Re: more missing DLAs on the website

2019-04-02 Thread Sylvain Beucler
Hi, On 02/04/2019 10:59, Holger Levsen wrote: > On Mon, Apr 01, 2019 at 08:51:00PM +0200, Sylvain Beucler wrote: >> I wondered whether we needed translations at: > because: > [...] > - translations OK so I guess we need DLA translations ;) I wondered whether actual us

Re: more missing DLAs on the website

2019-04-02 Thread Sylvain Beucler
Hi, On 02/04/2019 12:09, Holger Levsen wrote: > On Tue, Apr 02, 2019 at 11:52:58AM +0200, Sylvain Beucler wrote: >> OK so I guess we need DLA translations ;) >> I wondered whether actual users asked for them, but let's assume so. > you might not be aware, but: > > ~/Pr

Re: more missing DLAs on the website

2019-04-02 Thread Sylvain Beucler
Hi, On Tue, Apr 02, 2019 at 12:55:31PM +0200, Markus Koschany wrote: > Am 02.04.19 um 12:39 schrieb Sylvain Beucler: > > Ideally we could then cron this out as Markus suggested. > > So far I had no problems with the parse script. I just download the html > file from the DLA ann

[SECURITY] [DLA 1737-1] pdns security update

2019-03-29 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: pdns Version: 3.4.1-4+deb8u9 CVE ID : CVE-2019-3871 Debian Bug : 924966 A vulnerability was found in PowerDNS Authoritative Server before 4.0.7 and before 4.1.7. An insufficient validation of data coming from

Re: DLAs in the website: some updates and issues

2019-03-29 Thread Sylvain Beucler
Hi, On 18/03/2019 15:56, Sylvain Beucler wrote: > On Thu, Mar 07, 2019 at 08:02:18PM +0100, Laura Arjona Reina wrote: >> El 5/3/19 a las 16:07, Markus Koschany escribió: >>> thank you for your work on our website. Ideally we would like to make >>> the whole proc

Accepted pdns 3.4.1-4+deb8u9 (source amd64) into oldstable

2019-03-29 Thread Sylvain Beucler
pdns-backend-remote pdns-backend-mydns Architecture: source amd64 Version: 3.4.1-4+deb8u9 Distribution: jessie-security Urgency: high Maintainer: Debian PowerDNS Maintainers Changed-By: Sylvain Beucler Description: pdns-backend-geo - geo backend for PowerDNS pdns-backend-ldap - LDAP backend

Re: ghostscript testing

2019-03-27 Thread Sylvain Beucler
Hi, On 27/03/2019 00:00, Markus Koschany wrote: > Am 26.03.19 um 15:55 schrieb Sylvain Beucler: > [...] >> Markus, I read in the archives that you backported fixes in earlier >> security uploads - any other tip? :) > I did all the testing myself by setting up a Jessie env

Re: ghostscript testing

2019-03-26 Thread Sylvain Beucler
Hi, On 25/03/2019 16:13, Sylvain Beucler wrote: > On 25/03/2019 16:11, Sylvain Beucler wrote: >> Hi, >> >> I prepared an update for ghostscript. >> https://people.debian.org/~beuc/lts/ghostscript/ >> >> Even if we recently rebased to the latest upstream

ghostscript testing

2019-03-25 Thread Sylvain Beucler
Hi, I prepared an update for ghostscript. https://people.debian.org/~beuc/lts/ghostscript/ Even if we recently rebased to the latest upstream in jessie, the upstream patches did not apply cleanly and I did my best to replicate the changes. Note: we ship a 9.26*a* version which upstream does not

Re: ghostscript testing

2019-03-25 Thread Sylvain Beucler
On 25/03/2019 16:11, Sylvain Beucler wrote: > Hi, > > I prepared an update for ghostscript. > https://people.debian.org/~beuc/lts/ghostscript/ > > Even if we recently rebased to the latest upstream in jessie, the > upstream patches did not apply cleanly and I did my best to re

Debian LTS logo

2019-04-05 Thread Sylvain Beucler
Hi, Is this our official logo? I was contemplating adding it to my monthly reports: https://raphaelhertzog.com/files/2015/03/Debian-LTS-2-small.png Also, is there a version in higher resolution? Cheers! Sylvain

Re: more missing DLAs on the website

2019-04-01 Thread Sylvain Beucler
Hi, Is there a rationale on why we are updating the website, by the way? And with a full copy of the advisory? (instead of e.g. pointing to the list archives). I wondered whether we needed translations at: https://lists.debian.org/debian-lts/2019/03/msg00101.html

Re: Fwd: [SECURITY] [DSA 4427-1] samba security update

2019-04-08 Thread Sylvain Beucler
Thanks Mathieu. I referenced it in our dla-needed.txt task list. A member of the LTS team will look into it. Cheers! Sylvain On 08/04/2019 11:10, Mathieu Parent wrote: > Dear LTS maintainers, > > See attached patch for CVE-2019-3880 in samba. > Don't know if it applies cleanly. > > Regards > >

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-04-08 Thread Sylvain Beucler
Hi, On 08/04/2019 14:32, Holger Levsen wrote: > I've done this again and am considering (in general) to not write these mails > anymore. Please speak up if you think these mails are useful (or could > be made more useful.) > > Today I do feel it's useful to point out, that one should not merely >

phpmyadmin CVE-2019-6799 review request

2019-02-23 Thread Sylvain Beucler
-maintainer upload by the Debian LTS team. + * Fix CVE-2019-6799: information leak (arbitrary file read) using SQL +queries. + + -- Sylvain Beucler Sun, 24 Feb 2019 01:12:19 +0100 + phpmyadmin (4:4.2.12-2+deb8u4) jessie-security; urgency=high * Non-maintainer upload by the Debian LTS team

Experimenting with phpmyadmin's testsuite

2019-02-25 Thread Sylvain Beucler
Hi, Since phpmyadmin is a regular guest here, I checked how its repository testsuite performs. (I didn't find prior work in that area on the list.) Lots of errors/incomplete/skipped even with the upstream source, lots of deprecation warnings. The unit tests quickly halt on Debian's patched

Accepted freedink-dfarc 3.12-1+deb8u1 (source amd64) into oldstable

2019-02-24 Thread Sylvain Beucler
-By: Sylvain Beucler Description: freedink-dfarc - frontend and .dmod installer for GNU FreeDink freedink-dfarc-dbg - debugging symbols for dfarc Changes: freedink-dfarc (3.12-1+deb8u1) jessie-security; urgency=high . * Fix directory traversal in D-Mod extractor (CVE-2018-0496) Checksums-Sha1

[SECURITY] [DLA 1686-1] freedink-dfarc security update

2019-02-24 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: freedink-dfarc Version: 3.12-1+deb8u1 CVE ID : CVE-2018-0496 Sylvain Beucler and Dan Walma discovered several directory traversal issues in DFArc, a frontend and extensions manager for the Dink Smallwood game

Re: phpmyadmin: CVE-2019-6799: PMASA-2019-1

2019-02-27 Thread Sylvain Beucler
Uploaded to jessie-security.

[SECURITY] [DLA 1692-1] phpmyadmin security update

2019-02-27 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: phpmyadmin Version: 4:4.2.12-2+deb8u5 CVE ID : CVE-2019-6799 Debian Bug : 920823 An information leak issue was discovered in phpMyAdmin. An attacker can read any file on the server that the web server's user

Accepted phpmyadmin 4:4.2.12-2+deb8u5 (source all) into oldstable

2019-02-27 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 27 Feb 2019 13:09:09 +0100 Source: phpmyadmin Binary: phpmyadmin Architecture: source all Version: 4:4.2.12-2+deb8u5 Distribution: jessie-security Urgency: high Maintainer: Thijs Kinkhorst Changed-By: Sylvain Beucler

Re: Request for testing - symfony

2019-03-04 Thread Sylvain Beucler
Hi, On 02/03/2019 18:46, Roberto C. Sánchez wrote: > I have prepared an update to symfony (version 2.3.21+dfsg-4+deb8u4) > which is in need of testing. I intend to upload in one week's time if I do > not receive any reports of problems. Read on for details if you are in > a position to help with

gnutls/nettle (CVE-2018-16868/CVE-2018-16869)

2019-03-04 Thread Sylvain Beucler
Hi, I'm working on CVE-2018-16868/CVE-2018-16869, a side-channel attack that affects gnutls and nettle, disclosed 2018-12, tagged low/local. Unlike what I read in data/CVE/list, I understand that the nettle fix is not just a new function - it's a rewrite of the RSA functions, complemented by a

Re: gnutls/nettle (CVE-2018-16868/CVE-2018-16869)

2019-03-04 Thread Sylvain Beucler
Hi, On 04/03/2019 16:55, Markus Koschany wrote: > Am 04.03.19 um 16:33 schrieb Sylvain Beucler: > [...] >> I see this as a strong signal that we should not attempt to backport the >> fix, and go with a (minor). >> >> Alternatively we could upgrade nettle (libnettle4

Re: Contacting maintainers about no-dsa

2019-03-11 Thread Sylvain Beucler
Hi, On 08/03/2019 15:54, Holger Levsen wrote: > On Fri, Mar 08, 2019 at 12:22:40PM +0100, Sylvain Beucler wrote: >> I was about to contact the nettle and gnutls maintainers, but after >> discussing with Emilio on IRC it appears that we do not contact >> maintainers for this

Re: Debian/LTS newbie question

2019-03-09 Thread Sylvain Beucler
Hi, On 09/03/2019 11:44, th.pitsc...@uni.de wrote: > Hello list members, > > is it correct to assume that in Debian versions entering "obsolete" > state, any "aptitude safe-upgrade" will stop upgrading to newer > packages other than for the reason of security fixes? > > When exactly would also

Re: DLAs in the website: some updates and issues

2019-03-18 Thread Sylvain Beucler
Hi, On 18/03/2019 09:55, Brian May wrote: > Laura Arjona Reina writes: > >> Other option is, instead of looking at the html code, doing >> >> make dla-123-1.en.html >> >> and open the resulting html file with a web browser. > This command did not work for me, I had to use "make -C 2019 >

Accepted sqlalchemy 0.9.8+dfsg-0.1+deb8u1 (source all amd64) into oldstable

2019-03-18 Thread Sylvain Beucler
Distribution: jessie-security Urgency: high Maintainer: Piotr Ożarowski Changed-By: Sylvain Beucler Description: python-sqlalchemy - SQL toolkit and Object Relational Mapper for Python python-sqlalchemy-doc - documentation for the SQLAlchemy Python library python-sqlalchemy-ext - SQL toolkit

Re: DLAs in the website: some updates and issues

2019-03-18 Thread Sylvain Beucler
Hi, On Thu, Mar 07, 2019 at 08:02:18PM +0100, Laura Arjona Reina wrote: > El 5/3/19 a las 16:07, Markus Koschany escribió: > > thank you for your work on our website. Ideally we would like to make > > the whole process fully automatic without the need for any manual > > interaction. > > This

[SECURITY] [DLA 1718-1] sqlalchemy security update

2019-03-18 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: sqlalchemy Version: 0.9.8+dfsg-0.1+deb8u1 CVE ID : CVE-2019-7164 CVE-2019-7548 Debian Bug : 922669 Two vulnerabilities were discovered in SQLALchemy, a Python SQL Toolkit and Object Relational Mapper.

sqlalchemy security fix available for testing

2019-03-12 Thread Sylvain Beucler
Hi, I made a fix for sqlalchemy available for testing (CVE-2019-7164/7548): https://people.debian.org/~beuc/lts/sqlalchemy/ Upstream author Mike Bayer warns that this might break applications, hence if you depend on sqlalchemy you are encouraged to test:

sqlalchemy testsuite

2019-03-11 Thread Sylvain Beucler
Hi, Here are some notes about running the sqlalchemy test suite on jessie. The document leaves a lot of the setup up to the user. I still have some failures with MySQL and Unicode, even when configuring everything in utf8... I'm aggregating test suite notes at

Re: gnutls/nettle (CVE-2018-16868/CVE-2018-16869)

2019-03-08 Thread Sylvain Beucler
Hi, On 04/03/2019 17:37, Sylvain Beucler wrote: > On 04/03/2019 16:55, Markus Koschany wrote: >> Am 04.03.19 um 16:33 schrieb Sylvain Beucler: >> [...] >>> I see this as a strong signal that we should not attempt to backport the >>> fix, and go with a (minor

Contacting maintainers about no-dsa

2019-03-08 Thread Sylvain Beucler
Hi, At the wiki process page we say: https://wiki.debian.org/LTS/Development#Contact_the_maintainer   When we tag issues as "no-dsa", and don't plan to take care of the updates by ourselves, then we use it in this way:   $ bin/contact-maintainers --lts --no-dsa sudo CVE-2014-9680 CVE-2014-0106 I

Re: LTS, no-dsa reasoning and sponsored packages

2019-04-08 Thread Sylvain Beucler
Hi, On 08/04/2019 21:56, Holger Levsen wrote: > On Mon, Apr 08, 2019 at 09:51:19PM +0200, Salvatore Bonaccorso wrote: >> Recently I noticed that for a no-dsa (either for no-dsa or the >> stronger ignored) as explanation was started to be used e.g. "not used >> by any sponsor". That sounds

Re: LTS, no-dsa reasoning

2019-04-10 Thread Sylvain Beucler
Hi Salvatore, On 08/04/2019 22:18, Sylvain Beucler wrote: > On 08/04/2019 21:56, Holger Levsen wrote: >> On Mon, Apr 08, 2019 at 09:51:19PM +0200, Salvatore Bonaccorso wrote: >>> Recently I noticed that for a no-dsa (either for no-dsa or the >>> stronger ignored)

LTS report for March

2019-04-11 Thread Sylvain Beucler
Hi, I had posted my monthly report on my blog, which is aggregated at Planet Debian: https://blog.beuc.net/posts/Debian_LTS_-_March_2019/ https://planet.debian.org/ In case some of this list members left the RSS world, I reference it here as well :) Cheers! Sylvain

Time allocation per CVE

2019-03-11 Thread Sylvain Beucler
Hi, I spent the day reproducing (unbreaking) the sqlalchemy exploit, figuring out how to run the test suite, attempting a backport of the upstream fix, plus some communication. I did about the same for the gnutls/nettle issue last week (only to conclude with a no-dsa T_T). While I believe those

Accepted glib2.0 2.42.1-1+deb8u1 (source all amd64) into oldstable

2019-06-18 Thread Sylvain Beucler
: source all amd64 Version: 2.42.1-1+deb8u1 Distribution: jessie-security Urgency: high Maintainer: Debian GNOME Maintainers Changed-By: Sylvain Beucler Description: libgio-fam - GLib Input, Output and Streaming Library (fam module) libglib2.0-0 - GLib library of C routines libglib2.0-0-dbg

[SECURITY] [DLA 1826-1] glib2.0 security update

2019-06-18 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: glib2.0 Version: 2.42.1-1+deb8u1 CVE ID : CVE-2019-12450 Debian Bug : 929753 It was discovered that GLib does not properly restrict some file permissions while a copy operation is in progress; instead, default

Accepted kdepim 4:4.14.1-1+deb8u2 (source all amd64) into oldstable

2019-06-18 Thread Sylvain Beucler
Distribution: jessie-security Urgency: high Maintainer: Debian Qt/KDE Maintainers Changed-By: Sylvain Beucler Description: akonadiconsole - management and debugging console for akonadi akregator - RSS/Atom feed aggregator blogilo- graphical blogging client kaddressbook - address book and contact

[SECURITY] [DLA 1825-1] kdepim security update

2019-06-18 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: kdepim Version: 4:4.14.1-1+deb8u2 CVE ID : CVE-2019-10732 Debian Bug : 926996 A reply-based decryption oracle was found in kdepim, which provides the KMail e-mail client. An attacker in possession of S/MIME or

openjdk-7 status

2019-05-13 Thread Sylvain Beucler
Hi, openjdk-7 is back in dla-needed.txt with the commit message "Sounds serious enough". However it was re-added the day after DLA-1782-1 and there's no new CVE since. Was it an oversight, or was it meant to reconsider https://security-tracker.debian.org/tracker/CVE-2019-2697 which wasn't

Re: dns-root-data in Jessie LTS

2019-05-13 Thread Sylvain Beucler
ffic with old key that DNS > Root Operators > see at root servers. > > Just make sure it contains only the new DNSKEY (2017) and not both. > > Thanks, > Ondrej > -- > Ondřej Surý > ond...@isc.org > >> On 14 May 2019, at 01:38, Sylvain Beucler wrote: >> >&

Re: dns-root-data in Jessie LTS

2019-05-13 Thread Sylvain Beucler
Hi, On 13/05/2019 05:43, Ondřej Surý wrote: > could you please update dns-root-data package in Jessie LTS to latest version > from Unstable/Stretch? I'll backport it following dkg's stretch update. Besides setting up a bind9, anything we should test? Cheers! Sylvain

Re: improving https://wiki.debian.org/LTS/Development

2019-05-16 Thread Sylvain Beucler
Hi, On 16/05/2019 09:40, Christoph Berg wrote: > Re: Holger Levsen 2019-05-15 <20190515130831.qcgsaiig3bh3b...@layer-acht.org> >> Should we maybe put just this on a page called >> https://wiki.debian.org/LTS/Development/TLDR >> which then people can look at when they occasionally do a DLA? >> >>

Re: dns-root-data in Jessie LTS

2019-05-15 Thread Sylvain Beucler
Ping ? :) On 13/05/2019 21:14, Sylvain Beucler wrote: > Hi, > > AFAICS dns-root-data has no reverse-dependency in Jessie (I ran the > script in a more recent box and got confused). > Does it make sense to update it after all? > > bind9 ships 3 keys in /etc/bind/bind.keys with

LTS report for April

2019-04-29 Thread Sylvain Beucler
Hi, My report for April is available: https://blog.beuc.net/posts/Debian_LTS_-_April_2019/ Cheers! Sylvain

Accepted firefox-esr 60.6.2esr-1~deb8u1 (source amd64 all) into oldstable

2019-05-06 Thread Sylvain Beucler
-security Urgency: medium Maintainer: Maintainers of Mozilla-related packages Changed-By: Sylvain Beucler Description: firefox-esr - Mozilla Firefox web browser - Extended Support Release (ESR) firefox-esr-dbg - Debugging symbols for Firefox ESR firefox-esr-l10n-ach - Acoli language package

[SECURITY] [DLA 1780-1] firefox-esr new upstream version

2019-05-06 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: firefox-esr Version: 60.6.2esr-1~deb8u1 Debian Bug : 928415 928449 928509 Firefox 60.6.2 ESR repairs a certificate chain issue that caused extensions to be disabled in the past few days. More information, and details

Re: Firefox insecure because of missing extensions

2019-05-06 Thread Sylvain Beucler
Hi, On 06/05/2019 23:33, Sylvain Beucler wrote: > On 06/05/2019 15:47, Hideki Yamane wrote: >> On Mon, 6 May 2019 15:04:09 +0200 Karsten wrote: >>> Package: firefox-esr >>> Version: 60.6.1esr-1~deb8u1 >> It was already done in unstable and stable-proposed-upd

Re: Firefox insecure because of missing extensions

2019-05-06 Thread Sylvain Beucler
Hi, On 06/05/2019 15:47, Hideki Yamane wrote: > On Mon, 6 May 2019 15:04:09 +0200 Karsten wrote: >> Package: firefox-esr >> Version: 60.6.1esr-1~deb8u1 > It was already done in unstable and stable-proposed-updates, and > reporter asks about oldstable, so CC:ed to lts mailing list. > > LTS

Reference nodejs in debian-security-support?

2019-07-03 Thread Sylvain Beucler
Hi, I just discovered this while triaging node-fstream: https://www.debian.org/releases/oldstable/amd64/release-notes/ch-information.en.html#libv8 https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#libv8 "Unfortunately, this means that libv8-3.14, nodejs, and the

Re: Free Frontdesk slots this month

2019-07-06 Thread Sylvain Beucler
Hi, On 05/07/2019 12:29, Abhijith PA wrote: > On 04/07/19 3:53 pm, Sylvain Beucler wrote: >> Hi, >> >> There are 2 free Frontdesk slots in the upcoming weeks. >> Volunteers wanted :) >> >> From 08-07 to 14-07: Chris Lamb >> From 15-07

Re: [SECURITY] [DLA 1826-1] glib2.0 security update

2019-06-26 Thread Sylvain Beucler
Hi Mike, On Mon, Jun 24, 2019 at 08:28:11AM +, Mike Gabriel wrote: > On Di 18 Jun 2019 22:47:44 CEST, Sylvain Beucler wrote: > > > Package: glib2.0 > > Version: 2.42.1-1+deb8u1 > > CVE ID : CVE-2019-12450 > > Debian Bug : 929

Re: On (semi-)automated testing and improved workflow of LTS uploads

2019-07-11 Thread Sylvain Beucler
Hi, On 11/07/2019 15:20, Jonas Meurer wrote: >> Many packages are packaged in Git already (probably on Salsa) and have a >> repo location of their own. With applying GitLab based CI to the >> workflow, the LTS team would add an extra Git repo, just for the LTS >> uploads done by the paid

Free Frontdesk slots this month

2019-07-04 Thread Sylvain Beucler
Hi, There are 2 free Frontdesk slots in the upcoming weeks. Volunteers wanted :) From 08-07 to 14-07: Chris Lamb From 15-07 to 21-07: From 22-07 to 28-07: Thorsten Alteholz From 29-07 to 04-08: https://wiki.debian.org/LTS/Development#Frontdesk_duties - Sylvain

Re: change in LTS procedures: publish DLAs on www.debian.org

2019-04-23 Thread Sylvain Beucler
How about following the earlier instructions? /!\ We recommend you request membership to the salsa webmaster-team group. :) - Sylvain On 22/04/2019 19:33, Ola Lundqvist wrote: > Great. Now I think I can follow the instructions. :-) > > On Mon, 22 Apr 2019 at 15:34, Holger Levsen

Accepted ghostscript 9.26a~dfsg-0+deb8u2 (source all amd64) into oldstable

2019-04-23 Thread Sylvain Beucler
-security Urgency: high Maintainer: Debian Printing Team Changed-By: Sylvain Beucler Description: ghostscript - interpreter for the PostScript language and for PDF ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug symbo ghostscript-doc - interpreter

[SECURITY] [DLA 1761-1] ghostscript security update

2019-04-23 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: ghostscript Version: 9.26a~dfsg-0+deb8u2 CVE ID : CVE-2019-3835 CVE-2019-3838 Debian Bug : 925256 925257 Cedric Buissart discovered two vulnerabilities in Ghostscript, the GPL PostScript/PDF interpreter, which

Re: LTS, no-dsa reasoning and sponsored packages

2019-04-09 Thread Sylvain Beucler
Hi, On 09/04/2019 09:50, Ingo Wichmann wrote: > labeling it "minor issues" when the real reason is "sponsors needed" > sounds wrong to me. That's never been the real reason so far AFAICS, only a complementary reason.     [jessie] - libpodofo (DoS, not used by any sponsor)     [jessie] -

Re: Wheezy/ELTS samba update broken for i386 arch

2019-04-10 Thread Sylvain Beucler
ls > [1.2.10-2]  update-inetd{a} [4.43] > 0 packages upgraded, 9 newly installed, 0 to remove and 4 not upgraded. AFAICS the u19 update was pushed for amd64 but not for i386 (yet?). Mike? Cheers! Sylvain Beucler Debian LTS

Re: LTS, no-dsa reasoning and sponsored packages

2019-04-16 Thread Sylvain Beucler
Hi, On 16/04/2019 09:20, Raphael Hertzog wrote: > On Tue, 09 Apr 2019, Sylvain Beucler wrote: >> On 09/04/2019 09:50, Ingo Wichmann wrote: >>> labeling it "minor issues" when the real reason is "sponsors needed" >>> sounds wrong to me. >>

Accepted tomcat8 8.0.14-1+deb8u15 (source all) into oldoldstable

2019-08-13 Thread Sylvain Beucler
: 8.0.14-1+deb8u15 Distribution: jessie-security Urgency: high Maintainer: Debian Java Maintainers Changed-By: Sylvain Beucler Description: libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0

[SECURITY] [DLA 1883-1] tomcat8 security update

2019-08-13 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: tomcat8 Version: 8.0.14-1+deb8u15 CVE ID : CVE-2016-5388 CVE-2018-8014 CVE-2019-0221 Debian Bug : 929895 898935 Several minor issues have been fixed in tomcat8, a Java Servlet and JSP engine. CVE-2016-5388

Re: On tomcat FTBFS.

2019-08-13 Thread Sylvain Beucler
Hi, On Thu, Aug 08, 2019 at 02:15:52PM +0200, Markus Koschany wrote: > Am 08.08.19 um 00:50 schrieb Sylvain Beucler: > > So I reworked CVE-2017-5647, which involved 5 new commits related to > > non-blocking I/O (NIO2 and COMET). > > Stable build. > > > > Then

Re: firefox-esr 60.8.0esr-1 still missing for jessie

2019-07-31 Thread Sylvain Beucler
some progress by next week (otherwise another LTS member will take care of it). Cheers! Sylvain Beucler - Debian LTS Team

Re: unzip CVE-2019-13232

2019-08-03 Thread Sylvain Beucler
Hi, On Sat, Aug 03, 2019 at 09:12:32AM +0200, Salvatore Bonaccorso wrote: > On Fri, Aug 02, 2019 at 06:48:05PM +0200, Markus Koschany wrote: > > Hello Salvatore, > > > > my last email regarding unzip, CVE-2019-13232, apparently remained > > unanswered [1] but I feel it needs a clarification

[SECURITY] [DLA 1871-1] vim security update

2019-08-03 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: vim Version: 2:7.4.488-7+deb8u4 CVE ID : CVE-2017-11109 CVE-2017-17087 CVE-2019-12735 Debian Bug : 867720 930020 Several minor issues have been fixed in vim, a highly configurable text editor. CVE-2017-11109

Re: unzip CVE-2019-13232

2019-08-03 Thread Sylvain Beucler
On 03/08/2019 14:05, Markus Koschany wrote: > Am 03.08.19 um 10:55 schrieb Sylvain Beucler: > [...] >> When an early fix is more likely to introduce regressions than protect >> users from real-world attacks, don't we mark it as 'postponed'? > We only postpone a fix if t

Re: (minor) vs. ($not-fixable-because) (was: Re: gnutls/nettle (CVE-2018-16868/CVE-2018-16869))

2019-08-30 Thread Sylvain Beucler
Hi, On 30/08/2019 10:28, Mike Gabriel wrote: > Hi Sylvain, hi all, > > On  Fr 08 Mär 2019 11:03:49 CET, Sylvain Beucler wrote: > >> Hi, >> >> On 04/03/2019 17:37, Sylvain Beucler wrote: >>> On 04/03/2019 16:55, Markus Koschany wrote: >>&g

qemu status

2019-09-04 Thread Sylvain Beucler
Hi Gabriel, hi all :) We have a prepared QEMU update from 3 months ago that needs attention: https://packages.sunweavers.net/debian/pool/main/q/qemu/ It fixes: CVE-2017-9375 CVE-2019-12155 CVE-2017-15124 CVE-2016-5403 CVE-2016-5126 Since then we got: CVE-2019-14378 CVE-2019-13164 CVE-2019-12068

Accepted freetype 2.5.2-3+deb8u4 (source amd64) into oldoldstable

2019-09-04 Thread Sylvain Beucler
: Steve Langasek Changed-By: Sylvain Beucler Description: freetype2-demos - FreeType 2 demonstration programs libfreetype6 - FreeType 2 font engine, shared library files libfreetype6-dev - FreeType 2 font engine, development files libfreetype6-udeb - FreeType 2 font engine for the debian-installer

[SECURITY] [DLA 1909-1] freetype security update

2019-09-04 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: freetype Version: 2.5.2-3+deb8u4 CVE ID : CVE-2015-9381 CVE-2015-9382 CVE-2015-9383 Several newly-referenced issues have been fixed in the FreeType 2 font engine. CVE-2015-9381 heap-based buffer over-read in

Accepted libonig 5.9.5-3.2+deb8u3 (source amd64) into oldoldstable

2019-09-12 Thread Sylvain Beucler
-By: Sylvain Beucler Description: libonig-dev - Development files for libonig2 libonig2 - Oniguruma regular expressions library libonig2-dbg - Debugging symbols for libonig2 Changes: libonig (5.9.5-3.2+deb8u3) jessie-security; urgency=high . * Non-maintainer upload by the LTS team

[SECURITY] [DLA 1918-1] libonig security update

2019-09-12 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: libonig Version: 5.9.5-3.2+deb8u3 CVE ID : CVE-2019-16163 Debian Bug : 939988 The Oniguruma regular expressions library, notably used in PHP mbstring, is vulnerable to stack exhaustion. A crafted regular

qemu: request for testing

2019-09-13 Thread Sylvain Beucler
tly at various places.    * CVE-2016-5126: block/iscsi: avoid potential overflow of acb->task->cdb.    * Remove unused/redundant patch files.  .    [Sylvain Beucler]    * CVE-2019-12068: scsi: lsi: exit infinite loop while executing script    * CVE-2019-13164: qemu-bridge-helper.c in QEMU 4

Re: qemu status

2019-09-12 Thread Sylvain Beucler
Hi, I have an updated package at: https://www.beuc.net/tmp/debian-lts/qemu/ The package appears globally stable with KVM and Xen. I found 1 regression: connecting to qemu's VNC server crashes the process. This means there's probably an issue among CVE-2017-15124's 10 patches :/ (on a positive

Re: qemu status

2019-09-09 Thread Sylvain Beucler
Ping? - Sylvain On 04/09/2019 15:41, Sylvain Beucler wrote: > Hi Mike, hi all :) > > We have a prepared QEMU update from 3 months ago that needs attention: > https://packages.sunweavers.net/debian/pool/main/q/qemu/ > > It fixes: > CVE-2017-9375 CVE-2019-12155 CVE-2017-15

Re: qemu status

2019-09-09 Thread Sylvain Beucler
Hi! On Mon, Sep 09, 2019 at 06:35:37PM +, Mike Gabriel wrote: > On Mo 09 Sep 2019 11:23:59 CEST, Sylvain Beucler wrote: > > On 04/09/2019 15:41, Sylvain Beucler wrote: > > > We have a prepared QEMU update from 3 months ago that needs attention: > > > https://pac

Re: On tomcat FTBFS.

2019-08-07 Thread Sylvain Beucler
Hi, It appears that the CVE-2017-5647 fix lacked this pre-requisite: https://bz.apache.org/bugzilla/show_bug.cgi?id=57799 https://svn.apache.org/viewvc?view=revision=1712081 The test case is not flaky anymore, I'm going to test full builds again. Cheers! Sylvain On 07/08/2019 00:45, Sylvain

Re: On tomcat FTBFS.

2019-08-07 Thread Sylvain Beucler
accordingly (new client DN). At last we have a working package that passes the testsuite. How would you smoke-test it? https://www.beuc.net/tmp/debian-lts/tomcat8/ (Now maybe I can start working on the actual CVEs :)) Cheers! Sylvain On 07/08/2019 12:29, Sylvain Beucler wrote: > Hi, > > I

Re: MariaDB uploaders: Please use Salsa and Salsa-CI

2019-07-27 Thread Sylvain Beucler
Hi, On 25/07/2019 22:03, Otto Kekäläinen wrote: > Hello Emilio and anybody else who might at some point upload MariaDB > to jessie-security or stretch-security! > > Please use as the starting point the latest version in the MariaDB > team Salsa repos > - mariadb-10.0 branch 'jessie' > -

Re: On tomcat FTBFS.

2019-08-06 Thread Sylvain Beucler
Hi Markus, I'm investigating tomcat8's FTBFS and I confirm Abhijith's findings in a Jessie VM: - test catalina/connector/TestSendFile.java fails with nio2 connector but is not reliable and will report success ~1 out of 10 even with lots of exceptions; catalina.log will report header parsing

[SECURITY] [DLA 1868-1] squirrelmail security update

2019-08-01 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: squirrelmail Version: 2:1.4.23~svn20120406-2+deb8u4 CVE ID : CVE-2019-12970 A XSS vulnerability was discovered in SquirrelMail. Due to improper handling of RCDATA and RAWTEXT type elements, the built-in

Upload good practices

2019-08-01 Thread Sylvain Beucler
Hi, I added a couple mementos at https://wiki.debian.org/LTS/Development about building and testing security uploads. Let me know if this can be improved :) Copy/paste: - pbuilder usage: # Init (note: jessie->jessie buggy https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806377) sudo pbuilder

Re: New list: lts-do-call-me

2019-07-17 Thread Sylvain Beucler
Hi Markus, On 17/07/2019 17:16, Markus Koschany wrote: > Am 17.07.19 um 16:46 schrieb Roberto C. Sánchez: >> On Wed, Jul 17, 2019 at 11:26:56AM -0300, Markus Koschany wrote: >>> lts-do-call-me contains all maintainers and/or source >>> packages that should be handled by the maintainer. Please

Re: [SECURITY] [DLA 1942-1] phpbb3 security update

2019-10-01 Thread Sylvain Beucler
Hi Gabriel, I see you reverted affectation for CVE-2019-13376. CVE-2019-13376 is a follow-up fix to CVE-2019-16993 (2016) which I registered just yesterday to clarify that we've been missing this earlier fix (AFAICS unsuccessfully ;)). CVE-2019-13376 applies to 3.2.7 which already has the fix

Re: [SECURITY] [DLA 1942-1] phpbb3 security update

2019-10-02 Thread Sylvain Beucler
Hi Mike, On Wed, Oct 02, 2019 at 02:01:25PM +, Mike Gabriel wrote: > On Di 01 Okt 2019 13:32:25 CEST, Sylvain Beucler wrote: > > I see you reverted affectation for CVE-2019-13376. > > > > CVE-2019-13376 is a follow-up fix to CVE-2019-16993 (2016) which I > >

Re: firefox-esr 60.9.0esr-1~deb8u1 i386 build

2019-09-29 Thread Sylvain Beucler
e for target 'Unified_cpp_protocol_http1.o' failed make[5]: *** [Unified_cpp_protocol_http1.o] Error 1 Is there a simple way to restart the build, possibly without parallelism? Emilio? Cheers! Sylvain Beucler - Debian LTS Team

Accepted qemu 1:2.1+dfsg-12+deb8u12 (source amd64) into oldoldstable

2019-09-20 Thread Sylvain Beucler
-binfmt qemu-utils qemu-guest-agent qemu-kvm Architecture: source amd64 Version: 1:2.1+dfsg-12+deb8u12 Distribution: jessie-security Urgency: medium Maintainer: Debian QEMU Team Changed-By: Sylvain Beucler Description: qemu - fast processor emulator qemu-guest-agent - Guest-side qemu-system

[SECURITY] [DLA 1927-1] qemu security update

2019-09-20 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: qemu Version: 1:2.1+dfsg-12+deb8u12 CVE ID : CVE-2016-5126 CVE-2016-5403 CVE-2017-9375 CVE-2019-12068 CVE-2019-12155 CVE-2019-13164 CVE-2019-14378 CVE-2019-15890 Debian Bug : 826151 832619

Re: CVE-2019-16935/python*

2019-09-30 Thread Sylvain Beucler
Hi, On 28/09/2019 22:36, Ola Lundqvist wrote: > I have looked a little into CVE-2019-16935. My conclusion is that the > package is vulnerable but I could not really judge its severity. I have > a question though. If we find that we should correct it, shouldn't we > correct also jython and

Training process

2019-09-30 Thread Sylvain Beucler
Hi, First, welcome to Utkarsh Gupta in the team :) From what I understand there was a training during July and August, resulting in active status this month. I saw zero traces of this training besides a passing anonymous mention in Raphael's reports. Possibly we can clarify this a lil' bit? Or

Re: Training process

2019-10-01 Thread Sylvain Beucler
Hi, Team ACME gets a new member. No reaction. When asked what happened: - team member A: no time - team member B: not a documented process - team member C: maybe new member did something wrong - team member D: will be introduced in 3 weeks with the report - team member E: I thought it was a user

Re: cpio and CVE-2019-14866 for testing

2019-11-03 Thread Sylvain Beucler
Hi, On 29/10/2019 23:12, Ola Lundqvist wrote: > Hi LTS contributors > > I have built a cpio package with CVE-2019-14866 corrected. > According to my testing it is no longer possible to reproduce the > problem reported in this CVE. > > You can find the packages I have produced here: >

Re: Security issues in standards (ruby-openid / CVE-2019-11027)

2019-11-07 Thread Sylvain Beucler
Hi, On 06/11/2019 21:14, Utkarsh Gupta wrote: > On 06/11/19 11:47 am, Brian May wrote: >> Utkarsh Gupta writes: >> >>> I am not quite sure about what should we do here because the update (DLA >>> 1956-1) doesn't quite fix the CVE completely and also brings some login >>> problems as reported in

Re: Introduction new LTS trainee

2019-11-07 Thread Sylvain Beucler
Hi, On 06/11/2019 12:22, Dylan Aïssi wrote: > After several emails exchanged with Holger and Raphaël, I am now a LTS > trainee :-). > I am still learning how to deal with the LTS workflow, so you can > expect some questions from my side. > > Otherwise, I am DD since September 2018 and mainly

Re: (E)LTS report for October

2019-11-12 Thread Sylvain Beucler
Hi, On 10/11/2019 21:41, Brian May wrote: > Holger Levsen writes: > >> then, just for the record, this was discussed with Raphael and me. Please >> don't do more hours than assigned without coordination. See "What should >> I do if I work more than the hours allocated?" in debian-lts.git for >>
