Accepted php5 5.6.39+dfsg-0+deb8u2 (source amd64 all) into oldstable

2019-02-11 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Mon, 11 Feb 2019 17:38:14 +0530 Source: php5 Binary: php5 php5-common libapache2-mod-php5 libapache2-mod-php5filter php5-cgi php5-cli php5-phpdbg php5-fpm libphp5-embed php5-dev php5-dbg php-pear php5-curl php5-enchant php5-gd

Re: Bug#859122: about 500 DLAs missing from the website

2019-02-11 Thread Antoine Beaupré
On 2019-02-09 03:55:44, Laura Arjona Reina wrote: > Hello all > > Holger Levsen merged the generated DLAs and I've worked to create the > /lts tree to show them separated from the DSA. I have moved to this new > /lts folder the DLAs from years 2014, 2015 and 2016 that we had already, > and remove

Accepted wordpress 4.1.25+dfsg-1+deb8u1 (source all) into oldstable

2019-02-11 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Mon, 11 Feb 2019 12:13:40 +0100 Source: wordpress Binary: wordpress wordpress-l10n wordpress-theme-twentyfifteen wordpress-theme-twentyfourteen wordpress-theme-twentythirteen Architecture: source all Version: 4.1.25+dfsg-1+deb8u1

Re: Jessie update of libsdl1.2 and libsdl2?

2019-02-11 Thread Felix Geyer
Hi Ola, On 10.02.19 17:27, Ola Lundqvist wrote: > Dear maintainers, > > The Debian LTS team would like to fix the security issues which are > currently open in the Jessie version of libsdl1.2 and libsdl2: > https://security-tracker.debian.org/tracker/CVE-2019-7572 >

PHP5 status

2019-02-11 Thread Markus Koschany
Hello, I noticed that both of you work on PHP5. Please coordinate the next upload. We should package version 5.6.40 which will fix all known issues. I have contacted secur...@php.net and they confirmed to me that they will assign new CVE numbers shortly. Regards, Markus signature.asc

Re: Bug#859122: about 500 DLAs missing from the website

2019-02-11 Thread Antoine Beaupré
On 2019-02-09 14:39:50, Holger Levsen wrote: > Hi Laura, > > many many thanks for your work on this, including and especially this > writeup! > > some comments below, where I don't say anything I mean 'yay'! :) > > On Sat, Feb 09, 2019 at 03:55:44AM +0100, Laura Arjona Reina wrote: >> * The

[SECURITY] [DLA 1673-1] wordpress security update

2019-02-11 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: wordpress Version: 4.1.25+dfsg-1+deb8u1 CVE ID : CVE-2018-20147 CVE-2018-20148 CVE-2018-20149 CVE-2018-20150 CVE-2018-20151 CVE-2018-20152 CVE-2018-20153 Debian Bug : 916403

Re: concerns about the security reliability of python-gnupg

2019-02-11 Thread Antoine Beaupré
On 2019-02-09 11:39:18, Elena ``of Valhalla'' wrote: > On 2019-02-07 at 11:44:45 -0500, Antoine Beaupré wrote: >> Hi, >> >> Recently, python-gnupg was triaged for maintenance in Debian LTS, which >> brought my attention to this little wrapper around GnuPG that I'm >> somewhat familiar with. >>

Re: Bug#921663: Please add python-certbot update to jessie-backports

2019-02-11 Thread Brad Warren
I agree with the concerns about updating python3-cryptography in jessie. If we can’t update jessie, I’d ideally love to see the packages in jessie-backports updated. Despite the announcement that jessie-backports was discontinued ~6 months ago, tens of thousands of users and many more domains

Re: PHP5 status

2019-02-11 Thread Abhijith PA
Hi Markus and Roberto On Tuesday 12 February 2019 02:13 AM, Markus Koschany wrote: > Hello, > > I noticed that both of you work on PHP5. Please coordinate the next > upload. We should package version 5.6.40 which will fix all known > issues. I have contacted secur...@php.net and they confirmed

Re: Bug#859122: about 500 DLAs missing from the website

2019-02-11 Thread Salvatore Bonaccorso
Hi, On Sat, Feb 09, 2019 at 03:55:44AM +0100, Laura Arjona Reina wrote: > * We still need the Apache redirects, so the people that try the old > URLs (whether directly because they knew, or via the security tracker), > find the files they need. What we need to do is send a patch to > >

Re: PHP 5.6 EOD of Life Support and Debian 8 LTS.

2019-02-11 Thread Thomas Martin
Hi Ola, Thanks for your answer, much appreciated. About PHP7.0, I was asking if it would be supported in next LTS release (when Stretch becomes oldstable), but I might be anticipating way too far. Thomas On Sat, 9 Feb 2019 at 21:35, Ola Lundqvist wrote: > > Hi Thomas > > I do not see that

Re: tiff

2019-02-11 Thread Hugo Lefeuvre
Hi Brian, I am currently testing the update. I already had a look at the patches. > diff -Nru tiff-4.0.3/debian/patches/CVE-2018-12900.patch > tiff-4.0.3/debian/patches/CVE-2018-12900.patch > --- tiff-4.0.3/debian/patches/CVE-2018-12900.patch1970-01-01 > 10:00:00.0 +1000 > +++

[SECURITY] [DLA 1674-1] php5 security update

2019-02-11 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: php5 Version: 5.6.39+dfsg-0+deb8u2 CVE ID : CVE-2018-1000888 php-pear in php5 contains CWE-502 (Deserialization of Untrusted Data) and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object

Re: Bug#921663: Please add python-certbot update to jessie-backports

2019-02-11 Thread Alexander Wirt
On Mon, 11 Feb 2019, Brad Warren wrote: > I agree with the concerns about updating python3-cryptography in jessie. > > If we can’t update jessie, I’d ideally love to see the packages in > jessie-backports updated. Despite the announcement that jessie-backports was > discontinued ~6 months ago,

Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update

2019-02-11 Thread Emilio Pozuelo Monfort
On 11/02/2019 09:24, Chris Lamb wrote: > Hi Tobias, > >> The remaining packages on the list maybe need a rebuild for jessie: >> >> aptly >> direnv >> golang-bindata >> golang-gogoprotobuf >> golang-goprotobuf >> heartbleeder >> kxd >> ngrok >> obfs4proxy >> pt-websocket >> slt > > Great stuff —

Accepted ghostscript 9.26a~dfsg-0+deb8u1 (source all amd64) into oldstable

2019-02-11 Thread Emilio Pozuelo Monfort
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Tue, 29 Jan 2019 10:46:45 +0100 Source: ghostscript Binary: ghostscript ghostscript-x ghostscript-doc libgs9 libgs9-common libgs-dev ghostscript-dbg Architecture: source all amd64 Version: 9.26a~dfsg-0+deb8u1 Distribution:

Re: PHP 5.6.40 on Jessie

2019-02-11 Thread Jean-Baptiste Martin-Ariès
Hello, Do you have any information about PHP 5.6.40 date of availability for Jessie? Thanks, JB On Wed, 30 Jan 2019 at 15:56, Jean-Baptiste Martin-Ariès < jean.baptiste.mar...@gmail.com> wrote: > Hello, > > PHP 5.6.40 had been made available on 10 Jan 2019 and contains several > bugs and

Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update

2019-02-11 Thread Chris Lamb
Hi Tobias, > The remaining packages on the list maybe need a rebuild for jessie: > > aptly > direnv > golang-bindata > golang-gogoprotobuf > golang-goprotobuf > heartbleeder > kxd > ngrok > obfs4proxy > pt-websocket > slt Great stuff — thanks for this. LTS team, just as a sanity check;

Re: [pkg-golang-devel] [SECURITY] [DLA 1664-1] golang security update

2019-02-11 Thread Michael Hudson-Doyle
On Mon, 11 Feb 2019 at 21:28, Emilio Pozuelo Monfort wrote: > On 11/02/2019 09:24, Chris Lamb wrote: > > Hi Tobias, > > > >> The remaining packages on the list maybe need a rebuild for jessie: > >> > >> aptly > >> direnv > >> golang-bindata > >> golang-gogoprotobuf > >> golang-goprotobuf > >>

[SECURITY] [DLA 1670-1] ghostscript security update

2019-02-11 Thread Emilio Pozuelo Monfort
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: ghostscript Version: 9.26a~dfsg-0+deb8u1 CVE ID : CVE-2019-6116 Tavis Ormandy discovered a vulnerability in Ghostscript, the GPL PostScript/PDF interpreter, which may result in denial of service or the execution of

[SECURITY] [DLA 1672-1] curl security update

2019-02-11 Thread Chris Lamb
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: curl Version: 7.38.0-4+deb8u14 CVE IDs: CVE-2018-16890 CVE-2019-3822 CVE-2019-3823 It was discovered that there were three vulnerabilities in the curl command-line HTTP (etc.) client: * CVE-2018-16890: A heap

Re: faad2 and systemd: (semi)-automatically unclaimed after 2 weeks of inactivity

2019-02-11 Thread Antoine Beaupré
On 2019-02-11 10:57:20, Holger Levsen wrote: > hi, > > I've just unclaimed faad2 and systemd as the last documented activity on these > packages was more than two weeks ago... > > If you intend to continue working on them, please just reclaim them and > update the note. Hehe... "arroseur arrosé"

[SECURITY] [DLA 1671-1] coturn security update

2019-02-11 Thread Emilio Pozuelo Monfort
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: coturn Version: 4.2.1.2-1+deb8u1 CVE ID : CVE-2018-4056 CVE-2018-4058 CVE-2018-4059 Multiple vulnerabilities were discovered in coTURN, a TURN and STUN server for VoIP. CVE-2018-4056 An SQL injection

Re: Bug#921663: Please add python-certbot update to jessie-backports

2019-02-11 Thread Ian Campbell
On Mon, 2019-02-11 at 12:06 +0200, Adrian Bunk wrote: > certbot is not in jessie, so nothing to fix/update there. Oh, I hadn't realised that bit, thanks for clarifying. I have no advice/suggestions then. Ian.

Re: [SECURITY] [DSA 4371-1] apt security update

2019-02-11 Thread Emilio Pozuelo Monfort
On 11/02/2019 02:38, Steve McIntyre wrote: > On Fri, Feb 08, 2019 at 11:23:54AM +0100, Emilio Pozuelo Monfort wrote: >> >> I have done an automated install (ncurses frontend, installing GNOME) using >> the >> netinst/amd64 image, with an LVM encrypted volume. I have also tested the CD1 >> media,

Re: Bug#921663: Please add python-certbot update to jessie-backports

2019-02-11 Thread Adrian Bunk
On Sat, Feb 09, 2019 at 08:37:09AM +, Ian Campbell wrote: >... > There is no need for an exception, jessie-backports is not the right > place to be fixing this issue even if it were still open. It should be > fixed by an update to either Jessie itself or the security suite. >... certbot is

Accepted coturn 4.2.1.2-1+deb8u1 (source amd64) into oldstable

2019-02-11 Thread Emilio Pozuelo Monfort
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Thu, 31 Jan 2019 09:53:40 +0100 Source: coturn Binary: coturn Architecture: source amd64 Version: 4.2.1.2-1+deb8u1 Distribution: jessie-security Urgency: medium Maintainer: Debian VoIP Team Changed-By: Emilio Pozuelo Monfort

faad2 and systemd: (semi)-automatically unclaimed after 2 weeks of inactivity

2019-02-11 Thread Holger Levsen
hi, I've just unclaimed faad2 and systemd as the last documented activity on these packages was more than two weeks ago... If you intend to continue working on them, please just reclaim them and update the note. Thanks. -- tschau, Holger

Accepted curl 7.38.0-4+deb8u14 (source amd64 all) into oldstable

2019-02-11 Thread Chris Lamb
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Mon, 11 Feb 2019 15:57:22 +0100 Source: curl Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg libcurl4-doc Architecture: source amd64 all Version:

Re: [SECURITY] [DLA 1672-1] curl security update

2019-02-11 Thread Gerald Designergerald
Thank you, merci On Mon, 11 Feb 2019 16:44, Chris Lamb wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Package: curl > Version: 7.38.0-4+deb8u14 > CVE IDs: CVE-2018-16890 CVE-2019-3822 CVE-2019-3823 > > It was discovered that there were three