concerns about the security reliability of python-gnupg

2019-02-07 Thread Antoine Beaupré
Hi, Recently, python-gnupg was triaged for maintenance in Debian LTS, which brought my attention to this little wrapper around GnuPG that I'm somewhat familiar with. Debian is marked as "vulnerable" for CVE-2019-6690 in Jessie and Stretch right now, with buster and sid marked as fixed, as you

Re: (when?) do we (still) contact maintainers?

2019-02-07 Thread Antoine Beaupré
On 2019-02-07 18:32:39, Markus Koschany wrote: > Please do not CC me. I am subscribed. > > On 07.02.19 at 18:23, Antoine Beaupré wrote: > [...] >> Well, I don't think we should make such calls without announcing it and >> documenting the new workflow clearly, first off. >> >> Second, I think I

Re: concerns about the security reliability of python-gnupg

2019-02-07 Thread Antoine Beaupré
On 2019-02-07 11:44:45, Antoine Beaupré wrote: > https://dev.gentoo.org/~mgorny/articles/evolution-uid-trust-extrapolation.html > https://blogs.gentoo.org/mgorny/2019/01/29/identity-with-openpgp-trust-model/ Oops, that second link should have been:

Re: concerns about the security reliability of python-gnupg

2019-02-07 Thread Antoine Beaupré
On 2019-02-07 16:48:56, Holger Levsen wrote: > On Thu, Feb 07, 2019 at 11:44:45AM -0500, Antoine Beaupré wrote: >> But maybe, instead, we should just mark it as unsupported in >> debian-security-support and move on. There are few packages depending on >> it, in jessie: > [...] >> in buster: >>

Accepted dovecot 1:2.2.13-12~deb8u5 (source amd64) into oldstable

2019-02-07 Thread Chris Lamb
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Thu, 07 Feb 2019 17:57:04 +0100 Source: dovecot Binary: dovecot-core dovecot-dev dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-managesieved dovecot-pgsql dovecot-mysql dovecot-sqlite dovecot-ldap dovecot-gssapi dovecot-sieve

Re: (when?) do we (still) contact maintainers?

2019-02-07 Thread Antoine Beaupré
On 2019-02-07 17:58:48, Markus Koschany wrote: > Hello, > > On 07.02.19 at 17:32, Antoine Beaupré wrote: > [...] >> Am I missing something here? Did we change this practice, or is this an >> oversight? > > I have been part of the team for three years now, from my experience > almost all people

Re: (when?) do we (still) contact maintainers?

2019-02-07 Thread Markus Koschany
Please do not CC me. I am subscribed. On 07.02.19 at 18:23, Antoine Beaupré wrote: [...] > Well, I don't think we should make such calls without announcing it and > documenting the new workflow clearly, first off. > > Second, I think I mostly agree with you, but we need to be certain we > won't

Accepted libarchive 3.1.2-11+deb8u7 (source amd64) into oldstable

2019-02-07 Thread Antoine Beaupré
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Thu, 07 Feb 2019 13:04:01 -0500 Source: libarchive Binary: libarchive-dev libarchive13 bsdtar bsdcpio Architecture: source amd64 Version: 3.1.2-11+deb8u7 Distribution: jessie-security Urgency: medium Maintainer: Debian Libarchive

Re: concerns about the security reliability of python-gnupg

2019-02-07 Thread Holger Levsen
On Thu, Feb 07, 2019 at 11:44:45AM -0500, Antoine Beaupré wrote: > But maybe, instead, we should just mark it as unsupported in > debian-security-support and move on. There are few packages depending on > it, in jessie: [...] > in buster: > Note that the list is (slowly) growing. marking it it

Re: (when?) do we (still) contact maintainers?

2019-02-07 Thread Markus Koschany
Hello, On 07.02.19 at 17:32, Antoine Beaupré wrote: [...] > Am I missing something here? Did we change this practice, or is this an > oversight? I have been part of the team for three years now, from my experience almost all people are very happy when someone else fixes bugs in oldstable. Most

[SECURITY] [DLA 1667-1] dovecot security update

2019-02-07 Thread Chris Lamb
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Package: dovecot Version: 1:2.2.13-12~deb8u5 CVE ID : CVE-2019-3814 It was discovered that there was a vulnerability in the dovecot IMAP/POP3 server. A flaw in the TLS username handling could lead to an attacker logging in

(when?) do we (still) contact maintainers?

2019-02-07 Thread Antoine Beaupré
Hi, I was under the impression that we were supposed to contact maintainers when we add packages to dla-needed.txt, as part of the triage work. That is, at least, the method documented here: https://wiki.debian.org/LTS/Development#Triage_new_security_issues Confident that people doing the

Re: (when?) do we (still) contact maintainers?

2019-02-07 Thread Ola Lundqvist
Hi Antoine It is my fault that python developers were not contacted. I added the package to dla-needed.txt yesterday (or possibly the day before) and planned to contact the maintainers. But before I had the chance to do so the package was already fixed and then it did not feel appropriate to

[SECURITY] [DLA 1668-1] libarchive security update

2019-02-07 Thread Antoine Beaupré
Package: libarchive Version: 3.1.2-11+deb8u7 CVE ID : CVE-2019-119 CVE-2019-120 Fuzzing found two further file-format specific issues in libarchive, a read-only segfault in 7z, and an infinite loop in ISO9660. CVE-2019-119 Out-of-bounds Read vulnerability

tiff / CVE-2014-8127 / CVE-2018-5360

2019-02-07 Thread Brian May
According to https://security-tracker.debian.org/tracker/CVE-2014-8127: tiff 4.0.3-12.3+deb8u5 is vulnerable to CVE-2014-8127. But according to the changelog CVE-2014-8127 was fixed in version 4.0.3-12.3+deb8u3: tiff (4.0.3-12.3+deb8u3) jessie-security; urgency=high * Backport fix for the

(E)LTS report for January

2019-02-07 Thread Emilio Pozuelo Monfort
Hi, During the month of January, I spent 42.5 hours working on LTS on the following tasks: - thunderbird 60.4.0 ESR security update - tzdata and libdatetime-timezone-perl new releases - investigated symfony test failures - policykit-1 security update - investigated lua vulnerability, which

Re: [SECURITY] [DSA 4371-1] apt security update

2019-02-07 Thread Emilio Pozuelo Monfort
Hi Steve, On 07/02/2019 12:12, Steve McIntyre wrote: > On Mon, Jan 28, 2019 at 12:26:54AM +, Steve McIntyre wrote: >> On Sun, Jan 27, 2019 at 06:33:29PM +, Steve McIntyre wrote: >>> >>> I'll give it a try now... >> >> And that worked on the first attempt. Using this approach, I've done >>

[SECURITY] [DLA 1663-1] python3.4 security update

2019-02-07 Thread Brian May
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Package: python3.4 Version: 3.4.2-1+deb8u2 CVE ID : CVE-2016-0772 CVE-2016-5636 CVE-2016-5699 CVE-2018-20406 CVE-2019-5010 This DLA fixes a problem parsing x509 certificates, a pickle integer overflow,

Re: [SECURITY] [DLA 1664-1] golang security update

2019-02-07 Thread Emilio Pozuelo Monfort
On 06/02/2019 23:47, Antoine Beaupré wrote: > On 2019-02-06 23:42:12, Chris Lamb wrote: >> Hi Antoine, >> >>> all golang Debian packages are (as elsewhere) statically compiled >>> and linked so we'd need to rebuild all the rdeps >> >> Hm. Can we avoid /all/ the rdeps? I mean, grep the rdeps for

Re: [SECURITY] [DSA 4371-1] apt security update

2019-02-07 Thread Steve McIntyre
On Mon, Jan 28, 2019 at 12:26:54AM +, Steve McIntyre wrote: >On Sun, Jan 27, 2019 at 06:33:29PM +, Steve McIntyre wrote: >> >>I'll give it a try now... > >And that worked on the first attempt. Using this approach, I've done >jessie builds of the various LTS arches using casulana, the

Accepted python3.4 3.4.2-1+deb8u2 (source all amd64) into oldstable

2019-02-07 Thread Brian May
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Wed, 06 Feb 2019 16:55:11 +1100 Source: python3.4 Binary: python3.4 python3.4-venv libpython3.4-stdlib python3.4-minimal libpython3.4-minimal libpython3.4 python3.4-examples python3.4-dev libpython3.4-dev libpython3.4-testsuite