Re: Bug#961654: buster-pu: package bzip2/1.0.6-9.2~deb10u1

2022-09-16 Thread Santiago R.R.
On 16/09/22 at 09:39, Emilio Pozuelo Monfort wrote: > Hi Santiago, > > On 15/09/2022 09:52, Emilio Pozuelo Monfort wrote: > > On 14/09/2022 15:42, Santiago R.R. wrote: > > > On 14/09/22 at 13:58, Emilio Pozuelo Monfort wrote: > > > > On 13/

Re: Bug#961654: buster-pu: package bzip2/1.0.6-9.2~deb10u1

2022-09-14 Thread Santiago R.R.
On 14/09/22 at 13:58, Emilio Pozuelo Monfort wrote: > On 13/09/2022 16:46, Sylvain Beucler wrote: > > Hi, > > > > IIUC this is about fixing 2 non-security bugs, that were introduced > > prior to buster's initial release. > > > > I personally don't think this fits the LTS project scope. > >

Re: Bug#961654: buster-pu: package bzip2/1.0.6-9.2~deb10u1

2022-09-13 Thread Santiago R.R.
Hi, On 10/09/22 at 19:11, Adam D. Barratt wrote: > On Wed, 2020-05-27 at 11:56 +0200, Santiago R.R. wrote: > > Since 1.0.6-9, bzip2 was built without the -D_FILE_OFFSET_BITS=64 > > CPPFLAG, and so it's not able to handle > 2GB files in 32-bit archs. > > See ht

My Debian LTS activities in November 2018

2018-12-07 Thread Santiago R.R.
Hi, Last November I spent 12 hours on Debian LTS under the Freexian umbrella. I continued the work on qemu and released [DLA-1599-1]. Thanks to Lucas and Hugo for reviewing and testing! [DLA-1599-1] https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html I am still carrying six hours

Re: QEMU in Jessie: call for testers

2018-11-24 Thread Santiago R.R.
On 24/11/18 at 10:46, Hugo Lefeuvre wrote: > > > > > I have prepared a preliminary package for qemu to fix most of > > > > > currently > > > > > open CVEs (among those that have a patch or have been fixed in > > > > > stretch). > > > > > I would be glad if someone could give it a try. It is

QEMU in Jessie: call for testers

2018-11-21 Thread Santiago R.R.
Hi there, I have prepared a preliminary package for qemu to fix most of currently open CVEs (among those that have a patch or have been fixed in stretch). I would be glad if someone could give it a try. It is found in the usual place: deb https://people.debian.org/~santiago/debian santiago-je

Re: unclaiming packages claimed for 3 weeks or more (Re: november report)

2018-11-20 Thread Santiago R.R.
Hi, On 20/11/18 at 16:17, Holger Levsen wrote: > Hi, > > On Mon, Nov 19, 2018 at 06:50:16PM -0500, Antoine Beaupré wrote: > > Automatic unclaimer > > --- > > > > After an internal discussion about work procedures, a friend pointed me > > at the [don't lick the cookie][6] ar

My Debian LTS activities in October 2018

2018-11-09 Thread Santiago R.R.
Hi, In October 2018 I had available 28 hours --that I am carrying from previous months-- to work on Debian LTS under the Freexian umbrella. I spent ten of them in the following: * dnsruby: finished the work and released [DLA 1542-1]. * clamav: released [DLA 1553-1] to update the package to the ne

Re: My Debian LTS activities in September 2018

2018-10-17 Thread Santiago R.R.
(Resending since archive was not working. Sorry for the noise) On 10/10/18 at 09:06, Santiago R.R. wrote: > Hi, > > The last month of September I spent four hours only from the 32 I had > available to work on Debian LTS under the Freexian initiative: > > * openssh: re

My Debian LTS activities in September 2018

2018-10-10 Thread Santiago R.R.
Hi, The last month of September I spent four hours only from the 32 I had available to work on Debian LTS under the Freexian initiative: * openssh: released [DLA 1500-2] to fix a regression from my previous upload. Thanks to Salvatore. * Checked for DNS(SEC)-related packages that required to be

My Debian LTS activities in August 2018

2018-09-10 Thread Santiago R.R.
Hi, Last August I had 20 available hours to work on Debian LTS under the Freexian initiative, but I was only able to spend eight of them: * clamav: released [DLA 1461-1](https://lists.debian.org/debian-lts-announce/2018/08/msg00020.html) that packages the new upstream release and fixes two CVEs.

Bug#907887: dnsmasq: Update root DNSSEC trust anchor in stretch and jessie

2018-09-03 Thread Santiago R.R.
Source: dnsmasq Version: 2.72-3+deb8u2 Severity: important Tags: patch Hi Simon, The DNS Root Key Signing Key (KSK) Rollover is scheduled for 11 October 2018 [1]. After this date, DNS resolvers will need to have the new key (KSK-2017) to perform DNSSEC validation. [1] https://www.icann.org/news/

My Debian LTS activities in July 2018

2018-08-10 Thread Santiago R.R.
Hi, Last July I spent the 17.5 I had available to work on Debian LTS under the Freexian initiative. I finished the work on, and released the DLA of: * ruby2.1: DLA 1421-1 https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html * libidn: DLA 1447-1 https://lists.debian.org/debian-lts

Re: src:wpa overlap in Debian LTS?

2018-08-10 Thread Santiago R.R.
On 10/08/18 at 10:20, Chris Lamb wrote: > Holger Levsen wrote: > > […] > > of that page and then I found the entry where it describes how to claim > > a DLA, which I did, thinking this would be visible enough (and maybe > > automatically put an entry into dla-needed.txt.) > > It would not b

Re: Jessie update of clamav?

2018-07-20 Thread Santiago R.R.
On 19/07/18 at 20:59, Mike Gabriel wrote: > Hi all, > > On Do 19 Jul 2018 21:18:13 CEST, Sebastian Andrzej Siewior wrote: > > > On 2018-07-19 17:06:30 [+0200], Mike Gabriel wrote: > > > The Debian LTS team would like to fix the security issues which are > > > currently open in the Jessie v

My Debian LTS activities in June 2018

2018-07-11 Thread Santiago R.R.
Hi, Sorry for being late with my report. I had available 15 hours in total to work on Debian LTS under the Freexian initiative, but I was only able to spend 5.5 of them. I started working on qemu, which has a long list of open issues, and I am continuing the work this month. Thanks for using and

qemu in jessie

2018-06-30 Thread Santiago R.R.
Dear security team, I am working on the jessie package of qemu (the first time I work on it), and I notice it hasn't been updated in jessie since May 2017. There were various stretch updates since then, and I wonder if the reason why jessie wasn't updated was mainly lack of time/resources, or is t

My Debian LTS activities in May 2018

2018-06-10 Thread Santiago R.R.
Hi, The last month of May, Freexian assigned me eight hours to work on Debian LTS, but I was able to use only one. During that hour, I started to work on the libidn upload for jessie (and stretch). I am carrying to this month the remaining hours. I hope I will be able to spend them. Thanks for us

My Debian LTS activities in April 2018

2018-05-09 Thread Santiago R.R.
Hi, In April 2018 I got assigned eight hours to work on Debian LTS by the Freexian initiative. It was more ruby fun: * After having some feedback (thanks to Gabriel Filion!), I finished the work on ruby1.9.1 and issued [DLA 1358-1]. * Triaged missing issues in ruby1.8, and issued the correspond

Re: wheezy-security (LTS) libclamav7's version is newer than jessie's

2018-05-04 Thread Santiago R.R.
posed-updates and will only be in the main > > > repository after the next (final?) point release. > > On 04.05.18 09:42, Santiago R.R. wrote: > > Just FTR, 0.99.4+dfsg-1+deb8u1 was also in proposed updates: > > https://tracker.debian.org/news/937695/accepted-clamav-0994dfsg-1

Re: wheezy-security (LTS) libclamav7's version is newer than jessie's

2018-05-04 Thread Santiago R.R.
On 04/05/18 at 09:20, Raphael Hertzog wrote: > Hello Marc, > > On Thu, 03 May 2018, Marc SCHAEFER wrote: > > Probably that a downgrade of the clamav suite would solve the problem; > > however > > there is something wrong in the coherency between wheezy LTS and jessie, > > don't > > you thi

Re: ruby1.9.1 test packages for wheezy

2018-04-25 Thread Santiago R.R.
On 24/04/18 at 11:40, Gabriel Filion wrote: > On 2018-04-22 04:20 PM, Santiago R.R. wrote: > > On 19/04/18 at 18:07, Gabriel Filion wrote: > >> Hi there, > >> > >> I've run a test on our setup here after getting a poke from Antoine. >

Re: ruby1.9.1 test packages for wheezy

2018-04-22 Thread Santiago R.R.
On 19/04/18 at 18:07, Gabriel Filion wrote: > Hi there, > > I've run a test on our setup here after getting a poke from Antoine. > > I'm not sure that the test is actually conclusive of anything though.. > basically, it still works for us but that's probably because of how > things are setu

Re: ruby1.9.1 test packages for wheezy

2018-04-18 Thread Santiago R.R.
On 18/04/18 at 09:14, Antoine Beaupré wrote: > On 2018-04-18 12:47:52, Santiago R.R. wrote: > > Hi Antoine! > > > > On 17/04/18 at 11:58, Antoine Beaupré wrote: > >> Also, after talking with my old colleagues, I just realized that they > >> mi

Re: ruby1.9.1 test packages for wheezy

2018-04-18 Thread Santiago R.R.
Hi Antoine! On 17/04/18 at 11:58, Antoine Beaupré wrote: > Also, after talking with my old colleagues, I just realized that they > might be using Ruby 1.8 and not 1.9.1. It seems we have triaged those > out of the picture, but maybe all 1.8 packages are affected by a bunch > of those issues

ruby1.9.1 test packages for wheezy

2018-04-10 Thread Santiago R.R.
Hi, I have uploaded test packages of ruby1.9.1 to my personal repo: deb https://people.debian.org/~santiago/debian santiago-wheezy-security/ deb-src https://people.debian.org/~santiago/debian santiago-wheezy-security/ It would be great to have feedback from it, especially because: This p

Re: rubygems / CVE-2018-1000074

2018-04-10 Thread Santiago R.R.
On 10/04/18 at 17:59, Brian May wrote: > Hello Santiago, > > Just wondering if there was any reason for not fixing CVE-2018-1000074 > in DLA 1336-1? Hi Brian, As I said in a previous mail, I think it is a not-so-severe issue (the user has to run the `gem owner` command for being exploitabl

My Debian LTS activities in March 2018

2018-04-10 Thread Santiago R.R.
Hi, Last month of March, I had 12 hours to spend in the Debian LTS project under the Freexian umbrella. This is what I did: * Finished the work about clamav * curl: I released [DLA 1309-1] that fixed CVE-2018-1000120, CVE-2018-1000121 and CVE-2018-1000122. * jruby, rubygems and ruby1.9.1: I upl

Re: CVE-2018-1000074: rubygems, jruby & ruby1.9.11

2018-04-02 Thread Santiago R.R.
On 02/04/18 at 10:13, Chris Lamb wrote: > Hi Santiago, > > > I have been unable to confirm the versions of these packages are > > affected by CVE-2018-1000074 and CVE-2018-179 > > re. CVE-2018-1000074, it seems fairly clear. For example, here is jruby's > lib/ruby/site_ruby/1.8/rubygems

Re: CVE-2018-1000074: rubygems, jruby & ruby1.9.11

2018-04-02 Thread Santiago R.R.
Hi Chris, On 02/04/18 at 08:55, Chris Lamb wrote: > Hi Santiago, > > I just triaged rubygems & jruby for wheezy re. CVE-2018-1000074 and > noticed that ruby1.9.1 is also vulnerable. You still have this latter > package reserved in dla-needed.txt since March 18th. I have been unable to conf

Re: Clamav test packages for wheezy

2018-03-14 Thread Santiago R.R.
On 13/03/18 at 21:03, Hugo Lefeuvre wrote: > Hi Santiago, > > I've installed your test packages in a wheezy vm and tested the > following features: > > * Install: OK > * Updating virus definitions: OK (everything was up to date, which is > the expected behavior after an update I guess) >

Clamav test packages for wheezy

2018-03-13 Thread Santiago R.R.
Hi, I have prepared test packages of clamav, available at: deb https://people.debian.org/~santiago/debian santiago-wheezy-security/ deb-src https://people.debian.org/~santiago/debian santiago-wheezy-security/ Feedback is always welcome! -- Santiago

My Debian LTS activities in February 2018

2018-03-09 Thread Santiago R.R.
Hi, In the previous month I resumed my activities in the LTS Team, under the Freexian initiative. I got assigned eight hours. I was finally able to work six and I am carrying the rest for this month. * suricata: I checked CVE-2018-6794, but after reproducing it, I chose to follow security-team

Re: [Pkg-clamav-devel] Wheezy update of clamav?

2018-03-09 Thread Santiago R.R.
Hi, On 02/03/18 at 23:36, Sebastian Andrzej Siewior wrote: > On 2018-03-02 02:19:04 [+], Scott Kitterman wrote: > > Conveniently, upstream just released 0.99.4 that addresses this and some > > other issues. I'd suggest you let us get that into stable/oldstable first. > > I will try to

Re: upload leptonlib

2018-02-27 Thread Santiago R.R.
On 26/02/18 at 10:55, Jeff Breidenbach wrote: > >Was upstream's position also to remove those binaries? > > Yes. > > >Upstream was unable to provide a patch? > > Yes. Upstream decided that it was not worth the time to make a patch. > > Leptonica is a large image processing library. It als

Re: upload leptonlib

2018-02-23 Thread Santiago R.R.
On 23/02/18 at 10:08, Jeff Breidenbach wrote: > >So these files should be also removed from the package in wheezy and jessie? > > Yes. Sorry if my previous message was maybe too brief. It is not common to remove a file from the packages of a released debian suite. I find it surprising that

Re: upload leptonlib

2018-02-23 Thread Santiago R.R.
Security team: sorry for the lack of context in the message. Please see https://lists.debian.org/debian-lts/2018/02/msg00054.html and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830660 On 22/02/18 at 22:35, Jeff Breidenbach wrote: >These binaries were removed in #830660. >>$ st

Re: [Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add librsvg to dla-needed.txt

2018-02-11 Thread Santiago R.R.
On 11/02/18 at 18:16, Markus Koschany wrote: > Markus Koschany pushed to branch master at Debian Security Tracker / > security-tracker > > Commits: > > • f8aa9d3d > by Markus Koschany at 2018-02-11T19:16:41+01:00 > > Add librsvg to dla-needed.txt > Hi Markus, The information I

Re: asterisk support

2016-11-23 Thread Santiago R.R.
Hi, On 23/11/16 at 18:02, Brian May wrote: > Hello, > > I noticed that Asterisk was marked EOL for Debian squeeze; just wondered > what the reasons were, and if these reasons apply to wheezy? Not sure about the reasons for squeeze, but Thorsten has already handled one upload for wheezy. Yo

My Debian LTS activities in July 2016

2016-08-17 Thread Santiago R.R.
Hi, For July 2016, I had in total 25.95 paid hours available (including those spare from previous months) to work on Debian LTS via the Freexian umbrella. However, I was only able to use 14. This is partially what I have done: * Helped to test the apache2 package prepared and uploaded by Salvator

Re: Wheezy and jessie updates of lighttpd

2016-08-02 Thread Santiago R.R.
On 02/08/16 at 10:11, Sébastien Delafond wrote: > On Aug/01, Santiago R.R. wrote: > > Please, find attached debdiffs to mitigate this in wheezy (that I plan > > to upload) and jessie. I have tested it with a python cgi taken from > > httpoxy's PoCs, and it seems t

Wheezy and jessie updates of lighttpd

2016-08-01 Thread Santiago R.R.
18:01:58.0 +0200 @@ -1,3 +1,12 @@ +lighttpd (1.4.31-4+deb7u5~1) santiago-wheezy; urgency=medium + + * Non-maintainer upload by the Debian LTS Team. + * Fix CVE-2016-1000212: Mitigate HTTPoxy vulnerability. + * Add buffer_is_equal_caseless_string.patch + * Add mitigate-httpoxy-779c133c16f9af168b0
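Review bot: the new changelog stanza targets the distribution santiago-wheezy with version 1.4.31-4+deb7u5~1, which are test-repository values; for the actual LTS upload the distribution should be wheezy-security and the ~1 suffix dropped so the version reads 1.4.31-4+deb7u5. The "Add buffer_is_equal_caseless_string.patch" item also gives no reason for the extra patch; one line saying how it relates to the HTTPoxy mitigation would make the entry self-explanatory.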

Debconf16 LTS BoF - Summary

2016-07-28 Thread Santiago R.R.
Hi, This is a summary of the Debian LTS BoF, held during Debconf 16. Full gobby text can be found at https://gobby.debian.org/export/debconf16/bof/debian-lts I have also added the TODO items to https://wiki.debian.org/LTS/TODO 1. Process to dispatch frontdesk duties The last manual and auto-

MySQL-5.5 packages to test

2016-07-27 Thread Santiago R.R.
Hi there, A new mysql-5.5 package from last upstream release is available for test at my personal repository: deb https://people.debian.org/~santiago/debian santiago-wheezy/ deb-src https://people.debian.org/~santiago/debian santiago-wheezy/ Any feedback is always welcome. Cheers, Santiago

My Debian LTS activities in February 2016

2016-03-05 Thread Santiago R.R.
Hello everybody, From the 13.50 hours that I had available in the last February, sponsored through Freexian, I spent twelve on the following: * cpio: I uploaded the package that fixes CVE-2016-2037. See [DLA 415-1](https://lists.debian.org/debian-lts-announce/2016/02/msg7.html). * gtk+2.0: