Re: [SECURITY] [DSA 4371-1] apt security update

2019-01-22 Thread Steve McIntyre
On Tue, Jan 22, 2019 at 01:44:12PM +, Ben Hutchings wrote: >On Tue, 2019-01-22 at 13:17 +0100, Yves-Alexis Perez wrote: >> - >> Debian Security Advisory DSA-4371-1 secur...@debian.org >>

Re: [SECURITY] [DSA 4371-1] apt security update

2019-01-22 Thread Moritz Muehlenhoff
On Tue, Jan 22, 2019 at 01:44:12PM +, Ben Hutchings wrote: > On Tue, 2019-01-22 at 13:17 +0100, Yves-Alexis Perez wrote: > > - > > Debian Security Advisory DSA-4371-1 secur...@debian.org > >

Accepted apt 1.0.9.8.5 (source all amd64) into oldstable

2019-01-22 Thread Julian Andres Klode
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Tue, 22 Jan 2019 13:15:57 +0100 Source: apt Binary: apt libapt-pkg4.12 libapt-inst1.5 apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https Architecture: source all amd64 Version: 1.0.9.8.5 Distribution:

Re: [SECURITY] [DSA 4371-1] apt security update

2019-01-22 Thread Ben Hutchings
On Tue, 2019-01-22 at 13:17 +0100, Yves-Alexis Perez wrote: > - > Debian Security Advisory DSA-4371-1 secur...@debian.org > https://www.debian.org/security/Yves-Alexis Perez > January

Re: proposed removal of Enigmail from jessie/LTS

2019-01-22 Thread Moritz Muehlenhoff
On Tue, Jan 22, 2019 at 02:44:50PM -0500, Antoine Beaupré wrote: > > I'm not sure we should remove *both* enigmail and thunderbird from > jessie. I understand there are problems with the a.m.o version, but then [..] > Right now I'm leaning towards completely dropping support from Enigmail > in

Accepted libjpeg-turbo 1:1.3.1-12+deb8u1 (source all amd64) into oldstable

2019-01-22 Thread Mike Gabriel
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Tue, 22 Jan 2019 20:46:50 +0100 Source: libjpeg-turbo Binary: libjpeg-dev libjpeg62-turbo-dev libjpeg62-turbo libjpeg62-turbo-dbg libturbojpeg1 libturbojpeg1-dbg libturbojpeg1-dev libjpeg-turbo-progs libjpeg-turbo-progs-dbg

Re: [SECURITY] [DLA 1637-1] apt security update (amended)

2019-01-22 Thread Julien Cristau
On 1/23/19 7:00 AM, Abhijith PA wrote: > > Hi. > > My sbuild setup fails to build packages in jessie. > > W: Failed to fetch > gzip:/var/lib/apt/lists/partial/_build_pdns-recursor-mVttBC_resolver-NUo8FV_apt%5farchive_._Sources.gz > Invalid file format > > E: Some index files failed to

Re: proposed removal of Enigmail from jessie/LTS

2019-01-22 Thread Daniel Kahn Gillmor
On Tue 2019-01-22 14:44:50 -0500, Antoine Beaupré wrote: > I'm not sure we should remove *both* enigmail and thunderbird from > jessie. I understand there are problems with the a.m.o version, but then > that's somewhat outside of scope of LTS. It would seem rather unfair for > users of thunderbird

Accepted systemd 215-17+deb8u9 (source amd64) into oldstable

2019-01-22 Thread Antoine Beaupré
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Tue, 22 Jan 2019 15:30:45 -0500 Source: systemd Binary: systemd systemd-sysv libpam-systemd libsystemd0 libsystemd-dev libsystemd-login0 libsystemd-login-dev libsystemd-daemon0 libsystemd-daemon-dev libsystemd-journal0

[SECURITY] [DLA 1639-1] systemd security update

2019-01-22 Thread Antoine Beaupré
Package: systemd Version: 215-17+deb8u9 CVE ID : CVE-2018-16864 CVE-2018-16865 Debian Bug : 918841 918848 Multiple vulnerabilities were found in the journald component of systemd which can lead to a crash or code execution. CVE-2018-16864 An allocation of memory

Re: [SECURITY] [DSA 4371-1] apt security update

2019-01-22 Thread Ben Hutchings
On Tue, 2019-01-22 at 13:50 +, Steve McIntyre wrote: > On Tue, Jan 22, 2019 at 01:44:12PM +, Ben Hutchings wrote: > > On Tue, 2019-01-22 at 13:17 +0100, Yves-Alexis Perez wrote: > > > - > > > Debian Security Advisory

Re: proposed removal of Enigmail from jessie/LTS

2019-01-22 Thread Ben Hutchings
On Tue, 2019-01-22 at 14:44 -0500, Antoine Beaupré wrote: [...] > Right now I'm leaning towards completely dropping support from Enigmail > in jessie, since the changes required are too far ranging to be > comfortable. I agree with you. All the options are bad, but this seems to be the least

Re: [SECURITY] [DLA 1637-1] apt security update

2019-01-22 Thread Thorsten Glaser
On Tue, 22 Jan 2019, Julian Andres Klode wrote: > This is known to break some proxies when used against security.debian.org. If > that happens, people can switch their security APT source to use: > > deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main jessie/updates! Using

Re: [SECURITY] [DLA 1637-1] apt security update

2019-01-22 Thread Julian Andres Klode
On Tue, Jan 22, 2019 at 03:49:22PM +0100, Thorsten Glaser wrote: > On Tue, 22 Jan 2019, Julian Andres Klode wrote: > > > This is known to break some proxies when used against security.debian.org. > > If > > that happens, people can switch their security APT source to use: > > > > deb

Re: [SECURITY] [DLA 1637-1] apt security update

2019-01-22 Thread Thorsten Glaser
On Tue, 22 Jan 2019, Julian Andres Klode wrote: > > jessie/updates! Using stable/updates will break the system > > and keep back apt! > > Sorry, I missed that bit while updating the email from the DSA :( Don't worry, this happens, we're all humans, but please send an updated announcement

[SECURITY] [DLA 1637-1] apt security update (amended)

2019-01-22 Thread Julian Andres Klode
Package: apt Version: 1.0.9.8.5 CVE ID : CVE-2019-3462 Debian Bug : (amended to refer to jessie in the sources.list entry below, instead of stable) Max Justicz discovered a vulnerability in APT, the high level package manager. The code handling HTTP redirects in the
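Added example (not code from APT, and not part of this announcement or thread): a small model of the bug class behind CVE-2019-3462. APT's transport methods, including the http method, report to the parent apt process over a line-oriented text protocol: a status line such as "103 Redirect" or "201 URI Done", then "Field: value" lines, then a blank line; those message numbers and field names are from APT's method interface. The mechanism modelled here is my reading of the public advisory, not text from this thread: the redirect code percent-decoded the Location header before embedding it in the New-URI field, so a "%0a%0a" sent by a man-in-the-middle ended the 103 message early and let attacker-authored messages, hash fields included, follow it. The URLs, paths and hash below are constructed sample values.

```python
"""Header-to-IPC newline injection, vulnerable and hardened.

Added example, not APT source. Assumption (from the advisory, not this
thread): the vulnerable path decoded the untrusted Location header and
then wrote it verbatim into a newline-framed IPC message.
"""
from urllib.parse import unquote

# Constructed sample: a redirect target that smuggles a whole "201 URI Done"
# message behind a percent-encoded double newline.
ORIG_URI = "http://deb.debian.org/debian/pool/main/a/apt/apt_1.0.9.8.5_amd64.deb"
SMUGGLED_LOCATION = (
    ORIG_URI
    + "%0a%0a201%20URI%20Done"
    + "%0aURI:%20" + ORIG_URI
    + "%0aFilename:%20/var/cache/apt/archives/partial/attacker.deb"
    + "%0aSHA256-Hash:%20"
    + "0000000000000000000000000000000000000000000000000000000000000000"
)


def parse_messages(stream):
    """Parse method-to-parent output into a list of (code, fields) tuples."""
    messages = []
    for block in stream.split("\n\n"):
        if not block.strip():
            continue
        lines = block.split("\n")
        code = int(lines[0].split(" ", 1)[0])
        fields = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            fields[name.strip()] = value.strip()
        messages.append((code, fields))
    return messages


def redirect_message_vulnerable(orig_uri, location):
    """Bug pattern: decode the untrusted header, then embed it verbatim."""
    new_uri = unquote(location)
    return "103 Redirect\nURI: %s\nNew-URI: %s\n\n" % (orig_uri, new_uri)


def redirect_message_hardened(orig_uri, location):
    """Keep the header encoded; refuse anything that can break the framing."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in location):
        raise ValueError("control character in Location header")
    return "103 Redirect\nURI: %s\nNew-URI: %s\n\n" % (orig_uri, location)


def injected_message_count(builder, location=SMUGGLED_LOCATION):
    """How many messages the parent would see beyond the single 103."""
    return len(parse_messages(builder(ORIG_URI, location))) - 1


if __name__ == "__main__":
    print("vulnerable:", injected_message_count(redirect_message_vulnerable))  # 1
    print("hardened:  ", injected_message_count(redirect_message_hardened))    # 0
```

The hardened builder deliberately does not decode the header at all: a percent-encoded "%0a" is inert inside a URI, and the only way it becomes dangerous again is if some later consumer decodes it before using it as a field value, so that invariant has to hold downstream as well. For the upgrade itself, DSA-4371-1 recommends running apt with `-o Acquire::http::AllowRedirect=false` for both `update` and `upgrade` so that no redirect is followed before the fixed apt is installed.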

Re: [SECURITY] [DLA 1637-1] apt security update (amended)

2019-01-22 Thread Abhijith PA
Hi. My sbuild setup fails to build packages in jessie. W: Failed to fetch gzip:/var/lib/apt/lists/partial/_build_pdns-recursor-mVttBC_resolver-NUo8FV_apt%5farchive_._Sources.gz Invalid file format E: Some index files failed to download. They have been ignored, or old ones used instead. E:

Re: [SECURITY] [DLA 1637-1] apt security update (amended)

2019-01-22 Thread Jason Guto
jasongutow...@westat.com On Tue, Jan 22, 2019 at 9:55 AM Julian Andres Klode wrote: > > Package: apt > Version: 1.0.9.8.5 > CVE ID : CVE-2019-3462 > Debian Bug : > > (amended to refer to jessie in the sources.list entry below, instead of > stable) > > Max Justicz

Re: proposed removal of Enigmail from jessie/LTS

2019-01-22 Thread Antoine Beaupré
On 2018-12-20 14:30:49, Daniel Kahn Gillmor wrote: > fwiw, i agree with jmm that encouraging users to upgrade to stable is > the best outcome here. The question is, what are we doing to the folks > who (for whatever reason) can't make that switch. > > On Thu 2018-12-20 17:01:30 +0100, Moritz

Re: [SECURITY] [DLA 1637-1] apt security update (amended)

2019-01-22 Thread Jason Guto
Would it be best practice to disable HTTP connections for apt and is the latter even possible? Thank you On Tue, Jan 22, 2019 at 9:55 AM Julian Andres Klode wrote: > > Package: apt > Version: 1.0.9.8.5 > CVE ID : CVE-2019-3462 > Debian Bug : > > (amended to refer to

Re: [SECURITY] [DSA 4371-1] apt security update

2019-01-22 Thread Chris Lamb
Ben Hutchings wrote: > This presumably needs to be fixed for jessie LTS as well, and I see > Chris Lamb has claimed it. I took the "claim" here so that there was definitely someone in the LTS team who would ensure everything was followed-through, which seems like it has happened. I've since