Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
On 2017-10-31 15:45:31, Raphael Hertzog wrote:
> On Tue, 31 Oct 2017, Antoine Beaupré wrote:
>> I'll take care of it then. Should I just reuse the old DLA id? Or
>> simply mention the old DLA id in the announcement? Or mention all the
>> CVEs fixed in the old DLA in the new DLA?
>>
>> Not actually sure how to merge this. :)
>
> You prepare your DLA like usual but then you also document the CVE
> fixed by the old DLA in the mail sent to debian-lts-announce. But when
> you generate your template with bin/gen-DLA you only pass the newly fixed
> CVE (to not fix the same CVE twice in data/DLA/list).

Excellent, this will come out this afternoon once the package is accepted.

A.

--
A genius is someone who discovers that the stone that falls and the moon that doesn't fall represent one and the same phenomenon.
- Ernesto Sabato
Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
On Tue, 31 Oct 2017, Antoine Beaupré wrote:
> I'll take care of it then. Should I just reuse the old DLA id? Or
> simply mention the old DLA id in the announcement? Or mention all the
> CVEs fixed in the old DLA in the new DLA?
>
> Not actually sure how to merge this. :)

You prepare your DLA like usual but then you also document the CVE fixed by the old DLA in the mail sent to debian-lts-announce. But when you generate your template with bin/gen-DLA you only pass the newly fixed CVE (to not fix the same CVE twice in data/DLA/list).

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
On 2017-10-31 14:13:13, Raphael Hertzog wrote:
> On Tue, 31 Oct 2017, Antoine Beaupré wrote:
>> > Please send it again and add a small sentence explaining that you are sending an
>> > old advisory that never made it to the list... IOW if you expect
>> > confusion, add an explanation to clear it up.
>>
>> I will be looking at a GM update later today - should I merge that
>> announcement in?
>
> That also works, sure.

I'll take care of it then. Should I just reuse the old DLA id? Or simply mention the old DLA id in the announcement? Or mention all the CVEs fixed in the old DLA in the new DLA?

Not actually sure how to merge this. :)

A.

--
If you have come here to help me, you are wasting our time. But if you have come because your liberation is bound up with mine, then let us work together.
- Aboriginal activists group, Queensland, 1970s
Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
On Tue, 31 Oct 2017, Antoine Beaupré wrote:
> > Please send it again and add a small sentence explaining that you are sending an
> > old advisory that never made it to the list... IOW if you expect
> > confusion, add an explanation to clear it up.
>
> I will be looking at a GM update later today - should I merge that
> announcement in?

That also works, sure.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
On 2017-10-31 11:56:31, Raphael Hertzog wrote:
> Hi,
>
> On Sat, 28 Oct 2017, Brian May wrote:
>> I didn't realize until after I uploaded the newer version associated
>> with DLA-1140-1. So I tried sending DLA-1130-1 again, followed by
>> DLA-1140-1.
>>
>> Unfortunately DLA-1140-1 made it to the list, but DLA-1130-1 still
>> didn't. I am concerned that if I send DLA-1130-1 now that DLA-1140-1 has been
>> published it would cause confusion.
>
> Please send it again and add a small sentence explaining that you are sending an
> old advisory that never made it to the list... IOW if you expect
> confusion, add an explanation to clear it up.

I will be looking at a GM update later today - should I merge that announcement in?

> But not sending the announce is not a good option IMO. FWIW checking that the
> announce went through is part of my routine for each DLA.

Agreed. What I do is keep the DLA template in my secure-testing SVN checkout after I send it, and leave it there until I have verified it shows up in the archives. (Or that I received it, but my email client (notmuch) strangely makes that quite difficult, as it deduplicates multiple messages with the same message ID, so I can't really tell if I actually received my own messages! That will fortunately be fixed in the 0.26 release though...)

A.

--
There is no limit, sacred or otherwise, to man's action in the universe. Since our origins we have had the choice: to be blinded by the truth or to sew our eyelids shut.
- [no one is innocent]
Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
Hi,

On Sat, 28 Oct 2017, Brian May wrote:
> I didn't realize until after I uploaded the newer version associated
> with DLA-1140-1. So I tried sending DLA-1130-1 again, followed by
> DLA-1140-1.
>
> Unfortunately DLA-1140-1 made it to the list, but DLA-1130-1 still
> didn't. I am concerned that if I send DLA-1130-1 now that DLA-1140-1 has been
> published it would cause confusion.

Please send it again and add a small sentence explaining that you are sending an old advisory that never made it to the list... IOW if you expect confusion, add an explanation to clear it up.

But not sending the announce is not a good option IMO. FWIW checking that the announce went through is part of my routine for each DLA.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
Antoine Beaupré writes:
> Somehow the DLA-1130-1 that was associated with this upload never made
> it to the mailing list archive here:

Yes, I commented on that in a recent email.

I didn't realize until after I uploaded the newer version associated with DLA-1140-1. So I tried sending DLA-1130-1 again, followed by DLA-1140-1.

Unfortunately DLA-1140-1 made it to the list, but DLA-1130-1 still didn't. I am concerned that if I send DLA-1130-1 now that DLA-1140-1 has been published it would cause confusion.
--
Brian May
Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
On 2017-10-27 19:05:07, Hugo Lefeuvre wrote:
> Hi Antoine, Brian,
>
>> Somehow the DLA-1130-1 that was associated with this upload never made
>> it to the mailing list archive here:
>>
>> https://lists.debian.org/debian-lts-announce/2017/10/
>>
>> I also didn't receive a copy, so I suspect it was never sent.
>>
>> A.
>>
>> PS: I realized this while reviewing my own announcements - it seems I
>> failed to send DLA-1144-1 myself... maybe we need better mechanisms to
>> catch those?
>
> Same for me, I had to send DLA 1133-1 three times before it reached the
> list. As if the server were silently rejecting my emails. I wouldn't
> have noticed it without Ola's help.

My email finally got through today. According to #debian-lists, there was an issue with the signature verification software, which was fixed yesterday. In my case, I also previously had issues because I added a new signing subkey that took some time to propagate across Debian's infrastructure.

The main issue is that we currently have no way of noticing when a number is skipped. It would be nice to automate this stuff somehow, yet I can't quite think of how... Maybe by adding (signed) DLA files themselves into the security tracker and having *that* send out the announcements?

A.

--
That's one of the remarkable things about life: it's never so bad that it can't get worse.
- Calvin
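An added example, not code from this thread or from the security tracker, of the two checks the thread talks about: Raphaël's rule that bin/gen-DLA is given only the newly fixed CVEs so no CVE is recorded twice in data/DLA/list, and Antoine's wish to notice when a DLA number never made it to the debian-lts-announce archive. The data/DLA/list layout and the archive subject format are assumed; the entries, dates, the CVE-to-DLA assignment and the "somepkg" package are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the security tracker's data/DLA/list
# (layout assumed from memory; DLA and CVE ids come from the thread, the
# CVE-to-DLA assignment, dates and the "somepkg" package are invented).
DLA_LIST = """\
[10 Oct 2017] DLA-1130-1 graphicsmagick - security update
\t{CVE-2017-14103 CVE-2017-14314 CVE-2017-14504}
[27 Oct 2017] DLA-1140-1 graphicsmagick - security update
\t{CVE-2017-14733 CVE-2017-14994}
[28 Oct 2017] DLA-1144-1 somepkg - security update
\t{CVE-2017-14994 CVE-2017-14997}
"""
# Constructed subjects as seen in the debian-lts-announce archive; only
# some of the DLAs above actually made it to the list.
ARCHIVE_SUBJECTS = [
    "[SECURITY] [DLA 1133-1] somepkg security update",
    "[SECURITY] [DLA 1140-1] graphicsmagick security update",
]
HEADER_RE = re.compile(r"^\[[^\]]+\] (DLA-\d+-\d+) (\S+) - ")
CVES_RE = re.compile(r"^\t\{([^}]*)\}")
SUBJECT_RE = re.compile(r"\[DLA (\d+-\d+)\]")

def parse_dla_list(text):
    """Return {dla_id: (package, set_of_cves)} from data/DLA/list text."""
    entries, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:                       # new advisory header
            current = m.group(1)
            entries[current] = (m.group(2), set())
            continue
        m = CVES_RE.match(line)
        if m and current:           # tab-indented {CVE ...} line
            entries[current][1].update(m.group(1).split())
    return entries

def unannounced(entries, subjects):
    """DLA ids in the list whose announcement never reached the archive."""
    seen = {"DLA-" + m.group(1) for m in map(SUBJECT_RE.search, subjects) if m}
    return sorted(d for d in entries if d not in seen)

def duplicate_cves(entries):
    """CVEs claimed by more than one DLA (what gen-DLA's new-CVE-only rule avoids)."""
    by_cve = defaultdict(list)
    for dla, (_, cves) in entries.items():
        for cve in cves:
            by_cve[cve].append(dla)
    return {c: sorted(d) for c, d in by_cve.items() if len(d) > 1}
```

On the constructed data, unannounced() flags DLA-1130-1 and DLA-1144-1 and duplicate_cves() flags CVE-2017-14994 as listed under two advisories.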
Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
Hi Antoine, Brian,

> Somehow the DLA-1130-1 that was associated with this upload never made
> it to the mailing list archive here:
>
> https://lists.debian.org/debian-lts-announce/2017/10/
>
> I also didn't receive a copy, so I suspect it was never sent.
>
> A.
>
> PS: I realized this while reviewing my own announcements - it seems I
> failed to send DLA-1144-1 myself... maybe we need better mechanisms to
> catch those?

Same for me, I had to send DLA 1133-1 three times before it reached the list. As if the server were silently rejecting my emails. I wouldn't have noticed it without Ola's help.

Cheers,
Hugo

--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA
Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
Somehow the DLA-1130-1 that was associated with this upload never made it to the mailing list archive here:

https://lists.debian.org/debian-lts-announce/2017/10/

I also didn't receive a copy, so I suspect it was never sent.

A.

PS: I realized this while reviewing my own announcements - it seems I failed to send DLA-1144-1 myself... maybe we need better mechanisms to catch those?

--
All governments are run by liars and nothing they say should be believed.
- I. F. Stone
Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
Format: 1.8
Date: Tue, 10 Oct 2017 17:57:27 +1100
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick3 libgraphicsmagick1-dev libgraphicsmagick++3 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.16-1.1+deb7u10
Distribution: wheezy-security
Urgency: high
Maintainer: Daniel Kobras
Changed-By: Brian May
Description:
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick++3 - format-independent image processing - C++ shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
 libgraphicsmagick3 - format-independent image processing - C shared library
Changes:
 graphicsmagick (1.3.16-1.1+deb7u10) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * Fix CVE-2017-14103: The ReadJNGImage and ReadOneJNGImage functions in
     coders/png.c did not properly manage image pointers after certain error
     conditions.
   * Fix CVE-2017-14314: heap-based buffer over-read in DrawDashPolygon()
 .
   * Fix CVE-2017-14504: NULL pointer dereference triggered by malformed file.
   * Fix CVE-2017-14733: Ensure we detect alpha images with too few colors.
   * Fix CVE-2017-14994: DCM_ReadNonNativeImages() can produce image list with
     no frames, resulting in null image pointer.
   * Fix CVE-2017-14997: unsigned underflow leading to astonishingly large
     allocation request.