Re: how to deal with widely used packages unsuitable for stable (was Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.)

2019-08-29 Thread Paul Gevers
Hi On 29-08-2019 14:28, Raphael Hertzog wrote: > (Note: pkg-security@tracker.d.o is not a valid email, dropped) > > Hi, > > On Thu, 29 Aug 2019, Holger Levsen wrote: >>> In general, we (Debian) don't have a good answer to this problem and >>> virtualbox is clearly a bad precedent. We really need

Re: Wheezy update of cacti?

2017-11-13 Thread Paul Gevers
Hi Ola, On 11/13/17 20:15, Ola Lundqvist wrote: > You are right two of the issues are not an issue in wheezy. I have > marked them accordingly. However one remains. I did not find time to > look through the last one. I have already looked at that, it is present. But please see my comments in bug

Re: Bug#881110: cacti: CVE-2017-16641: arbitrary execution of os commands via path_rrdtool parameter in an action=save request

2017-11-10 Thread Paul Gevers
Control: found 881110 0.8.8a+dfsg-5+deb7u10 On 07-11-17 22:17, Salvatore Bonaccorso wrote: > Please adjust the affected versions in the BTS as needed, only did > check unstable's version for now source-wise. All versions in Debian are affected. Unfortunately the upstream commit contains much unn

Re: Wheezy update of cacti?

2017-11-09 Thread Paul Gevers
Hi Ola On 08-11-17 21:21, Ola Lundqvist wrote: > The Debian LTS team would like to fix the security issues which are > currently open in the Wheezy version of cacti: > https://security-tracker.debian.org/tracker/CVE-2017-16641 > https://security-tracker.debian.org/tracker/CVE-2017-16660 > https://

Re: cacti LTS

2016-06-26 Thread Paul Gevers
Hi Emilio [By the way, I read debian-lts, so no need to mail me directly, dropped your To: as well]. On 26-06-16 10:40, Emilio Pozuelo Monfort wrote: >> I believe CVE-2016-2313 should be included in this fix. > > Certainly! I have backported the fix and included in this new debdiff. Looks good

Re: cacti LTS

2016-06-26 Thread Paul Gevers
Hi Emilio On 25-06-16 22:03, Emilio Pozuelo Monfort wrote: >> Just in case somebody starts working on it, I'd like to review proposed >> uploads of cacti to LTS. CVE-2016-2313 was initially wrongly fixed (a >> sledgehammer for a simple nail). CVE-2016-3659 still needs reproducing >> in Debian and

cacti & LTS

2016-04-30 Thread Paul Gevers
Hi all, Just in case somebody starts working on it, I'd like to review proposed uploads of cacti to LTS. CVE-2016-2313 was initially wrongly fixed (a sledgehammer for a simple nail). CVE-2016-3659 still needs reproducing in Debian and a check if the fix by a contributor in the upstream bug report

Re: Wiki update LTS/Using and EOL announcement

2016-02-29 Thread Paul Gevers
Hi Markus, On 29-02-16 21:56, Markus Koschany wrote: > If it helps I could remove the "Debian 7 Wheezy" part and write > "we recommend that you upgrade your systems". That fully resolves the issue I was having with the text. Paul

Re: Wiki update LTS/Using and EOL announcement

2016-02-29 Thread Paul Gevers
Hi Markus, On 29-02-16 20:25, Matus UHLAR - fantomas wrote: > you only can upgrade to wheezy directly. upgrade across versions is not > supported. I know, but that is not what I meant. I meant (and wrote), upgrade via wheezy. Paul

Re: Wiki update LTS/Using and EOL announcement

2016-02-29 Thread Paul Gevers
Hi Markus, On 29-02-16 12:35, Markus Koschany wrote: > We recommend that you upgrade your systems to Debian 7 "Wheezy". /me wonders, do we really recommend that? I would say we recommend our users to upgrade to the current stable (via Wheezy), no? And wheezy-lts is there for those that can't or w

Re: squeeze update of chrony?

2016-02-09 Thread Paul Gevers
Hi Vincent, On 08-02-16 18:23, Vincent Blut wrote: > That’s the plan, yes. By the way, I’ll contact you in the next few days > to review 2.2.1-1 which is mostly ready. Ok. Please be aware that I might not be able to act on the review this week. >> And although this vulnerability is tagged as no-

Re: squeeze update of chrony?

2016-02-04 Thread Paul Gevers
Hi Vincent, On 05-02-16 01:56, Vincent Blut wrote: > +chrony (1.24-3+squeeze3) squeeze-lts; urgency=medium > + > + * Fix CVE-2016-1567: retrict authentication of server/peer > + to specified key I suggest you close bug 812923 in the changelog. The bts is smart enough to tra

Re: Fwd: [SECURITY] [DLA 381-1] dbconfig-common security update

2016-01-15 Thread Paul Gevers
arg, I just notice my screw up... I didn't reserve 381-1, but 390-1. Is that a reason to reject the mail? (I must stop with using "git svn" on the security archive.) Paul On 15-01-16 14:23, Paul Gevers wrote: > Hi, > > Just in case my message doesn't get throug

Fwd: [SECURITY] [DLA 381-1] dbconfig-common security update

2016-01-15 Thread Paul Gevers
Date: Fri, 15 Jan 2016 14:07:39 +0100 From: Paul Gevers To: debian-lts-annou...@lists.debian.org Package: dbconfig-common Version: 1.8.46+squeeze.1 CVE ID : NA Debian Bug : 805638 It was discovered that dbconfig-common could, depending on the local umask, make Postg

Re: another squeeze cacti update?

2016-01-10 Thread Paul Gevers
Hi all, On 09-01-16 13:45, Paul Gevers wrote: > After I take care of wheezy and jessie debdiff's I can take care of this > in squeeze myself, but I don't mind if somebody beats me to it. But > please use the attached patches or discuss why they are not good enough. Plea

Re: another squeeze cacti update?

2016-01-09 Thread Paul Gevers
n the host_new_graphs_save function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via crafted serialized data in the selected_graphs_array parameter in a save action. Author: Chris Lamb and Paul Gevers Bug: http://bugs.cacti.

Re: Accepted cacti 0.8.7g-1+squeeze9+deb6u13 (source all) into squeeze-lts

2016-01-05 Thread Paul Gevers
Hi Chris, On 05-01-16 00:23, Chris Lamb wrote: >> To be honest, I would have expected you would have shared your fix >> somewhere, e.g. also in a regular bug against cacti such that the >> (old)stable releases could more easily see/use the patch. > > I will happily add it to your bug tracker as

Re: Accepted cacti 0.8.7g-1+squeeze9+deb6u13 (source all) into squeeze-lts

2016-01-04 Thread Paul Gevers
Hi Chris, On 04-01-16 13:20, Chris Lamb wrote: > cacti (0.8.7g-1+squeeze9+deb6u13) squeeze-lts; urgency=high > . >* Correct yet another regression in patch for CVE-2015-8369, introduced in > 0.8.7g-1+squeeze9+deb6u12. Thanks to Marcel Meckel > (Closes: #809260, #807599) Apart fro

Re: squeeze update of cacti?

2015-12-16 Thread Paul Gevers
Hi Chris, On 15-12-15 15:11, Chris Lamb wrote: >>> Just to clarify what's needed here - are you part of Debian LTS? >> >> What a difficult question to answer straight. Yes and no. Yes, I lurk on >> this e-mail list, yes, I have the intention to take care of "my" own >> packages as said multiple ti

Re: squeeze update of cacti?

2015-12-14 Thread Paul Gevers
Hi Chris, On 14-12-15 11:32, Chris Lamb wrote: >>> Please don't, upstream already has a patch in SVN¹, but didn't mark the >>> bug (I just did). >> >> Please find attached the debdiff that I could come up with from my work >> on sid, jessie and wheezy. It isn't tested yet (I don't have a suitable

Re: squeeze update of cacti?

2015-12-13 Thread Paul Gevers
Hi all, On 12-12-15 13:41, Paul Gevers wrote: > Please don't, upstream already has a patch in SVN¹, but didn't mark the > bug (I just did). Please find attached the debdiff that I could come up with from my work on sid, jessie and wheezy. It isn't tested yet (I don't

Re: squeeze update of cacti?

2015-12-12 Thread Paul Gevers
Hi Chris, On 11-12-15 15:23, Chris Lamb wrote: Would you like to take care of this yourself? >>> >>> Once there is a fix, yes, although I don't know about my availability, >>> so I don't mind if the lts project takes care of it. > > I was actually going to have a look at this this evening an

Re: squeeze update of cacti?

2015-12-11 Thread Paul Gevers
Hi On 11-12-15 10:50, Guido Günther wrote: > the Debian LTS team would like to fix the security issues which are > currently open in the Squeeze version of cacti: > https://security-tracker.debian.org/tracker/CVE-2015-8369 Me too, but upstream hasn't even released a fix yet. > Would you like to

Re: cacti, mysql-5.5 and squeeze-lts

2015-11-30 Thread Paul Gevers
Hi Santiago, On 30-11-15 21:36, Santiago Ruano Rincón wrote: > El 30/11/15 a las 19:56, Paul Gevers escribió: >> So you confirm that the new ENGINE syntax is already supported in mysql-5.1? > > Yes. Confirmed by MySQL documentation Yeah, great. Then there is no issue at all wit

Re: cacti, mysql-5.5 and squeeze-lts

2015-11-30 Thread Paul Gevers
Hi Santiago [Dropping Mahyuddin from CC as promised] On 30-11-15 10:11, Santiago Ruano Rincón wrote: > Well, I have installed cacti from the attached debdiff and available at > my personal repo [1]. I think there are some spurious changes that you included this way. I.e. adding new fields to the

Re: cacti, mysql-5.5 and squeeze-lts

2015-11-27 Thread Paul Gevers
Hi Santiago, On 27-11-15 08:53, Santiago Ruano Rincón wrote: > Paul, you have suggested the changes to be made on cacti to make it > compatible with mysql-5.5. Paul or Mahyuddin, would you like to provide > a package with those changes for squeeze-lts? If that is not the case, I > could take care

Re: squeeze update of dbconfig-common?

2015-11-25 Thread Paul Gevers
Hi On 25-11-15 22:19, Ben Hutchings wrote: > the Debian LTS team would like to fix the security issues which are > currently open in the Squeeze version of dbconfig-common: > https://security-tracker.debian.org/tracker/TEMP-0805638-5AC56F O, I didn't know they made an issue out of it. > Would yo

Re: Testing mysql-5.5 on squeeze

2015-10-30 Thread Paul Gevers
Hi all, I am not really going to do any of this work for mysql-5.5, but... On 30-10-15 17:11, Raphael Hertzog wrote: > And this gives more ideas of things to verify: test install all packages > depending on dbconfig-common and offering mysql support. If there are any questions related to what db

Re: Accepted cacti 0.8.7g-1+squeeze8 (source all) into squeeze-lts

2015-07-20 Thread Paul Gevers
On 20-07-15 15:58, Raphael Hertzog wrote: > Don't forget to send a DLA mail to debian-lts-annou...@lists.debian.org. I didn't. > If you did so already, then it did not get through. Indeed. I thought I checked after the first e-mail, but apparently that was only a thought-experiment. Paul sig

Re: squeeze update of cacti?

2015-07-16 Thread Paul Gevers
Hi, On 16-07-15 20:40, Ben Hutchings wrote: > Would you like to take care of this yourself? Yes. There are probably more CVE's involved, although they are not assigned yet. I am already communicating with the security team about this. Paul

Re: cacti 0.8.7g-1+squeeze6

2015-06-26 Thread Paul Gevers
Hi all, On 25-06-15 22:50, Paul Gevers wrote: > Hi all, > > I intend to upload cacti 0.8.7g-1+squeeze6 soon (tomorrow, hopefully). > However, due to differences in the mysql version I am not able to test > the changes easily myself. I will try to upload the package to some > lo

cacti 0.8.7g-1+squeeze6

2015-06-25 Thread Paul Gevers
s.php. +- Unassigned CVE SQL injection VN:JVN#78187936 / TN:JPCERT#98968540 + + -- Paul Gevers Tue, 23 Jun 2015 21:22:55 +0200 + cacti (0.8.7g-1+squeeze5) squeeze-lts; urgency=high * Fix regression caused by fixing CVE-2014-4002 at least plugin autom8 diff -u cacti-0.8.7g/debian/patches/s

Re: [debian-lts] file package

2015-02-19 Thread Paul Gevers
Hi LTS list, On 19-02-15 08:38, Christoph Biedl wrote: > Thanks for that, given the past experiences with regressions > introduced in file updates I'd really like to keep an eye on it. Just an idea, couldn't we track somewhere which maintainers have expressed their ideas about LTS? I.e. it should

Fwd: cacti security update

2014-07-14 Thread Paul Gevers
Hi all, On 5 July, I sent the attached security update to the announce list. It seems to have never reached that list. Could somebody enlighten me and tell me what I did wrong? Paul --- Begin Message --- Package: cacti Version: 0.8.7g-1+squeeze4 CVE ID : CVE-2014-2326 CVE-