Re: [SECURITY] [DSA 4371-1] apt security update

2019-02-08 Thread Emilio Pozuelo Monfort
On 07/02/2019 12:23, Emilio Pozuelo Monfort wrote: > Hi Steve, > > On 07/02/2019 12:12, Steve McIntyre wrote: >> On Mon, Jan 28, 2019 at 12:26:54AM +, Steve McIntyre wrote: >>> On Sun, Jan 27, 2019 at 06:33:29PM +, Steve McIntyre wrote: I'll give it a try now... >>> >>> And that

Re: [SECURITY] [DLA 1664-1] golang security update

2019-02-08 Thread Salvatore Bonaccorso
Hi Holger, On Wed, Feb 06, 2019 at 11:24:34PM +, Holger Levsen wrote: > Dear golang maintainers and security team, > > this came up on the LTS mailing list... > > On Wed, Feb 06, 2019 at 11:42:12PM +0100, Chris Lamb wrote: > > > all golang Debian packages are (as elsewhere) statically

Re: [SECURITY] [DLA 1664-1] golang security update

2019-02-08 Thread Holger Levsen
Hi Salvatore, On Fri, Feb 08, 2019 at 09:02:49AM +0100, Salvatore Bonaccorso wrote: > The point we discussed with Tobias Quathamer was boiling down to: > > But if there are any Go-based applications in stretch which are affected by > > the ECC issue, we could schedule binNMUs by the next stretch

Re: Backports LTS security support

2019-02-08 Thread Alexander Wirt
On Fri, 08 Feb 2019, Paul van der Vlis wrote: > Hello, > > I would like to have LTS support for backports. On most systems I use > one or more packages from backports. > > When the same version of a package is in use in the next version of > Debian, I guess backporting them is -in most cases-

Backports LTS security support

2019-02-08 Thread Paul van der Vlis
Hello, I would like to have LTS support for backports. On most systems I use one or more packages from backports. When the same version of a package is in use in the next version of Debian, I guess backporting them is -in most cases- not a big problem. I am interested if it would be a good

Re: about 500 DLAs missing from the website

2019-02-08 Thread Holger Levsen
Hi Antoine, On Sun, Feb 03, 2019 at 02:08:06PM +0100, Salvatore Bonaccorso wrote: > Thanks for working on this. indeed! > On Fri, Feb 01, 2019 at 01:44:10PM -0500, Antoine Beaupré wrote: > > On 2018-12-19 18:05:36, Antoine Beaupré wrote: > > > The DLAs are visible here: > > >

Re: [SECURITY] [DLA 1664-1] golang security update

2019-02-08 Thread Chris Lamb
Hi all, > > There is no sensible way to schedule binnmu's via security. So far none > > appeared AFAIK. […] > thanks for the quick feedback still! Indeed thanks for the feedback. Looking into this quickly from a jessie chroot: $ build-rdeps golang Reverse Build-depends in main:

Re: Backports LTS security support

2019-02-08 Thread Paul van der Vlis
On 08-02-19 at 15:29, Alexander Wirt wrote: > On Fri, 08 Feb 2019, Paul van der Vlis wrote: > >> Hello, >> >> I would like to have LTS support for backports. On most systems I use >> one or more packages from backports. >> >> When the same version of a package is in use in the next version of >>

Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update

2019-02-08 Thread Chris Lamb
Hi Tobias, > $ grep-dctrl -FBuild-Depends golang-go -w -sPackage > /var/lib/apt/lists/*Sources [..] > > Please note that there are probably a lot of false positives in this > list, because not every package uses crypto/elliptic. Indeed. So how reliable would it be to look for "crypto/elliptic"

Re: Backports LTS security support

2019-02-08 Thread Alexander Wirt
On Fri, 08 Feb 2019, Paul van der Vlis wrote: > On 08-02-19 at 15:29, Alexander Wirt wrote: > > On Fri, 08 Feb 2019, Paul van der Vlis wrote: > > > >> Hello, > >> > >> I would like to have LTS support for backports. On most systems I use > >> one or more packages from backports. > >> > >> When

Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update

2019-02-08 Thread Dr. Tobias Quathamer
On 08.02.2019 at 16:20, Chris Lamb wrote: > Hi all, > >>> There is no sensible way to schedule binnmu's via security. So far none >>> appeared AFAIK. > […] >> thanks for the quick feedback still! > > Indeed thanks for the feedback. Looking into this quickly from a > jessie chroot: > > $

Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update

2019-02-08 Thread Dr. Tobias Quathamer
On 08.02.2019 at 17:31, Chris Lamb wrote: > Hi Tobias, > >> $ grep-dctrl -FBuild-Depends golang-go -w -sPackage >> /var/lib/apt/lists/*Sources > [..] >> >> Please note that there are probably a lot of false positives in this >> list, because not every package uses crypto/elliptic. > > Indeed.

Accepted libreoffice 1:4.3.3-2+deb8u12 (source amd64 all) into oldstable

2019-02-08 Thread Antoine Beaupré
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Thu, 07 Feb 2019 14:24:28 -0500 Source: libreoffice Binary: libreoffice libreoffice-l10n-za libreoffice-l10n-in libreoffice-core libreoffice-common libreoffice-java-common libreoffice-writer libreoffice-calc libreoffice-impress

[SECURITY] [DLA 1669-1] libreoffice security update

2019-02-08 Thread Antoine Beaupré
Package: libreoffice Version: 1:4.3.3-2+deb8u12 CVE ID : CVE-2018-16858 Alex Infuehr discovered a directory traversal vulnerability which could result in the execution of Python script code when opening a malformed document. For Debian 8 "Jessie", this problem has been

Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update

2019-02-08 Thread Dr. Tobias Quathamer
On 08.02.2019 at 20:46, Dr. Tobias Quathamer wrote: > With that in mind, the list gets much shorter. Is there an easy way to > find out if a source package produces only the -dev binary package? One > hint at finding the right packages would be that the -dev packages are > arch:all, while other

Re: Bug#859122: about 500 DLAs missing from the website

2019-02-08 Thread Laura Arjona Reina
Hello all, Holger Levsen merged the generated DLAs and I've worked to create the /lts tree to show them separated from the DSA. I have moved to this new /lts folder the DLAs from years 2014, 2015 and 2016 that we had already, and removed them from the /security tree and removed references to DLAs