Apache2 CVE-2016-4975

2018-08-16 Thread Markus Koschany
Hi Stefan, Am 16.08.2018 um 21:13 schrieb Stefan Fritsch: [...] > In jessie this has been included in 2.4.10-10+deb8u8 and Antoine did the > heroic backport to wheezy. So, there should not be anything to to fix in > Debian. Excellent. Thank you very much for your confirmation. Best, Markus

Re: Removal of 'arm64' from debian-security repo breaks community projects

2018-08-17 Thread Markus Koschany
Hello Lee, at the moment we only support four architectures, amd64, i386, armel and armhf because these are the ones which were requested by users and sponsors of Debian's Long Term support project. I believe we would all love to support even more architectures in the future but this mostly

[SECURITY] [DLA 1465-1] blender security update

2018-08-13 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: blender Version: 2.72.b+dfsg0-3+deb8u1 CVE ID : CVE-2017-2899 CVE-2017-2900 CVE-2017-2901 CVE-2017-2902 CVE-2017-2903 CVE-2017-2904 CVE-2017-2905 CVE-2017-2906 CVE-2017-2907

Accepted blender 2.72.b+dfsg0-3+deb8u1 (source amd64 all) into oldstable

2018-08-13 Thread Markus Koschany
Maintainers Changed-By: Markus Koschany Description: blender - Very fast and versatile 3D modeller/renderer blender-data - Very fast and versatile 3D modeller/renderer - data package blender-dbg - debug symbols for Blender Changes: blender (2.72.b+dfsg0-3+deb8u1) jessie-security; urgency=high

[SECURITY] [DLA 1472-1] libcgroup security update

2018-08-20 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: libcgroup Version: 0.41-6+deb8u1 CVE ID : CVE-2018-14348 Debian Bug : 906308 The cgrulesengd daemon in libcgroup creates log files with world readable and writable permissions due to a reset of the file mode

Re: Jessie security update of libextractor?

2018-08-20 Thread Markus Koschany
Hi Bertrand, Am 20.08.2018 um 21:32 schrieb Bertrand Marc: [...] > I'll prepare source package this week-end, but if it's fine with you > I'll let you take care of the LTS workflow as I am a bit busy these days. Thanks for your reply. It seems Chris Lamb is interested in fixing those issues. I

Re: status of the gdm3 security update

2018-08-28 Thread Markus Koschany
Hello Chris, the Debian LTS team would like to fix CVE-2018-14424, gdm3 in Jessie. We have prepared a patch [1] based on your work which you have attached to the Gnome issue tracker. [2] We have noticed [3] that it is still possible to "crash" gdm3 in Jessie with your POC although we cannot get a

Jessie security update of squirrelmail?

2018-08-19 Thread Markus Koschany
the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of squirrelmail updates for the LTS releases. Thank you very much. Markus Koschany, on behalf of the Debian LTS team. PS: A member of the LTS

Jessie security update of libextractor?

2018-08-19 Thread Markus Koschany
us know whether you would like to review and/or test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of libextractor updates for the LTS releases. Thank you very much. Markus Koschany

[SECURITY] [DLA 1475-1] tomcat-native security update

2018-08-22 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: tomcat-native Version: 1.1.32~repack-2+deb8u2 CVE ID : CVE-2018-8019 CVE-2018-8020 When using an OCSP responder Tomcat Native did not correctly handle invalid responses. This allowed for revoked client certificates

[SECURITY] [DLA 1473-1] otrs2 security update

2018-08-21 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: otrs2 Version: 3.3.18-1+deb8u5 CVE ID : CVE-2018-14593 Francesco Sirocco discovered a privilege escalation flaw in otrs2, the Open Ticket Request System. An attacker who is logged into OTRS as a user may escalate

Accepted otrs2 3.3.18-1+deb8u5 (source all) into oldstable

2018-08-21 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Tue, 21 Aug 2018 13:30:48 +0200 Source: otrs2 Binary: otrs2 otrs Architecture: source all Version: 3.3.18-1+deb8u5 Distribution: jessie-security Urgency: high Maintainer: Patrick Matthäi Changed-By: Markus Koschany Description

Status of PostgreSQL 9.1 in Jessie

2018-08-18 Thread Markus Koschany
Hello Christoph, I just noticed that we ship two versions of PostgreSQL in Jessie, 9.1 and 9.4. Do you plan to release future security updates for 9.1 as well? Do you prefer that we take care of it or shall we mark 9.1 as EOL and recommend to upgrade to 9.4 instead? Regards, Markus

Accepted sympa 6.1.23~dfsg-2+deb8u2 (source amd64) into oldstable

2018-07-24 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Tue, 24 Jul 2018 21:14:39 +0200 Source: sympa Binary: sympa Architecture: source amd64 Version: 6.1.23~dfsg-2+deb8u2 Distribution: jessie-security Urgency: high Maintainer: Debian Sympa team Changed-By: Markus Koschany

Accepted libarchive-zip-perl 1.39-1+deb8u1 (source all) into oldstable

2018-07-24 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Tue, 24 Jul 2018 21:08:04 +0200 Source: libarchive-zip-perl Binary: libarchive-zip-perl Architecture: source all Version: 1.39-1+deb8u1 Distribution: jessie-security Urgency: high Maintainer: Debian Perl Group Changed-By: Markus

Accepted mailman 1:2.1.18-2+deb8u3 (source amd64) into oldstable

2018-07-24 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Tue, 24 Jul 2018 22:02:16 +0200 Source: mailman Binary: mailman Architecture: source amd64 Version: 1:2.1.18-2+deb8u3 Distribution: jessie-security Urgency: high Maintainer: Mailman for Debian Changed-By: Markus Koschany

[SECURITY] [DLA 1440-1] libarchive-zip-perl security update

2018-07-24 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: libarchive-zip-perl Version: 1.39-1+deb8u1 CVE ID : CVE-2018-10860 Debian Bug : 902882 The libarchive-zip-perl package is vulnerable to a directory traversal attack in Archive::Zip. It was found that the

[SECURITY] [DLA 1441-1] sympa security update

2018-07-24 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: sympa Version: 6.1.23~dfsg-2+deb8u2 CVE ID : CVE-2018-1000550 A vulnerability has been discovered in Sympa, a modern mailing list manager, that allows write access to files on the server filesystem. This flaw allows

[SECURITY] [DLA 1499-1] discount security update

2018-09-08 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: discount Version: 2.1.7-1+deb8u1 CVE ID : CVE-2018-11468 CVE-2018-11503 CVE-2018-11504 CVE-2018-12495 Debian Bug : 901912 Several heap-based buffer over-reads were found in discount, an

Accepted discount 2.1.7-1+deb8u1 (source amd64) into oldstable

2018-09-08 Thread Markus Koschany
Ghedini Changed-By: Markus Koschany Description: discount - implementation of the Markdown markup language in C libmarkdown2 - implementation of the Markdown markup language in C (library) libmarkdown2-dbg - implementation of Markdown markup language in C (debug) libmarkdown2-dev

[SECURITY] [DLA 1482-1] libx11 security update

2018-08-29 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: libx11 Version: 2:1.6.2-3+deb8u2 CVE ID : CVE-2018-14598 CVE-2018-14599 CVE-2018-14600 Several issues were discovered in libx11, the client interface to the X Windows System. The functions XGetFontPath,

Accepted bouncycastle 1.49+dfsg-3+deb8u3 (source all) into oldstable

2018-07-07 Thread Markus Koschany
: 1.49+dfsg-3+deb8u3 Distribution: jessie-security Urgency: high Maintainer: Debian Java Maintainers Changed-By: Markus Koschany Description: libbcmail-java - Bouncy Castle generators/processors for S/MIME and CMS libbcmail-java-doc - Bouncy Castle generators/processors for S/MIME and CMS

[SECURITY] [DLA 1418-1] bouncycastle security update

2018-07-07 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: bouncycastle Version: 1.49+dfsg-3+deb8u3 CVE ID : CVE-2016-1000338 CVE-2016-1000339 CVE-2016-1000341 CVE-2016-1000342 CVE-2016-1000343 CVE-2016-1000345 CVE-2016-1000346 Several

Accepted openocd 0.5.0-1+deb7u1 (source amd64) into oldoldstable

2018-01-21 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sun, 21 Jan 2018 13:27:35 +0100 Source: openocd Binary: openocd Architecture: source amd64 Version: 0.5.0-1+deb7u1 Distribution: wheezy-security Urgency: high Maintainer: Uwe Hermann <u...@debian.org> Changed-By: Markus Ko

Re: MySQL 5.5 EOL before Debian 8 LTS ends

2018-01-22 Thread Markus Koschany
Hi, Am 22.01.2018 um 13:42 schrieb Lars Tangvald: > Hi, > > First off, thanks for handling the 5.5.59 update for Wheezy. I had the > security announcement date mixed up so picked it up too late, sorry. > > MySQL 5.5 is expected to be EOL in December (it was first released > December 15, 2010,

Re: MySQL 5.5 EOL before Debian 8 LTS ends

2018-01-23 Thread Markus Koschany
Am 23.01.2018 um 11:41 schrieb Lars Tangvald: > Hi, > > On 01/22/2018 04:35 PM, Markus Koschany wrote: [...] >> I also think it makes sense to take a smaller step and upgrade from 5.5 >> to 5.6. Are there any known issues with 5.6 or can you share any >> information

Accepted sdl-image1.2 1.2.12-2+deb7u2 (source amd64) into oldoldstable

2018-04-06 Thread Markus Koschany
maintainers <pkg-sdl-maintain...@lists.alioth.debian.org> Changed-By: Markus Koschany <a...@debian.org> Description: libsdl-image1.2 - Image loading library for Simple DirectMedia Layer 1.2, libraries libsdl-image1.2-dev - Image loading library for Simple DirectMedia Layer 1.2, devel

[SECURITY] [DLA 1340-1] sam2p security update

2018-04-06 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: sam2p Version: 0.49.1-1+deb7u3 CVE ID : CVE-2018-7487 CVE-2018-7551 CVE-2018-7552 CVE-2018-7553 CVE-2018-7554 Multiple invalid frees and buffer-overflow vulnerabilities were discovered in sam2p, a

[SECURITY] [DLA 1341-1] sdl-image1.2 security update

2018-04-06 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: sdl-image1.2 Version: 1.2.12-2+deb7u2 CVE ID : CVE-2017-12122 CVE-2017-14440 CVE-2017-14441 CVE-2017-14442 CVE-2017-14448 CVE-2017-14450 Lilith of Cisco Talos discovered several buffer overflow

[SECURITY] [DLA 1361-1] psensor security update

2018-04-24 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: psensor Version: 0.6.2.17-2+deb7u1 CVE ID : CVE-2014-10073 Debian Bug : 896195 It was discovered that psensor, a server for monitoring hardware sensors remotely, was prone to a directory traversal vulnerability

Accepted psensor 0.6.2.17-2+deb7u1 (source amd64 all) into oldoldstable

2018-04-24 Thread Markus Koschany
<jea...@gmail.com> Changed-By: Markus Koschany <a...@debian.org> Description: psensor - display graphs for monitoring hardware temperature psensor-common - common files for Psensor and Psensor server psensor-server - Psensor server for monitoring hardware sensors remotely Closes: 89

Accepted jruby 1.5.6-5+deb7u2 (source all) into oldoldstable

2018-04-17 Thread Markus Koschany
ain...@lists.alioth.debian.org> Changed-By: Markus Koschany <a...@debian.org> Description: jruby - 100% pure-Java implementation of Ruby Changes: jruby (1.5.6-5+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload by the LTS team. * Fix CVE-2018-174: possible Unsafe Object Des

Re: "highly critical" DRUPAL-PSA-2018-001

2018-03-27 Thread Markus Koschany
Am 27.03.2018 um 21:12 schrieb Adrian Zaugg: > > Dear LTS Team > > The Drupal Security Team announced a patch for Drupal 7 and 8 for March, > 28th. The security hole is classified as "highly critical" [1]. They > state that "because exploits might be developed within hours or days" > one should

Accepted zsh 4.3.17-1+deb7u2 (source all amd64) into oldoldstable

2018-03-31 Thread Markus Koschany
pkg-zsh-de...@lists.alioth.debian.org> Changed-By: Markus Koschany <a...@debian.org> Description: zsh - shell with lots of features zsh-dbg - shell with lots of features (debugging symbols) zsh-dev - shell with lots of features (development files) zsh-doc - zsh document

[SECURITY] [DLA 1335-1] zsh security update

2018-03-31 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: zsh Version: 4.3.17-1+deb7u2 CVE ID : CVE-2018-1071 CVE-2018-1083 Debian Bug : 894044 894043 Two security vulnerabilities were discovered in the Z shell. CVE-2018-1071 Stack-based buffer overflow in the

[SECURITY] [DLA 1325-1] drupal7 security update

2018-03-28 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: drupal7 Version: 7.14-2+deb7u18 CVE ID : CVE-2018-7600 Jasper Mattsson found a remote code execution vulnerability in the Drupal content management system. This potentially allows attackers to exploit multiple

Re: "highly critical" DRUPAL-PSA-2018-001

2018-03-28 Thread Markus Koschany
Hi! Am 28.03.2018 um 21:50 schrieb Ola Lundqvist: > Hi Markus > > Upstream have now released more information. > > Best regards > > // Ola I have just uploaded a security update for Drupal 7 which will address CVE-2018-7600. The update should be available on the mirrors soon. An announcement

Accepted drupal7 7.14-2+deb7u18 (source all) into oldoldstable

2018-03-28 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 28 Mar 2018 22:47:59 +0200 Source: drupal7 Binary: drupal7 Architecture: source all Version: 7.14-2+deb7u18 Distribution: wheezy-security Urgency: high Maintainer: Luigi Gangitano <lu...@debian.org> Changed-By: Markus Ko

Accepted php5 5.4.45-0+deb7u13 (source amd64 all) into oldoldstable

2018-03-29 Thread Markus Koschany
: Debian PHP Maintainers <pkg-php-ma...@lists.alioth.debian.org> Changed-By: Markus Koschany <a...@debian.org> Description: libapache2-mod-php5 - server-side, HTML-embedded scripting language (Apache 2 module) libapache2-mod-php5filter - server-side, HTML-embedded scripting languag

[SECURITY] [DLA 1328-1] xerces-c security update

2018-03-29 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: xerces-c Version: 3.1.1-3+deb7u5 CVE ID : CVE-2017-12627 Debian Bug : 894050 Alberto Garcia, Francisco Oca and Suleman Ali of Offensive Research discovered that the Xerces-C XML parser mishandles certain kinds

[SECURITY] [DLA 1326-1] php5 security update

2018-03-29 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: php5 Version: 5.4.45-0+deb7u13 CVE ID : CVE-2018-7584 Wei Lei and Liu Yang of Nanyang Technological University discovered a stack-based buffer overflow in PHP5 when parsing a malformed HTTP response which can be

Accepted xerces-c 3.1.1-3+deb7u5 (source all amd64) into oldoldstable

2018-03-29 Thread Markus Koschany
Maintainer: Jay Berkenbilt <q...@debian.org> Changed-By: Markus Koschany <a...@debian.org> Description: libxerces-c-dev - validating XML parser library for C++ (development files) libxerces-c-doc - validating XML parser library for C++ (documentation) libxerces-c-samples - validating XML pa

[SECURITY] [DLA 1316-1] freeplane security update

2018-03-24 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: freeplane Version: 1.1.3-2+deb7u1 CVE ID : CVE-2018-169 Debian Bug : 893663 Wojciech Reguła discovered that Freeplane, a program for working with mind maps, was affected by a XML External Entity (XXE)

Accepted libvirt 0.9.12.3-1+deb7u3 (source all amd64) into oldoldstable

2018-03-24 Thread Markus Koschany
Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintain...@lists.alioth.debian.org> Changed-By: Markus Koschany <a...@debian.org> Description: libvirt-bin - programs for the libvirt library libvirt-dev - development files for the libvirt library libvirt-doc - documentation for

[SECURITY] [DLA 1315-1] libvirt security update

2018-03-24 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: libvirt Version: 0.9.12.3-1+deb7u3 CVE ID : CVE-2018-1064 CVE-2018-5748 Debian Bug : 887700 Daniel P. Berrange and Peter Krempa of Red Hat discovered a flaw in libvirt, a virtualization API. A lack of

Accepted freeplane 1.1.3-2+deb7u1 (source all) into oldoldstable

2018-03-24 Thread Markus Koschany
pkg-java-maintain...@lists.alioth.debian.org> Changed-By: Markus Koschany <a...@debian.org> Description: freeplane - Java program to create and edit mind maps. libjortho-freeplane-java - Java spell-checking library. Changes: freeplane (1.1.3-2+deb7u1) wheezy-security; urgency=high

[SECURITY] [DLA 1322-1] graphicsmagick security update

2018-03-28 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: graphicsmagick Version: 1.3.16-1.1+deb7u19 CVE ID : CVE-2017-18219 CVE-2017-18220 CVE-2017-18229 CVE-2017-18230 CVE-2017-18231 CVE-2018-9018 Various security issues were discovered in

Accepted graphicsmagick 1.3.16-1.1+deb7u19 (source amd64 all) into oldoldstable

2018-03-28 Thread Markus Koschany
graphicsmagick-libmagick-dev-compat graphicsmagick-dbg Architecture: source amd64 all Version: 1.3.16-1.1+deb7u19 Distribution: wheezy-security Urgency: high Maintainer: Daniel Kobras <kob...@debian.org> Changed-By: Markus Koschany <a...@debian.org> Description: graphicsmagick - collect

Re: Bug#892590: Review graphite2

2018-03-19 Thread Markus Koschany
Hi, Am 19.03.2018 um 16:23 schrieb Rene Engelhard: > On Sun, Mar 18, 2018 at 11:39:57AM +0530, Abhijith PA wrote: >> I prepared LTS security update for graphite2[1]. Debdiff is attached. >> All tests ran successfully. Please review. > > Why would we need one given for jessie and stretch it is

[SECURITY] [DLA 1310-1] exempi security update

2018-03-21 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: exempi Version: 2.2.0-1+deb7u1 CVE ID : CVE-2017-18233 CVE-2017-18234 CVE-2017-18236 CVE-2017-18238 CVE-2018-7728 CVE-2018-7730 Various issues were discovered in exempi, a library to parse XMP

[SECURITY] [DLA 1295-1] drupal7 security update

2018-02-28 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: drupal7 Version: 7.14-2+deb7u17 CVE ID : CVE-2017-6927 CVE-2017-6928 CVE-2017-6929 CVE-2017-6932 Debian Bug : 891152 891150 891153 891154 Multiple vulnerabilities have been found in the Drupal

[SECURITY] [DLA 1301-1] tomcat7 security update

2018-03-06 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: tomcat7 Version: 7.0.28-4+deb7u18 CVE ID : CVE-2018-1304 CVE-2018-1305 Two security vulnerabilities have been discovered in the Tomcat servlet and JSP engine. CVE-2018-1304 The URL pattern of "" (the empty

Accepted tomcat7 7.0.28-4+deb7u18 (source all) into oldoldstable

2018-03-06 Thread Markus Koschany
: 7.0.28-4+deb7u18 Distribution: wheezy-security Urgency: high Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org> Changed-By: Markus Koschany <a...@debian.org> Description: libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes libservlet3.0-java-d

[SECURITY] [DLA 1363-1] ghostscript security update

2018-04-25 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: ghostscript Version: 9.05~dfsg-6.3+deb7u8 CVE ID : CVE-2018-10194 Debian Bug : 896069 It was discovered that the set_text_distance function in base/gdevpdts.c in the pdfwrite component in Ghostscript does not

Re: enigmail will break with TB upgrade

2018-09-27 Thread Markus Koschany
On 27.09.18 at 04:52, Antoine Beaupré wrote: [...] > Enigmail's work, then, might be better targeted at helping the folks in > stretch, although I do wonder how we could possibly upgrade GnuPG 2 > (required to get a new version of Enigmail compatible with TB 60) in > jessie without causing all

Re: enigmail will break with TB upgrade

2018-09-27 Thread Markus Koschany
On 27.09.18 at 17:12, Antoine Beaupré wrote: [...] > I wonder what that was all about... > > Was the solution for stretch finally to remove enigmail from stable and > use backports? AFAIK he hasn't made a decision yet and I doubt he will use backports because it's not for fixing bugs in

Re: monit/CVE-2016-7067: call for testing

2018-09-27 Thread Markus Koschany
Hello, On 27.09.18 at 22:58, Nye Liu wrote: > This patch might be broken: > > https://bugs.launchpad.net/ubuntu/+source/monit/+bug/1786910 > > Please consider addressing it. I think you have reported this issue to the wrong list. The bug is only present in Ubuntu. This issue is no-dsa in

[SECURITY] [DLA 1523-1] asterisk security update

2018-09-27 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: asterisk Version: 1:11.13.1~dfsg-2+deb8u6 CVE ID : CVE-2018-17281 Debian Bug : 909554 Sean Bright discovered that Asterisk, a PBX and telephony toolkit, contained a stack overflow vulnerability in the

Accepted php-horde-kronolith 4.2.2-4+deb8u1 (source all) into oldstable

2018-10-07 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sun, 07 Oct 2018 23:06:04 +0200 Source: php-horde-kronolith Binary: php-horde-kronolith Architecture: source all Version: 4.2.2-4+deb8u1 Distribution: jessie-security Urgency: high Maintainer: Horde Maintainers Changed-By: Markus

[SECURITY] [DLA 1536-1] php-horde-core security update

2018-10-07 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: php-horde-core Version: 2.15.0+debian0-1+deb8u2 CVE ID : CVE-2017-16907 Debian Bug : 909800 It was discovered that the Horde Application Framework written in PHP was affected by a Cross-site scripting

[SECURITY] [DLA 1535-1] php-horde security update

2018-10-07 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: php-horde Version: 5.2.1+debian0-2+deb8u4 CVE ID : CVE-2017-16907 Debian Bug : 909739 It was discovered that the Horde Application Framework written in PHP was affected by a Cross-site scripting vulnerability

Accepted moin 1.9.8-1+deb8u2 (source all) into oldstable

2018-10-15 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Mon, 15 Oct 2018 19:23:10 +0200 Source: moin Binary: python-moinmoin Architecture: source all Version: 1.9.8-1+deb8u2 Distribution: jessie-security Urgency: high Maintainer: Steve McIntyre <93...@debian.org> Changed-By:

Accepted tomcat7 7.0.56-3+really7.0.91-1 (source all) into oldstable

2018-10-14 Thread Markus Koschany
: 7.0.56-3+really7.0.91-1 Distribution: jessie-security Urgency: high Maintainer: Debian Java Maintainers Changed-By: Markus Koschany Description: libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation libtomcat7-java

Accepted ghostscript 9.06~dfsg-2+deb8u11 (source all amd64) into oldstable

2018-10-22 Thread Markus Koschany
-security Urgency: high Maintainer: Debian Printing Team Changed-By: Markus Koschany Description: ghostscript - interpreter for the PostScript language and for PDF ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug symbo ghostscript-doc - interpreter
