Re: tracking security issues without CVEs

2016-03-10 Thread Paul Wise
On Fri, Mar 11, 2016 at 3:49 AM, Moritz Mühlenhoff wrote: > On Sun, Mar 06, 2016 at 06:58:48PM +0100, Salvatore Bonaccorso wrote: > >> But I think as well that is right now to early to >> start adopting these for not yet assigned issues. > > Agreed, let's stick with the usual "file a bug to get a

Re: tracking security issues without CVEs

2016-03-13 Thread Paul Wise
On Sat, Mar 12, 2016 at 10:51 PM, Kurt Roeckx wrote: > On Sun, Mar 06, 2016 at 03:33:16PM +1100, Brian May wrote: >> For example, if there are no CVEs are we able to use OVEs instead? > > What about DWF? That didn't exist at the time of Brian's post. I think OVE/OVI still have less friction

Re: tracking security issues without CVEs

2016-03-22 Thread Paul Wise
On Tue, Mar 22, 2016 at 10:06 PM, Antoine Beaupré wrote: > Well, the friction is one thing, but we need to adopt *one* system for > the future, if CVEs are going the wayside (or even as a complementary > approach). I agree with this post from oss-security:

Re: tracking security issues without CVEs

2016-04-28 Thread Paul Wise
On Mon, Mar 28, 2016 at 10:34 PM, Andrew Deck wrote: > On a related note, does anyone know what happened to OSF and the OSVDB? > There still seem to be blog updates, but I remember OSVDB having a web > UI, and the OSF website seems to be down. They have officially closed the OSVDB site:

Re: Please remove non-lts architectures from wheezy-security

2016-05-03 Thread Paul Wise
On Wed, May 4, 2016 at 12:23 AM, Tom Turelinckx wrote: > Jessie is not available for sparc. If you are actually using sparc I would recommend you look at migrating to and assisting the sparc64 porting efforts. Or reviving sparc if you need 32-bit SPARC. Or switch to another architecture.

Re: testing and review requested for Wheezy update of apache2

2017-02-20 Thread Paul Wise
On Tue, Feb 21, 2017 at 4:27 AM, Antoine Beaupré wrote: > security@lists.d.o is not a list, as far as i know. there's > debian-security@lists.d.o, but I never posted there... or did you mean > t...@security.debian.org? secur...@lists.debian.org goes to root (DSA) and listmaster AFAICT. -- bye,

Re: Wheezy update of tre?

2016-10-20 Thread Paul Wise
On Thu, Oct 20, 2016 at 9:59 PM, Santiago Vila wrote: > Should this not start in unstable with a bug report? This is what the stable security team usually do, because they know that if they don't they will eventually have to do the work themselves. They also do NMUs in unstable in some cases.

Wheezy update of ca-certificates?

2017-03-25 Thread Paul Wise
Hi all, I note that there have been some CA removals and additions that would be nice to have in wheezy, in particular the ISRG Root for LE, thoughts? -- bye, pabs https://wiki.debian.org/PaulWise

Re: fixing links for DLAs in the security tracker

2017-03-28 Thread Paul Wise
On Wed, Mar 29, 2017 at 12:28 PM, Salvatore Bonaccorso wrote: > See as well https://bugs.debian.org/761945 (and respective clones for > debian-). Committed a patch for this, carnil deployed it. One downside to this is that committing DLAs to the Debian website hasn't happened since 2016

Re: Wheezy update of ca-certificates?

2017-03-27 Thread Paul Wise
On Tue, Mar 28, 2017 at 8:12 AM, Michael Shuler wrote: > I need to fix up the jessie PU I have filed (and update to 2.11), and > I'll do a wheezy PU at the same time. Thanks! Debian wheezy is no longer managed by the release team, so you will need to do an LTS upload instead:

Re: unattended upgrades don't work in wheezy

2017-07-04 Thread Paul Wise
On Tue, Jul 4, 2017 at 10:02 PM, Matus UHLAR wrote: > I just found out that the unattended-upgrades package in wheezy does not > upgrade packages although configured to do it. I note that this same situation will apply to jessie when it becomes oldoldstable. I haven't tested the default stretch

Re: should ca-certificates certdata.txt synchronize across all suites?

2017-07-06 Thread Paul Wise
On Fri, Jul 7, 2017 at 2:01 AM, Antoine Beaupré wrote: > For what it's worth, my opinion is that we should attempt to synchronize > certdata.txt (and blacklist.txt, for that matter) across all suites (but > not other changes to the packaging). This would remove another decision > point in our

Re: [Pkg-puppet-devel] Wheezy update of puppet?

2017-05-24 Thread Paul Wise
On Wed, May 24, 2017 at 5:51 PM, Apollon Oikonomopoulos wrote: > So, from my understanding the version in Wheezy cannot be fixed: the 2.7 > agents only use YAML to send out facts and upstream's fix is to simply > not accept anything other than PSON. Whitelisting YAML defeats the > purpose, as

Re: [Pkg-puppet-devel] Wheezy update of puppet?

2017-05-24 Thread Paul Wise
On Wed, May 24, 2017 at 6:24 PM, Paul Wise wrote: > In Python/Perl YAML libraries there are ways to safely load YAML > files, does Ruby not have the same possibilities? After a bit of searching, I wonder if copying the ruby-safe-yaml package from wheezy-backports to wheezy and then pa

Re: heads-up: stretch release and changes to security-tracker

2017-06-11 Thread Paul Wise
On Mon, Jun 12, 2017 at 3:37 AM, Salvatore Bonaccorso wrote: > I'm attaching the *preliminary* set of changes which I plan to > activate once stretch is released. Wow, there really is a horribly large amount of hard-coding of things that should be fetched from the archive instead. I've added a

Re: apt sources.list for wheezy-to-jessie distro upgrade

2017-11-27 Thread Paul Wise
On Mon, Nov 27, 2017 at 7:43 PM, Adam Weremczuk wrote: > deb http://httpredir.debian.org/debian/ wheezy main contrib non-free > deb-src http://httpredir.debian.org/debian/ wheezy main contrib non-free You can also replace httpredir.d.o with deb.d.o, httpredir.d.o is dead and now redirects to

Re: jquery CVEs: no-dsa or unsupported? + snyk.io

2018-01-20 Thread Paul Wise
On Fri, Jan 19, 2018 at 11:52 PM, Antoine Beaupré wrote: > I have found that Snyk had issues in its database that weren't in Mitre: > > https://snyk.io/vuln/npm:jquery I note that nodesecurity also has some CVE-less issues: https://nodesecurity.io/advisories?search=jquery > Finally, I wanted

Re: pulling in other vulnerability databases

2018-01-24 Thread Paul Wise
On Thu, Jan 25, 2018 at 1:12 AM, Antoine Beaupré wrote: > Okay, so this is a broader, recurring problem we have with the security > tracker right now... From my perspective, I've always and only used CVEs > as unique identifiers for vulnerabilities in my work in the security > tracker. When that

Re: pulling in other vulnerability databases

2018-01-26 Thread Paul Wise
On Thu, 2018-01-25 at 11:05 -0500, Antoine Beaupré wrote: > I'm not sure what to say to nodesecurity.io folks I've already contacted them multiple times in 2014 and once in 2016, about incorporating CVEs into their workflow. The responses were positive but didn't result in much change, except

Re: twitter-bootstrap / CVE-2018-14040 / CVE-2018-14041 / CVE-2018-14042

2018-08-08 Thread Paul Wise
On Wed, Aug 8, 2018 at 3:35 PM, Brian May wrote: > Sidenote: Curiously I cannot connect to > https://security-tracker.debian.org/ today from this machine on this > network... Connections always time out. Probably something weird with my > network, however other webpages appear to be fine. If I

Re: twitter-bootstrap / CVE-2018-14040 / CVE-2018-14041 / CVE-2018-14042

2018-08-09 Thread Paul Wise
On Thu, 2018-08-09 at 16:57 +1000, Brian May wrote: > I could still ping the host, so probably not a routing problem. Next time try connecting to port 80/443 on the IP address without sending any data. That would eliminate an HTTP-layer issue. > Looks like I can connect today however, so maybe
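The check suggested above (complete the TCP handshake to 80/443 on the IP, send nothing, and read the outcome) as an added example; this is not code from the thread or from Debian. It assumes you have already resolved the hostname to an IP yourself, so DNS is out of the picture, and the port numbers and timeout are just the defaults Paul mentions. Ping succeeding while these probes time out points at TCP filtering on the path, which ICMP alone cannot rule out.

```python
import errno
import socket


def tcp_probe(host, port, timeout=5.0):
    """Complete only the TCP three-way handshake to host:port and report it.

    Nothing is written to the socket, so TLS or HTTP misbehaviour cannot
    affect the result. Returns "open", "refused", "timeout", "unreachable"
    or "error:<ERRNO>".
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:            # SYNs went unanswered
        return "timeout"
    except ConnectionRefusedError:    # host answered with RST
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error:%s" % errno.errorcode.get(exc.errno, exc.errno)
    finally:
        sock.close()


def interpret(results):
    """Map per-port outcomes to a one-line verdict about which layer failed."""
    outcomes = set(results.values())
    if outcomes == {"open"}:
        return "TCP fine on all ports: look above TCP (TLS, HTTP, proxy)"
    if outcomes <= {"timeout"}:
        return ("SYNs unanswered: TCP filtered on the path or host; "
                "a working ping does not rule this out")
    if outcomes <= {"refused"}:
        return "host answers with RST: nothing is listening on those ports"
    if "unreachable" in outcomes:
        return "no route to host: local routing or upstream network problem"
    return "mixed results per port: " + ", ".join(
        "%d=%s" % (p, r) for p, r in sorted(results.items()))


def diagnose(host, ports=(80, 443), timeout=5.0):
    """Probe every port and return (per-port results, verdict)."""
    results = {port: tcp_probe(host, port, timeout) for port in ports}
    return results, interpret(results)


def local_listener():
    """Listening socket on an ephemeral localhost port, for self-testing;
    returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    # Usage: python3 tcp_probe.py 203.0.113.10   (pass the IP, not the name)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    per_port, verdict = diagnose(target)
    for port, status in sorted(per_port.items()):
        print("port %d: %s" % (port, status))
    print(verdict)
```

Run it from the affected machine against the same IP that ping reaches; a "timeout" on both ports with ping working is the classic signature of a middlebox dropping TCP, while "open" moves the investigation to the TLS or HTTP layer (curl -v is the next step there).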

Re: CVE-2018-1050 and CVE-2018-1057 for samba

2018-03-14 Thread Paul Wise
On Wed, Mar 14, 2018 at 4:42 PM, Mathieu Parent wrote: > See the attached patch for CVE-2018-1050 on samba 3.6. CVE-2018-10507 > is on the AD DC code which is not part of samba 3.6. A beta of samba 4 is also in wheezy: https://packages.debian.org/source/wheezy/samba4 -- bye, pabs

Re: Confusing our users - who is supporting LTS?

2018-10-23 Thread Paul Wise
On Wed, Oct 24, 2018 at 4:15 AM Sean Whitton wrote: > > On Tue 23 Oct 2018 at 05:06PM +0200, Markus Koschany wrote: > > > > In short: Make it very clear if you want to provide long-term support > > for your project. Talk to the LTS team in case you need help. Nobody is > > forced to do anything. >

Re: [SECURITY] [DLA 1602-1] nsis security update

2018-11-30 Thread Paul Wise
On Sat, Dec 1, 2018 at 6:35 AM Thorsten Alteholz wrote: > Package: nsis > Version: 2.46-10+deb8u1 > CVE ID : CVE-2015-9267 CVE-2015-9268 > > Among others, Andre Heinicke from gpg4win.org found several issues of > nsis, a tool for creating quick and user friendly installers

Re: Wheezy ELTS?

2019-04-15 Thread Paul Wise
On Tue, Apr 16, 2019 at 10:20 AM PICCORO McKAY Lenz wrote: > was removed or not? are still ELTS? The timeline says that eLTS support ended on 31st May 2019. https://wiki.debian.org/LTS/Extended -- bye, pabs https://wiki.debian.org/PaulWise

Re: golang-go.crypto / CVE-2019-11841

2020-11-09 Thread Paul Wise
On Mon, Nov 9, 2020 at 10:33 PM Brian May wrote: > What is this "Built-Using" header? It documents which source package versions need to be shipped to ensure license compliance.
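As Paul says, Built-Using exists for license compliance, but the same field is what tells you which binary packages statically contain which source version, which is exactly the list you need after a fix to a Go library like golang-go.crypto. The parser below is an added example, not Debian or apt code; the Packages stanzas it reads are constructed (package names, hashes and versions are made up), and it follows the Policy format of the field, a comma-separated list of "source (= version)" relations. Version comparison is deliberately an exact string match, since reimplementing dpkg's ordering is out of scope here.

```python
import re

# Constructed sample in Packages-index format; all names and versions are
# illustrative only.
SAMPLE_PACKAGES = """\
Package: example-go-tool
Version: 1.2.0-1
Architecture: amd64
Built-Using: golang-go.crypto (= 1:0.0~git20200101.abcdef0-1), golang-golang-x-net-dev (= 1:0.0+git20200202.1234567-1)

Package: example-other-tool
Version: 0.9-2
Architecture: amd64
Built-Using: golang-go.crypto (= 1:0.0~git20200303.fedcba9-2)

Package: example-c-tool
Version: 3.0-1
Architecture: amd64
Depends: libc6 (>= 2.28)
"""

# Policy only permits the "=" relation in Built-Using.
REL_RE = re.compile(r"^\s*([a-z0-9][a-z0-9+.-]+)\s*\(\s*=\s*([^)\s]+)\s*\)\s*$")


def parse_paragraphs(text):
    """Split deb822-style text into a list of {field: value} dicts,
    folding continuation lines (leading whitespace) into the prior field."""
    paragraphs, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                paragraphs.append(current)
            current, last_key = {}, None
            continue
        if line[0] in " \t" and last_key is not None:
            current[last_key] += " " + line.strip()
            continue
        key, _, value = line.partition(":")
        current[key] = value.strip()
        last_key = key
    if current:
        paragraphs.append(current)
    return paragraphs


def parse_built_using(value):
    """Return [(source, version), ...]; reject anything but '=' relations."""
    out = []
    for rel in value.split(","):
        m = REL_RE.match(rel)
        if not m:
            raise ValueError("malformed Built-Using relation: %r" % rel)
        out.append((m.group(1), m.group(2)))
    return out


def built_using_index(text):
    """Invert Built-Using: source -> [(binary, binary_version, embedded_version)]."""
    index = {}
    for para in parse_paragraphs(text):
        if "Built-Using" not in para:
            continue
        for src, ver in parse_built_using(para["Built-Using"]):
            index.setdefault(src, []).append(
                (para["Package"], para["Version"], ver))
    return index


def embedders(index, source, fixed_version=None):
    """Binaries that embed `source`; with fixed_version, only those whose
    embedded version differs from it, i.e. candidates for a rebuild."""
    hits = index.get(source, [])
    if fixed_version is None:
        return hits
    return [h for h in hits if h[2] != fixed_version]


if __name__ == "__main__":
    idx = built_using_index(SAMPLE_PACKAGES)
    for binary, bver, embedded in embedders(idx, "golang-go.crypto"):
        print("%s %s embeds golang-go.crypto %s" % (binary, bver, embedded))
```

On a real system the input is the Packages file apt already has under /var/lib/apt/lists/, and the output for a given source is the set of binaries that must be rebuilt (not merely upgraded) before the fix actually reaches users.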

Re: Tracking related source packages

2021-02-26 Thread Paul Wise
On Fri, Feb 26, 2021 at 3:35 PM Markus Koschany wrote: > How can we keep the [embedded copies] list up-to-date? Considering that the copies can be added, removed or made irrelevant in each upload of each package, I think this would be a very hard problem. The simplest solution would be to

Re: Tracking related source packages

2021-02-25 Thread Paul Wise
On Thu, Feb 25, 2021 at 10:41 PM Ola Lundqvist wrote: > Finding embedded code copies is harder. There are some useful strategies for that listed on the wiki: https://wiki.debian.org/EmbeddedCopies Probably `apt-file search -I dsc` and the various code searching services (sources.d.o

Re: Support for insecure applications

2021-02-12 Thread Paul Wise
On Fri, Feb 12, 2021 at 11:21 AM Sylvain Beucler wrote: > Pushing your point, we'd need to consider all software insecure by > default, perform regular code audits on the full Debian archive, which > would be very costly, and blocking packages from reaching testing, which > would introduce

Re: Support for insecure applications

2021-02-12 Thread Paul Wise
On Fri, 2021-02-12 at 14:40 +0100, Ola Lundqvist wrote: > The discussion is more or less whether packages should be allowed in > Debian in the first place. This should be discussed on some general > mailinglist, like debian-devel or debian-project. LTS cannot put > restrictions on what should

Re: Vulnerability in pcs or is it in more generic code?

2022-09-05 Thread Paul Wise
On Mon, 2022-09-05 at 21:38 +0200, Ola Lundqvist wrote: > I agree that it is good to fix the pcs package, but shouldn't we fix > the default umask in general? > I would argue that the default umask is insecure. bookworm login sets new user home directories to secure permissions: $ grep -E

Re: Upgrades from Stretch to Bullseye and from Buster to Bookworm broken

2022-10-24 Thread Paul Wise
On Mon, 2022-10-24 at 09:54 +0200, Anton Gladky wrote: > thanks for the information. AFAIK skipping releases is not supported. > You have to go through all releases step-by-step. That's correct, although some folks want Debian to not drop things that help skip upgrades wherever possible.

Re: Vulnerability in pcs or is it in more generic code?

2022-09-09 Thread Paul Wise
On Fri, 2022-09-09 at 22:41 +0200, Ola Lundqvist wrote: > I see that I was not clear what I meant with "in general" :-) Woops, sorry for the noise :) > Here I found what the generic source code looks like: > https://rubydoc.info/gems/thin/1.3.1/Thin%2FBackends%2FUnixServer:connect > > You can
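The mechanism behind the pcs discussion above and the umask question in the earlier message, as an added example (not code from pcs, thin or Debian): the permission bits of a unix socket are fixed by whatever umask is in force at bind() time, not by the system default, so a daemon that loosens its umask around socket creation ends up with a socket every local user can connect to no matter how login.defs is configured. The paths are temporary files created by the example itself; no other assumptions are made. It also shows the race-free fix, which is to tighten the umask around bind() rather than chmod() afterwards.

```python
import os
import socket
import stat
import tempfile


def bind_unix_socket(path, umask):
    """Create a listening AF_UNIX socket at `path` under `umask` and return
    the permission bits the socket inode ended up with.

    bind() creates the inode as 0777 & ~umask, so the umask at that instant
    decides who may talk to the daemon. Restoring the old umask afterwards
    is mandatory, otherwise every later file the process creates is affected.
    """
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old = os.umask(umask)
    try:
        srv.bind(path)
        srv.listen(1)
    finally:
        os.umask(old)
    try:
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        srv.close()
        os.unlink(path)


def world_can_connect(mode):
    """On Linux, connect() to a stream unix socket requires write permission
    on the socket inode, so the 'other' write bit is what grants access."""
    return bool(mode & stat.S_IWOTH)


def socket_modes():
    """Bind the same path under three umasks: 000 (what a server that drops
    its umask for 'convenience' does), 022 (a common default) and 077 (the
    hardened choice). Returns {umask: mode}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.sock")
        for umask in (0o000, 0o022, 0o077):
            results[umask] = bind_unix_socket(path, umask)
    return results


if __name__ == "__main__":
    for umask, mode in sorted(socket_modes().items()):
        print("umask %03o -> socket mode %04o, any local user can connect: %s"
              % (umask, mode, world_can_connect(mode)))
```

Calling chmod() on the socket after bind() is not equivalent: between the two calls the socket is already connectable at the wide mode. If the daemon genuinely needs a non-root client, put the socket in a directory with mode 0750 owned by the right group instead of widening the socket itself.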

Re: Any Chance of a Live Kernel Update?

2023-02-24 Thread Paul Wise
On Wed, 2023-02-22 at 12:13 +0100, Ola Lundqvist wrote: > Unfortunately not the correct mailing list. > This is the mailinglist for security updates of buster. The request for applying Linux kernel security fixes without reboot is even more useful for Debian oldstable/stable, which do not

Re: Possibility of LTS fix for Samba?

2023-07-20 Thread Paul Wise
On Thu, 2023-07-20 at 14:13 +0100, Ronny Adsetts wrote: > I think upgrading our Samba servers to Bullseye and then Samba from > backports (or Michael's repo) is the approach I'll take. Is upgrading to Debian bookworm after that not possible for you? -- bye, pabs