Debian LTS and ELTS - March 2024

2024-04-02 Thread Sylvain Beucler
xian.com - Update upcoming ELA documentation rdeps status updated ~every hour Fix missing dcut suite (internal) - IRC meeting -- Sylvain Beucler Debian LTS Team

Re: Remove runc from dla-needed

2024-04-08 Thread Sylvain Beucler
Hi, Please read the dla-needed.txt entry. It says we should sync *bullseye*. Cheers! Sylvain On 07/04/2024 23:47, Ola Lundqvist wrote: Hi fellow LTS contributors I was about to assign runc to myself but realized that it should not be in dla-needed. There is just one CVE to be fixed and that

Re: How to handle freeimage package

2024-04-08 Thread Sylvain Beucler
Hi, I think this requires a bit of coordination: - the package is basically dead upstream, there hasn't been a fix in the official repos, neither Debian or other distros attempted to fix them - we do have a sponsor for LTS and ELTS/stretch, so we're paid to take care of this package - secteam

Debian LTS and ELTS - April 2024

2024-05-02 Thread Sylvain Beucler
- Help with handling package / understand triage: https://lists.debian.org/debian-lts/2024/04/msg00014.html https://lists.debian.org/debian-lts/2024/04/msg00015.html - Jitsi meeting Also took notes: https://lists.debian.org/debian-lts/2024/04/msg00113.html -- Sylvain Beucler Debian LTS

Re: Fixing glib2.0 CVE-2024-34397 in buster

2024-05-11 Thread Sylvain Beucler
edure :) Cheers! Sylvain Beucler Debian LTS Team On 10/05/2024 17:02, Simon McVittie wrote: Please cc either me or the glib2.0 package's address on any replies that are relevant outside the LTS team: I am not subscribed to -lts. Normally I don't attempt to support any packages in the LTS dis

Debian LTS and ELTS - May 2024

2024-06-01 Thread Sylvain Beucler
LTS security tracker: optimize lengthy post-commit checks - Report issue with pyxian source access - IRC meeting https://meetbot.debian.net/debian-lts/2024/debian-lts.2024-05-23-14.00.html -- Sylvain Beucler Debian LTS Team

Debian LTS and ELTS - June 2024

2024-07-01 Thread Sylvain Beucler
) - Jitsi Meeting https://lists.debian.org/debian-lts/2024/06/msg00012.html -- Sylvain Beucler Debian LTS Team

Debian LTS and ELTS - July 2024

2024-08-01 Thread Sylvain Beucler
-tracker/-/blob/master/conf/pre-commit-elts - ELTS security tracker WebUI: help debug missing buster-lts source https://deb.freexian.com/extended-lts/tracker/ - security-tracker: fix 2 issues causing cron warnings every 15 min - IRC meeting http://meetbot.debian.net/debian-lts/2024/debian-lts.2024-07-18-14.01.html -- Sylvain Beucler Debian LTS Team

Re: gpac end-of-life in stretch (and recommendation for buster/bullseye)

2024-08-08 Thread Sylvain Beucler
://tracker.debian.org/news/1548977/removed-221dfsg1-31-from-unstable/ gpac in bullseye still has >100 open CVEs and I don't believe the situation described by Roberto improved. Do we want to mark gpac EOL for bullseye as well? Cheers! Sylvain Beucler Debian LTS Team From: Roberto C. Sánchez Date:

Security support for pypy and jython

2024-08-08 Thread Sylvain Beucler
limited-support, in debian-security-support? Incidentally are there other packages that mass-embed python2 stdlib that we should also consider (I checked data/embedded-code-copies)? Cheers! Sylvain Beucler Debian LTS Team

Re: gpac end-of-life in stretch (and recommendation for buster/bullseye)

2024-08-09 Thread Sylvain Beucler
Hi, On 08/08/2024 15:20, Santiago Ruano Rincón wrote: On 08/08/24 at 11:56, Sylvain Beucler wrote: Since then: - gpac was EOLd in buster https://salsa.debian.org/debian/debian-security-support/-/commit/a0bfdf01d404aba46893d2971d776f8f7fb5337e - gpac was removed from bookworm https

Re: Security support for pypy and jython

2024-08-13 Thread Sylvain Beucler
Hi, On 13/08/2024 11:54, Moritz Mühlenhoff wrote: On Mon, Aug 12, 2024 at 03:10:06PM -0300, Santiago Ruano Rincón wrote: On 08/08/24 at 12:10, Sylvain Beucler wrote: python2.7 was marked unsupported in bullseye. We recently noted that pypy[v2] (included up to bullseye) and jython (all

Re: make-scratch-ntfs script

2024-08-14 Thread Sylvain Beucler
.. test.ntfs /mnt/t/ also 'umount -l' sounds like troubles :) Cheers! Sylvain Beucler Debian LTS Team

Re: Make stable-security build logs public after embargo

2024-08-22 Thread Sylvain Beucler
Hi Wanna-Build Team, On 19/08/2024 18:57, Aurelien Jarno wrote: On 2024-08-14 12:59, Santiago Ruano Rincón wrote: On 13/12/23 at 11:56, Salvatore Bonaccorso wrote: On Wed, Dec 13, 2023 at 07:50:38AM +0100, Sylvain Beucler wrote: Actually we have a summary of the situation here: https

Debian LTS and ELTS - August 2024

2024-09-02 Thread Sylvain Beucler
https://manpages.debian.org/unstable/autodep8/autodep8.1.en.html - How to create an arm* VM from an AMD64 host, for testing purposes, using debvm-create - Monthly team meeting (through Jitsi) Acted as secretary https://lists.debian.org/debian-lts/2024/08/msg00041.html -- Sylvain Beucler Debian LTS Team

Re: Looking for collaborator for MariaDB 10.5 and Galera 4

2024-09-07 Thread Sylvain Beucler
at * https://salsa.debian.org/mariadb-team/mariadb-10.5/-/merge_requests * https://salsa.debian.org/mariadb-team/galera-4/-/merge_requests YES :) Let me know when the new versions are available for review. Cheers! Sylvain Beucler Debian LTS Team

Re: Looking for collaborator for MariaDB 10.5 and Galera 4

2024-09-10 Thread Sylvain Beucler
Hi Otto, On 10/09/2024 16:36, Otto Kekäläinen wrote: Thanks for your review on these yesterday! I have updated both to address your feedback: https://salsa.debian.org/mariadb-team/galera-4/-/merge_requests/27 https://salsa.debian.org/mariadb-team/mariadb-10.5/-/merge_requests/18 Can you add th

phpmyadmin CVE-2019-6799 review request

2019-02-23 Thread Sylvain Beucler
high + + * Non-maintainer upload by the Debian LTS team. + * Fix CVE-2019-6799: information leak (arbitrary file read) using SQL +queries. + + -- Sylvain Beucler Sun, 24 Feb 2019 01:12:19 +0100 + phpmyadmin (4:4.2.12-2+deb8u4) jessie-security; urgency=high * Non-maintainer upload by the

Experimenting with phpmyadmin's testsuite

2019-02-25 Thread Sylvain Beucler
Hi, Since phpmyadmin is a regular guest here, I checked how its repository testsuite performs. (I didn't find prior work in that area on the list.) Lots of errors/incomplete/skipped even with the upstream source, lots of deprecation warnings. The unit tests quickly halt on Debian's patched codeb

Re: phpmyadmin: CVE-2019-6799: PMASA-2019-1

2019-02-27 Thread Sylvain Beucler
Uploaded to jessie-security.

gnutls/nettle (CVE-2018-16868/CVE-2018-16869)

2019-03-04 Thread Sylvain Beucler
Hi, I'm working on CVE-2018-16868/CVE-2018-16869, a side-channel attack that affects gnutls and nettle, disclosed 2018-12, tagged low/local. Unlike what I read in data/CVE/list, I understand that the nettle fix is not just a new function - it's a rewrite of the RSA functions, complemented by a

Re: gnutls/nettle (CVE-2018-16868/CVE-2018-16869)

2019-03-04 Thread Sylvain Beucler
Hi, On 04/03/2019 16:55, Markus Koschany wrote: > On 04.03.19 at 16:33, Sylvain Beucler wrote: > [...] >> I see this as a strong signal that we should not attempt to backport the >> fix, and go with a (minor). >> >> Alternatively we could upgrade nettle (libnettle4

Re: Request for testing - symfony

2019-03-04 Thread Sylvain Beucler
Hi, On 02/03/2019 18:46, Roberto C. Sánchez wrote: > I have prepared an update to symfony (version 2.3.21+dfsg-4+deb8u4) > which is in need of testing. I intend to upload in one week's time if I do > not receive any reports of problems. Read on for details if you are in > a position to help with te

Re: gnutls/nettle (CVE-2018-16868/CVE-2018-16869)

2019-03-08 Thread Sylvain Beucler
Hi, On 04/03/2019 17:37, Sylvain Beucler wrote: > On 04/03/2019 16:55, Markus Koschany wrote: >> On 04.03.19 at 16:33, Sylvain Beucler wrote: >> [...] >>> I see this as a strong signal that we should not attempt to backport the >>> fix, and go with a (minor

Contacting maintainers about no-dsa

2019-03-08 Thread Sylvain Beucler
Hi, At the wiki process page we say: https://wiki.debian.org/LTS/Development#Contact_the_maintainer   When we tag issues as "no-dsa", and don't plan to take care of the updates by ourselves, then we use it in this way:   $ bin/contact-maintainers --lts --no-dsa sudo CVE-2014-9680 CVE-2014-0106 I

Re: Debian/LTS newbie question

2019-03-09 Thread Sylvain Beucler
Hi, On 09/03/2019 11:44, th.pitsc...@uni.de wrote: > Hello list members, > > is it correct to assume that in Debian versions entering "obsolete" > state, any "aptitude safe-upgrade" will stop upgrading to newer > packages other than for the reason of security fixes? > > When exactly would also the

Re: Contacting maintainers about no-dsa

2019-03-11 Thread Sylvain Beucler
Hi, On 08/03/2019 15:54, Holger Levsen wrote: > On Fri, Mar 08, 2019 at 12:22:40PM +0100, Sylvain Beucler wrote: >> I was about to contact the nettle and gnutls maintainers, but after >> discussing with Emilio on IRC it appears that we do not contact >> maintainers for this

sqlalchemy testsuite

2019-03-11 Thread Sylvain Beucler
Hi, Here are some notes about running the sqlalchemy test suite on jessie. The document leaves a lot of the setup up to the user. I still have some failures with MySQL and Unicode, even when configuring everything in utf8... I'm aggregating test suite notes at https://wiki.debian.org/LTS/TestSuit

Time allocation per CVE

2019-03-11 Thread Sylvain Beucler
Hi, I spent the day reproducing (unbreaking) the sqlalchemy exploit, figuring out how to run the test suite, attempting a backport of the upstream fix, plus some communication. I did about the same for the gnutls/nettle issue last week (only to conclude with a no-dsa T_T). While I believe those

sqlalchemy security fix available for testing

2019-03-12 Thread Sylvain Beucler
Hi, I made a fix for sqlalchemy available for testing (CVE-2019-7164/7548): https://people.debian.org/~beuc/lts/sqlalchemy/ Upstream author Mike Bayer warns that this might break applications, hence if you depend on sqlalchemy you are encouraged to test: https://gerrit.sqlalchemy.org/#/c/sqla

Re: DLAs in the website: some updates and issues

2019-03-18 Thread Sylvain Beucler
Hi, On 18/03/2019 09:55, Brian May wrote: > Laura Arjona Reina writes: > >> Other option is, instead of looking at the html code, doing >> >> make dla-123-1.en.html >> >> and open the resulting html file with a web browser. > This command did not work for me, I had to use "make -C 2019 > dla-1716

Re: DLAs in the website: some updates and issues

2019-03-18 Thread Sylvain Beucler
Hi, On Thu, Mar 07, 2019 at 08:02:18PM +0100, Laura Arjona Reina wrote: > On 5/3/19 at 16:07, Markus Koschany wrote: > > thank you for your work on our website. Ideally we would like to make > > the whole process fully automatic without the need for any manual > > interaction. > > This is

ghostscript testing

2019-03-25 Thread Sylvain Beucler
Hi, I prepared an update for ghostscript. https://people.debian.org/~beuc/lts/ghostscript/ Even if we recently rebased to the latest upstream in jessie, the upstream patches did not apply cleanly and I did my best to replicate the changes. Note: we ship a 9.26*a* version which upstream does not p

Re: ghostscript testing

2019-03-25 Thread Sylvain Beucler
On 25/03/2019 16:11, Sylvain Beucler wrote: > Hi, > > I prepared an update for ghostscript. > https://people.debian.org/~beuc/lts/ghostscript/ > > Even if we recently rebased to the latest upstream in jessie, the > upstream patches did not apply cleanly and I did my best to re

Re: ghostscript testing

2019-03-26 Thread Sylvain Beucler
Hi, On 25/03/2019 16:13, Sylvain Beucler wrote: > On 25/03/2019 16:11, Sylvain Beucler wrote: >> Hi, >> >> I prepared an update for ghostscript. >> https://people.debian.org/~beuc/lts/ghostscript/ >> >> Even if we recently rebased to the latest upstream in

Re: ghostscript testing

2019-03-27 Thread Sylvain Beucler
Hi, On 27/03/2019 00:00, Markus Koschany wrote: > On 26.03.19 at 15:55, Sylvain Beucler wrote: > [...] >> Markus, I read in the archives that you backported fixes in earlier >> security uploads - any other tip? :) > I did all the testing myself by setting up a Jessie env

Re: DLAs in the website: some updates and issues

2019-03-29 Thread Sylvain Beucler
Hi, On 18/03/2019 15:56, Sylvain Beucler wrote: > On Thu, Mar 07, 2019 at 08:02:18PM +0100, Laura Arjona Reina wrote: >> On 5/3/19 at 16:07, Markus Koschany wrote: >>> thank you for your work on our website. Ideally we would like to make >>> the whole process

Re: more missing DLAs on the website

2019-04-01 Thread Sylvain Beucler
Hi, Is there a rationale on why we are updating the website, by the way? And with a full copy of the advisory? (instead of e.g. pointing to the list archives). I wondered whether we needed translations at: https://lists.debian.org/debian-lts/2019/03/msg00101.html https://lists.debian.org/debian-lt

Re: more missing DLAs on the website

2019-04-02 Thread Sylvain Beucler
Hi, On 02/04/2019 10:59, Holger Levsen wrote: > On Mon, Apr 01, 2019 at 08:51:00PM +0200, Sylvain Beucler wrote: >> I wondered whether we needed translations at: > because: > [...] > - translations OK so I guess we need DLA translations ;) I wondered whether actual users a

Re: more missing DLAs on the website

2019-04-02 Thread Sylvain Beucler
Hi, On 02/04/2019 12:09, Holger Levsen wrote: > On Tue, Apr 02, 2019 at 11:52:58AM +0200, Sylvain Beucler wrote: >> OK so I guess we need DLA translations ;) >> I wondered whether actual users asked for them, but let's assume so. > you might not be aware, but: > >

Re: more missing DLAs on the website

2019-04-02 Thread Sylvain Beucler
Hi, On Tue, Apr 02, 2019 at 12:55:31PM +0200, Markus Koschany wrote: > On 02.04.19 at 12:39, Sylvain Beucler wrote: > > Ideally we could then cron this out as Markus suggested. > > So far I had no problems with the parse script. I just download the html > file from the DLA ann

Debian LTS logo

2019-04-05 Thread Sylvain Beucler
Hi, Is this our official logo? I was contemplating adding it to my monthly reports: https://raphaelhertzog.com/files/2015/03/Debian-LTS-2-small.png Also, is there a version in higher resolution? Cheers! Sylvain

Re: Fwd: [SECURITY] [DSA 4427-1] samba security update

2019-04-08 Thread Sylvain Beucler
Thanks Mathieu. I referenced it in our dla-needed.txt task list. A member of the LTS team will look into it. Cheers! Sylvain On 08/04/2019 11:10, Mathieu Parent wrote: > Dear LTS maintainers, > > See attached patch for CVE-2019-3880 in samba. > Don't know if it applies cleanly. > > Regards > >

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-04-08 Thread Sylvain Beucler
Hi, On 08/04/2019 14:32, Holger Levsen wrote: > I've done this again and am considering (in general) to not write these mails > anymore. Please speak up if you think these mails are useful (or could > be made more useful.) > > Today I do feel it's useful to point out, that one should not merely >

Re: LTS, no-dsa reasoning and sponsored packages

2019-04-08 Thread Sylvain Beucler
Hi, On 08/04/2019 21:56, Holger Levsen wrote: > On Mon, Apr 08, 2019 at 09:51:19PM +0200, Salvatore Bonaccorso wrote: >> Recently I noticed that for a no-dsa (either for no-dsa or the >> stronger ignored) as explanation was started to be used e.g. "not used >> by any sponsor". That sounds related

Re: LTS, no-dsa reasoning and sponsored packages

2019-04-09 Thread Sylvain Beucler
Hi, On 09/04/2019 09:50, Ingo Wichmann wrote: > labeling it "minor issues" when the real reason is "sponsors needed" > sounds wrong to me. That's never been the real reason so far AFAICS, only a complementary reason.     [jessie] - libpodofo (DoS, not used by any sponsor)     [jessie] - hoteldr

Re: LTS, no-dsa reasoning

2019-04-10 Thread Sylvain Beucler
Hi Salvatore, On 08/04/2019 22:18, Sylvain Beucler wrote: > On 08/04/2019 21:56, Holger Levsen wrote: >> On Mon, Apr 08, 2019 at 09:51:19PM +0200, Salvatore Bonaccorso wrote: >>> Recently I noticed that for a no-dsa (either for no-dsa or the >>> stronger ignored) as ex

Re: Wheezy/ELTS samba update broken for i386 arch

2019-04-10 Thread Sylvain Beucler
> [1.2.10-2]  update-inetd{a} [4.43] > 0 packages upgraded, 9 newly installed, 0 to remove and 4 not upgraded. AFAICS the u19 update was pushed for amd64 but not for i386 (yet?). Mike? Cheers! Sylvain Beucler Debian LTS

LTS report for March

2019-04-11 Thread Sylvain Beucler
Hi, I had posted my monthly report on my blog, which is aggregated at Planet Debian: https://blog.beuc.net/posts/Debian_LTS_-_March_2019/ https://planet.debian.org/ In case some of this list members left the RSS world, I reference it here as well :) Cheers! Sylvain

Re: LTS, no-dsa reasoning and sponsored packages

2019-04-16 Thread Sylvain Beucler
Hi, On 16/04/2019 09:20, Raphael Hertzog wrote: > On Tue, 09 Apr 2019, Sylvain Beucler wrote: >> On 09/04/2019 09:50, Ingo Wichmann wrote: >>> labeling it "minor issues" when the real reason is "sponsors needed" >>> sounds wrong to me. >> Th

Re: change in LTS procedures: publish DLAs on www.debian.org

2019-04-23 Thread Sylvain Beucler
How about following the earlier instructions? /!\ We recommend you request membership to the salsa webmaster-team group. :) - Sylvain On 22/04/2019 19:33, Ola Lundqvist wrote: > Great. Now I think I can follow the instructions. :-) > > On Mon, 22 Apr 2019 at 15:34, Holger Levsen

LTS report for April

2019-04-29 Thread Sylvain Beucler
Hi, My report for April is available: https://blog.beuc.net/posts/Debian_LTS_-_April_2019/ Cheers! Sylvain

Re: Firefox insecure because of missing extensions

2019-05-06 Thread Sylvain Beucler
Hi, On 06/05/2019 15:47, Hideki Yamane wrote: > On Mon, 6 May 2019 15:04:09 +0200 Karsten wrote: >> Package: firefox-esr >> Version: 60.6.1esr-1~deb8u1 > It was already done in unstable and stable-proposed-updates, and > reporter asks about oldstable, so CC:ed to lts mailing list. > > LTS ma

Re: Firefox insecure because of missing extensions

2019-05-06 Thread Sylvain Beucler
Hi, On 06/05/2019 23:33, Sylvain Beucler wrote: > On 06/05/2019 15:47, Hideki Yamane wrote: >> On Mon, 6 May 2019 15:04:09 +0200 Karsten wrote: >>> Package: firefox-esr >>> Version: 60.6.1esr-1~deb8u1 >> It was already done in unstable and stable-proposed-upd

openjdk-7 status

2019-05-13 Thread Sylvain Beucler
Hi, openjdk-7 is back in dla-needed.txt with the commit message "Sounds serious enough". However it was re-added the day after DLA-1782-1 and there's no new CVE since. Was it an oversight, or was it meant to reconsider https://security-tracker.debian.org/tracker/CVE-2019-2697 which wasn't address

Re: dns-root-data in Jessie LTS

2019-05-13 Thread Sylvain Beucler
Hi, On 13/05/2019 05:43, Ondřej Surý wrote: > could you please update dns-root-data package in Jessie LTS to latest version > from Unstable/Stretch? I'll backport it following dkg's stretch update. Besides setting up a bind9, anything we should test? Cheers! Sylvain

Re: dns-root-data in Jessie LTS

2019-05-13 Thread Sylvain Beucler
weird traffic with old key that DNS > Root Operators > see at root servers. > > Just make sure it contains only the new DNSKEY (2017) and not both. > > Thanks, > Ondrej > -- > Ondřej Surý > ond...@isc.org > >> On 14 May 2019, at 01:38, Sylvain Beucler wrote: >

Re: dns-root-data in Jessie LTS

2019-05-15 Thread Sylvain Beucler
Ping ? :) On 13/05/2019 21:14, Sylvain Beucler wrote: > Hi, > > AFAICS dns-root-data has no reverse-dependency in Jessie (I ran the > script in a more recent box and got confused). > Does it make sense to update it after all? > > bind9 ships 3 keys in /etc/bind/bind.keys with

Re: improving https://wiki.debian.org/LTS/Development

2019-05-16 Thread Sylvain Beucler
Hi, On 16/05/2019 09:40, Christoph Berg wrote: > Re: Holger Levsen 2019-05-15 <20190515130831.qcgsaiig3bh3b...@layer-acht.org> >> Should we maybe put just this on a page called >> https://wiki.debian.org/LTS/Development/TLDR >> which then people can look at when they occasionally do a DLA? >> >>

Re: Looking for collaborator for MariaDB 10.5 and Galera 4

2024-09-17 Thread Sylvain Beucler
Hi, On 17/09/2024 01:50, Otto Kekäläinen wrote: In any case our workflow is to start registering the DLAs once the package is built and installed on all archs, so if you decide to dput you could do that now. Do you plan to announce the DLA or do you want me to? I will do my own final checks, a
