Re: diff for passenger in Squeeze

2015-12-29 Thread Antoine Beaupré
On 2015-12-29 07:36:30, Guido Günther wrote: > Hi Thorsten, > > Isn't the logic reversed here? We want to _skip_ the header if it > containsNonAlphaNumDash not add it? After reviewing the patch, I agree, the logic is reversed. I am also not sure why the patch is so different - did the primitives

Re: security tracker end-of-life patch

2016-01-02 Thread Antoine Beaupré
On 2016-01-02 09:43:14, Guido Günther wrote: > So what I would expect is the tracker to show that the package is > unsupported (i.e. by dropping the column for the unsupported Debian > releases by default in the "open issues" table and marking it as > unsupported in the "available versions" table?

Re: squeeze/wheezy updates of Redmine (+ long term state of redmine packaging)

2015-12-31 Thread Antoine Beaupré
On 2015-12-30 04:23:33, Raphael Hertzog wrote: > Hello Antoine, > > On Tue, 29 Dec 2015, anarcat wrote: >> Hello dear maintainers of the Redmine packages! >> >> The Debian LTS team would like to fix the security issues which are >> currently open in the Squeeze or Wheezy versions of redmine: > >

long-term redmine debian packaging

2015-12-29 Thread Antoine Beaupré
Hi! ["out of date redmine" bug report in CC. this is a followup email to the generic "we're going to LTS redmine!" notification which expands on the situation and hopefully the future of the Redmine packaging] I am trying to figure out how to maintain Redmine in the long term, especially in the

security tracker end-of-life patch

2015-12-31 Thread Antoine Beaupré
hi right now, the security tracker shows CVEs marked as "end-of-life" as "vulnerable", and in the open issue list. a good example is the redmine package: https://security-tracker.debian.org/tracker/source-package/redmine CVE-2015-8477, CVE-2014-1985, CVE-2012-2054 and CVE-2012-0327 are all

security-tracker: ignoring end-of-life packages (was: squeeze/wheezy updates of Redmine (+ long term state of redmine packaging))

2016-01-01 Thread Antoine Beaupré
On 2016-01-01 11:30:36, Raphael Hertzog wrote: > Hi, > > On Thu, 31 Dec 2015, Antoine Beaupré wrote: >> > I have thus pushed the attached patch to the git repository of >> > debian-security-support. Ccing the security team to inform them >> > of this change. >

another squeeze cacti update?

2016-01-05 Thread Antoine Beaupré
Hi! Cacti still shows up in the list of opened issues in squeeze... Are you going to take care of CVE-2015-8604 next? Thanks! a. -- The reasonable man adapts himself to the world. The unreasonable man persists in trying to adapt the world to himself. Therefore, all progress depends on the

Re: smokeping DLA test

2015-11-26 Thread Antoine Beaupré
On 2015-11-26 07:57:09, Niko Tyni wrote: > [cc'ing you just in case you aren't subscribed] > > On Wed, Nov 25, 2015 at 12:29:40PM -0500, Antoine Beaupré wrote: > >> this is my first DLA, so i want to make sure i am doing this >> right... Already i am worried i have skipp

Re: smokeping DLA test

2015-11-26 Thread Antoine Beaupré
On 2015-11-26 13:07:42, Antoine Beaupré wrote: > On 2015-11-26 12:41:38, Raphael Hertzog wrote: >> Hi, >> >> On Thu, 26 Nov 2015, Antoine Beaupré wrote: >>> Somehow i still built the package with the (harmless) fix... I wonder >>> what to do now - i upl

Re: smokeping DLA test

2015-11-26 Thread Antoine Beaupré
On 2015-11-26 17:07:41, Adam D. Barratt wrote: > Yes. See https://lists.debian.org/debian-lts/2015/11/msg00085.html Uh. So it seems i'm not subscribed to this list after all. How embarrassing... Will fix this right away. That said: rah. Yet another git-buildpackage problem. Will fix that and

Accepted smokeping 2.3.6-5+squeeze2 (source all) into squeeze-lts

2015-11-26 Thread Antoine Beaupré
hanged-By: Antoine Beaupré <anar...@debian.org> Description: smokeping - latency logging and graphing system Changes: smokeping (2.3.6-5+squeeze2) squeeze-lts; urgency=medium . * backport CVE-2013-4168 to squeeze-lts Checksums-Sha1: c33823918cd1a513e9ed8eb40e14fae9c2b1e3e2 1984 smokeping_2.3.

[SECURITY] [DLA 348-1] smokeping security update

2015-11-27 Thread Antoine Beaupré
Package: smokeping Version: 2.3.6-5+squeeze2 CVE ID : CVE-2013-4168 CVE-2013-4168 Minor XSS issue resolved in the upstream 2.6.9, discovered by Steven Chamberlain

[SECURITY] [DLA 481-2] phpmyadmin regression update

2016-05-30 Thread Antoine Beaupré
Package: phpmyadmin Version: 4:3.4.11.1-2+deb7u4 CVE ID : CVE-2016-1927 CVE-2016-2038 CVE-2016-2039 CVE-2016-2040 CVE-2016-2041 CVE-2016-2045 CVE-2016-2560 Debian Bug : 825301 The previous security upload broke the search pages in phpMyAdmin. This was

Re: squeeze update of chrony?

2016-02-04 Thread Antoine Beaupré
On 2016-02-04 11:56:50, Vincent Blut wrote: > Hey Antoine, > > On 2016-01-30 15:16:49, Antoine Beaupré wrote: > >> On 2016-01-28 17:27:41, Vincent Blut wrote: > >>> On Thu, Jan 28, 2016 at 09:23:01PM +0100, Guido Günther wrote: > >>>>Hell

Re: Preparing to announce Squeeze LTS end-of-life

2016-02-09 Thread Antoine Beaupré
On 2016-02-09 08:51:20, Holger Levsen wrote: > There's one irritation though, which I could not fix yet: if support for > Squeeze LTS ends now or on the last day of February, and support for Wheezy > will be taken over from the security team on April 26th, what will the LTS > team do in the

Re: squeeze update of chrony?

2016-02-11 Thread Antoine Beaupré
On 2016-02-10 17:33:37, Vincent Blut wrote: > Ok, it’s done. Please could you review and eventually upload if > everything is good for you? Note that the concerned branch is > *squeeze-lts* and the chrony-1.24 upstream tarball is in a branch named > *upstream-1.24*. Hi! I have tried to build

Re: squeeze update of chrony?

2016-02-13 Thread Antoine Beaupré
On 2016-02-13 03:23:21, Guido Günther wrote: >> > If you want to build it from the git tree, the following should suffice: >> > $git clone https://anonscm.debian.org/git/collab-maint/chrony.git >> > $git checkout squeeze-lts >> > $gbp buildpackage --git-pbuilder --git-debian-branch=squeeze-lts >>

Re: squeeze update of openssh?

2016-01-29 Thread Antoine Beaupré
On 2016-01-23 06:50:51, Guido Günther wrote: > Hi Colin, > On Fri, Jan 15, 2016 at 02:01:44PM +, Colin Watson wrote: >> On Fri, Jan 15, 2016 at 02:50:33PM +0100, Yves-Alexis Perez wrote: >> > On ven., 2016-01-15 at 14:47 +0100, Guido Günther wrote: >> > > > I believe Yves-Alexis Perez is

Re: Looking for issues affecting wheezy but fixed in squeeze

2016-01-28 Thread Antoine Beaupré
On 2016-01-23 08:22:22, Guido Günther wrote: > Hi, > > now that Wheezy LTS is approaching I wondered what would be the best > places to help out fixing issues in Wheezy so that upgrading from > Squeeze to Wheezy would not introduce new security issues. > > Therefore I added

Re: squeeze update of openssh?

2016-02-01 Thread Antoine Beaupré
On 2016-01-30 11:26:59, Antoine Beaupré wrote: > The problem is, from what I understand, there is no way to fix > CVE-2016-1908 while ForwardX11Trusted is set to "yes". Basically, that > setting makes the whole exploit unnecessary because there's no > protection to workarou

Re: squeeze update of chrony?

2016-01-30 Thread Antoine Beaupré
On 2016-01-28 17:27:41, Vincent Blut wrote: > On Thu, Jan 28, 2016 at 09:23:01PM +0100, Guido Günther wrote: >>Hello dear maintainers, > > Hello Guido, > >>the Debian LTS team would like to fix the security issues which are >>currently open in the Squeeze version of chrony:

Re: squeeze update of prosody?

2016-01-30 Thread Antoine Beaupré
On 2016-01-30 02:57:12, Sergei Golovan wrote: > Hi Guido, > > On Fri, Jan 29, 2016 at 11:10 AM, Guido Günther wrote: >> >> It would be great to have a "maintainer blessed" patch for that >> issue. Just send it to the list and we take care of the rest. > > Here are the .dsc and

[SECURITY] [DLA 406-1] phpmyadmin security update

2016-01-30 Thread Antoine Beaupré
Package: phpmyadmin Version: 4:3.3.7-11 CVE ID : CVE-2016-2039 CVE-2016-2041 Several flaws were discovered in the CSRF authentication code of phpMyAdmin. CVE-2016-2039 The XSRF/CSRF token is generated with a weak

[SECURITY] [DLA 407-1] prosody security update

2016-01-30 Thread Antoine Beaupré
Package: prosody Version: 0.7.0-1squeeze1+deb6u2 CVE ID : CVE-2016-0756 The flaw allows a malicious server to impersonate the vulnerable domain to any XMPP domain whose domain name includes the attacker's domain as a suffix.

Re: squeeze update of openssh?

2016-01-29 Thread Antoine Beaupré
On 2016-01-23 06:50:51, Guido Günther wrote: > I had a look at RedHat's analysis[1] and at Squeeze, Wheezy and Jessie: > > * Squeeze and Wheezy don't run "xhost +si:localuser:`id -un`" from > xinit but we do so from Jessie on > * we have the security extension enabled > > however

Re: Wheezy time

2016-01-28 Thread Antoine Beaupré
I am also a little confused by this now: when does squeeze support officially start, and when do we start hammering at wheezy-lts? a. -- We are discreet sheep; we wait to see how the drove is going, and then go with the drove. - Mark Twain

Re: squeeze update of chrony?

2016-02-03 Thread Antoine Beaupré
On 2016-01-30 15:16:49, Antoine Beaupré wrote: > On 2016-01-28 17:27:41, Vincent Blut wrote: >> On Thu, Jan 28, 2016 at 09:23:01PM +0100, Guido Günther wrote: >>>Hello dear maintainers, >> >> Hello Guido, >> >>>the Debian LTS team would like to fix th

Re: Glibc CVE-2015-7547

2016-02-16 Thread Antoine Beaupré
On 2016-02-16 11:15:12, Dolecek, Martin wrote: > Hi, > > glibc has a bug (CVE-2015-7547). Now we have an exploit, so can LTS team > prepare fix? > > https://googleonlinesecurity.blogspot.ch/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html I believe this was done already:

Re: [PATCH] Given a package allow to check in which releases security support has ended

2016-02-17 Thread Antoine Beaupré
On 2016-02-17 12:13:35, Guido Günther wrote: > When triaging LTS issues I always have to look up what we still support > and what not. Attached script simplifies this a bit: > > $ bin/support-ended.py --lists /path/to/debian-security-support/ iceape > Package unsupported in wheezy >

Re: [PATCH] Given a package allow to check in which releases security support has ended

2016-02-18 Thread Antoine Beaupré
On 2016-02-18 02:26:28, Guido Günther wrote: > Hi, > On Wed, Feb 17, 2016 at 01:39:41PM -0500, Antoine Beaupré wrote: >> On 2016-02-17 12:13:35, Guido Günther wrote: >> > When triaging LTS issues I always have to look up what we still support >> > and what n

Re: squeeze update of chrony?

2016-02-12 Thread Antoine Beaupré
On 2016-02-11 15:37:27, Vincent Blut wrote: > On Thu, Feb 11, 2016 at 02:02:52PM -0500, Antoine Beaupré wrote: >>On 2016-02-10 17:33:37, Vincent Blut wrote: >>> Ok, it’s done. Please could you review and eventually upload if >>> everything is good for you? Not

[SECURITY] [DLA 414-1] chrony security update

2016-02-12 Thread Antoine Beaupré
Package: chrony Version: 1.24-3+squeeze3 CVE ID : CVE-2016-1567 Debian Bug : 812923 chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation

Re: Archive of squeeze-lts ?

2016-03-28 Thread Antoine Beaupré
On 2016-03-27 15:01:01, Matus UHLAR - fantomas wrote: >>On Thu, 24 Mar 2016, Luke Hall wrote: >>> I'm seeing this when trying to fetch lts packages from >>> archive.debian.org at the moment. Anyone know a good contact for them? >>> >>> E: Release file expired, ignoring >>>

Re: Xen security updates on Wheezy

2016-04-07 Thread Antoine Beaupré
On 2016-03-26 01:36:43, Brian May wrote: > Antoine Beaupré <anar...@orangeseeds.org> writes: > >> They seem to hold, although I have yet to test them in production. One >> thing I noticed is that they don't seem to fix CVE-2015-8104 and >> CVE-2015-5307, i

Re: nss security wheezy updates ready for testing

2016-04-07 Thread Antoine Beaupré
On 2016-03-31 10:12:04, Guido Günther wrote: > On Tue, Mar 29, 2016 at 04:28:36PM -0400, Antoine Beaupré wrote: >> On 2016-03-26 04:33:29, Guido Günther wrote: >> > Until that it might make sense to add >> > >> > >>

Updated: nss security wheezy updates ready for testing

2016-04-07 Thread Antoine Beaupré
On 2016-04-07 16:44:07, Antoine Beaupré wrote: >> The patches by themselves look good to me. > > Alright, I'll rebuild with the tests/ directory, we'll see how that > goes. :) I rebuilt the packages with the tests/ directory: https://people.debian.org/~anarcat/debian/wheezy-lt

Re: working for wheezy-security until wheezy-lts starts

2016-03-24 Thread Antoine Beaupré
On 2016-03-21 19:16:24, Brian May wrote: > Brian May writes: > >>> Wonder how many of the CVEs the Ubuntu version fixes. >> >> Will have a look at this now. > > Comparing the changelog with our security tracker (by hand; not sure if > anybody has written a tool to automate this,

Re: Archive of squeeze-lts ?

2016-03-24 Thread Antoine Beaupré
On 2016-03-24 13:59:34, Johnathon Tinsley wrote: >>> >>> I'm seeing this when trying to fetch lts packages from >>> archive.debian.org at the moment. Anyone know a good contact for them? >>> >>> E: Release file expired, ignoring >>> http://archive.debian.org/debian/dists/squeeze-lts/Release

Re: tracking security issues without CVEs

2016-03-22 Thread Antoine Beaupré
On 2016-03-13 08:53:38, Paul Wise wrote: > On Sat, Mar 12, 2016 at 10:51 PM, Kurt Roeckx wrote: >> On Sun, Mar 06, 2016 at 03:33:16PM +1100, Brian May wrote: >>> For example, if there are no CVEs are we able to use OVEs instead? >> >> What about DWF? > > That didn't exist at the time of Brian's

nss security wheezy updates ready for testing

2016-03-29 Thread Antoine Beaupré
On 2016-03-26 04:33:29, Guido Günther wrote: > Thanks for reviewing this! I was about to look into more recent nss > issues after handling dhcpcd but since you're at it, go ahead! > > Note that we still have CVE-2015-4000 which would most easily be fixed > by having the same nss in all suites but

Re: Supporting armel/armhf in wheezy-lts

2016-04-25 Thread Antoine Beaupré
On 2016-04-25 09:27:34, Raphael Hertzog wrote: > - I don't think that the bounty model gives the correct incentive for > the security work, and you would have a hard time covering the hard > packages... I think this is a critical part of it. Bounties are fine and fun if you want to scratch an

staging security updates

2016-04-28 Thread Antoine Beaupré
On 2016-04-28 02:54:36, Brian May wrote: > - Created private signed repository for staging my proposed updates for > testing. https://people.debian.org/~bam/debian/ So I've been thinking about this as well, and this seems to be a resource we all need and should figure out a way to implement in

Re: libidn test packages [resent]

2016-04-22 Thread Antoine Beaupré
On 2016-04-16 18:46:50, Alessandro Ghedini wrote: > On Tue, Apr 12, 2016 at 03:20:04PM -0400, Antoine Beaupré wrote: >> (Fixed list address, sorry for the duplicate.) >> >> Hi, >> >> I have looked at porting the security fixes on the libidn package from >&

Re: mediawiki support in wheezy-LTS

2016-05-20 Thread Antoine Beaupré
On 2016-05-20 05:32:08, Moritz Muehlenhoff wrote: > On Fri, May 20, 2016 at 11:11:53AM +0200, Thorsten Glaser wrote: >> On Tue, 17 May 2016, Antoine Beaupré wrote: >> >> > >> Actually, before we do that: did we actually agree that we would not >> > >

Re: Wheezy update of sogo?

2016-05-18 Thread Antoine Beaupré
On 2016-05-18 15:43:32, Markus Koschany wrote: > Am 18.05.2016 um 21:01 schrieb Jeroen Dekkers: >> Hi Markus, >> >> Sorry for the late reply. This bug also isn't fixed in jessie, the >> reason for this is that upstream isn't going to fix this for SOGo 2 >> and earlier. The security bug is about

[SECURITY] [DLA 480-1] nss security update

2016-05-18 Thread Antoine Beaupré
Package: nss Version: 3.14.5-1+deb7u6 CVE ID : CVE-2015-7181 CVE-2015-7182 CVE-2016-1938 CVE-2016-1950 CVE-2016-1978 CVE-2016-1979 This security update fixes serious security issues in NSS including arbitrary code execution and remote denial of service

[SECURITY] [DLA 481-1] phpmyadmin security update

2016-05-18 Thread Antoine Beaupré
Package: phpmyadmin Version: 4:3.4.11.1-2+deb7u3 CVE ID : CVE-2016-1927 CVE-2016-2038 CVE-2016-2039 CVE-2016-2040 CVE-2016-2041 CVE-2016-2045 CVE-2016-2560 This security update fixes a number of security issues in phpMyAdmin. We recommend you upgrade your

Re: Bug#821811: samba: badlock patch breaks trust relationship

2016-05-18 Thread Antoine Beaupré
On 2016-04-29 08:55:43, Santiago Ruano Rincón wrote: > Dear Samba maintainers, > > Any updates about this bug? > > LTS Team, anyone could help to handle it? > > According to comment#17 in > https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1572122 > Andreas Schneider prepared a fix for 3.6.25.

NSS and logjam in wheezy (CVE-2015-4000)

2016-05-18 Thread Antoine Beaupré
On 2016-03-29 16:28:36, Antoine Beaupré wrote: > On 2016-03-26 04:33:29, Guido Günther wrote: >> Thanks for reviewing this! I was about to look into more recent nss >> issues after handling dhcpcd but since you're at it, go ahead! >> >> Note that we still have CVE-2015-4

Re: [pkg-ntp-maintainers] squeeze update of ntp?

2016-05-18 Thread Antoine Beaupré
On 2016-05-18 13:56:37, Kurt Roeckx wrote: > There are 22 open, some of which are marked as non-important. Of > the new ones some should probably also be marked as such. I did so with CVE-2015-8158 as it affects only ntpq under very specific conditions and the impact is minor (it hangs). > I've

Re: Xen 4.1.6.1 backport + Ubuntu patches ready for testing (take 3)

2016-05-09 Thread Antoine Beaupré
On 2016-05-04 17:09:39, Antoine Beaupré wrote: > Hi, > > TL;DR: debdiff below, features only changes to debian/changelog and > debian/patches (apart from the upstream upgrade of course). Binary > packages in: Obviously, something *had* to come up here to make this incomple

Re: libidn test packages [resent]

2016-05-12 Thread Antoine Beaupré
On 2016-05-09 03:28:50, Brian May wrote: > Added CC Debian Libidn Team > > I now have fixed the libidn packages initially produced by > Alessandro Ghedini and destined for wheezy-security and jessie-security. > They now build fine. > > In particular, for the Jessie

Re: Unsupported packages for Wheezy LTS

2016-05-12 Thread Antoine Beaupré
On 2016-05-12 10:00:24, Guido Günther wrote: >> qemu and qemu-kvm were triaged as unsupported for CVE-2016-3712, but I >> think Guido is studying how to support virtualisation related packages, >> and maybe we should wait for his evaluation. > > I had zero feedback on supporting qemu so I'd

Re: Unsupported packages for Wheezy LTS

2016-05-12 Thread Antoine Beaupré
On 2016-05-12 10:14:26, Moritz Muehlenhoff wrote: > On Thu, May 12, 2016 at 10:07:17AM -0400, Antoine Beaupré wrote: >> On 2016-05-12 10:00:24, Guido Günther wrote: >> >> qemu and qemu-kvm were triaged as unsupported for CVE-2016-3712, but I >> >> think

Re: icu package and debdiff [new contributor, first attempt]

2016-05-12 Thread Antoine Beaupré
On 2016-05-12 15:07:19, Roberto C. Sánchez wrote: > Hi Antoine, > > On Mon, May 09, 2016 at 05:09:30PM +0200, Markus Koschany wrote: >> Hello Roberto, welcome on board! >> >> Am 08.05.2016 um 05:34 schrieb Roberto C. Sánchez: >> >> > I pulled the patch for CVE-2015-4844 from the upstream jdk8u

Re: testing asterisk for Wheezy LTS

2016-05-17 Thread Antoine Beaupré
On 2016-04-24 13:56:06, Thorsten Alteholz wrote: > Hi everybody, > > I uploaded version 1.8.13.1~dfsg1-3+deb7u4 of asterisk to: > https://people.debian.org/~alteholz/packages/wheezy-lts/asterisk/amd64/ > https://people.debian.org/~alteholz/packages/wheezy-lts/asterisk/i386/ > > Please give it

Re: Updated: nss security wheezy updates ready for testing

2016-05-17 Thread Antoine Beaupré
On 2016-05-16 12:39:44, Guido Günther wrote: > Hi Antoine, > On Thu, Apr 07, 2016 at 05:18:21PM -0400, Antoine Beaupré wrote: >> On 2016-04-07 16:44:07, Antoine Beaupré wrote: >> >> The patches by themselves look good to me. >> > >> > Alright, I'll rebuil

mediawiki support in wheezy-LTS

2016-05-17 Thread Antoine Beaupré
[should have changed that topic earlier!] On 2016-05-17 11:31:06, Markus Koschany wrote: > Am 17.05.2016 um 16:49 schrieb Antoine Beaupré: >> On 2016-05-17 07:42:52, Santiago Ruano Rincón wrote: >>> Thanks for triaging this. But, don't forget to update >>> https://ano

Re: [Secure-testing-commits] r41743 - data/CVE

2016-05-17 Thread Antoine Beaupré
On 2016-05-17 07:42:52, Santiago Ruano Rincón wrote: > Thanks for triaging this. But, don't forget to update > https://anonscm.debian.org/cgit/collab-maint/debian-security-support.git/tree/security-support-ended.deb7 > when needed. Actually, before we do that: did we actually agree that we would

Re: libidn test packages [resent]

2016-05-17 Thread Antoine Beaupré
Reducing CCs. On 2016-05-14 04:19:50, Brian May wrote: > Antoine Beaupré <anar...@debian.org> writes: > >> I reviewed the patch quickly, nothing strikes me as completely wrong, >> but I am not currently in a position to test the patchset. > > Unless there are any o

Re: Xen 4.1.6.1 backport + Ubuntu patches ready for testing (take 3)

2016-05-17 Thread Antoine Beaupré
On 2016-05-16 19:13:28, Brian May wrote: > Brian May writes: > >> Any objections by anybody if I upload Antoine Beaupré's packages to >> Debian, this Monday morning at Melbourne timezone? > > Done. > > Next step, the DLA. I went through the changelog and removed entries that > are

Re: libidn test packages [resent]

2016-05-17 Thread Antoine Beaupré
On 2016-05-17 11:24:29, Markus Koschany wrote: > Am 17.05.2016 um 16:59 schrieb Antoine Beaupré: >> Reducing CCs. >> >> On 2016-05-14 04:19:50, Brian May wrote: >>> Antoine Beaupré <anar...@debian.org> writes: >>> >>>> I reviewed

Re: testing asterisk for Wheezy LTS

2016-05-17 Thread Antoine Beaupré
On 2016-05-17 14:01:24, Thorsten Alteholz wrote: > Hi Antoine, > > On Tue, 17 May 2016, Antoine Beaupré wrote: >> Both are what seem to be serious enough DOS attacks, and are not marked >> no-dsa or anything. You are still assigned the package in dla-needed.txt >>

Re: Call for tests: Making OpenJDK 7 the default in Wheezy LTS

2016-05-17 Thread Antoine Beaupré
On 2016-05-17 12:31:27, Markus Koschany wrote: > [dropping Rene from CC because he is subscribed to debian-java] > > Am 17.05.2016 um 17:56 schrieb Antoine Beaupré: >> On 2016-04-25 06:34:53, Markus Koschany wrote: > [...] >>> We don't intend to remove OpenJDK 6 but

Re: No DLA for xen, librsvg, libidn?

2016-05-17 Thread Antoine Beaupré
On 2016-05-17 13:42:47, Salvatore Bonaccorso wrote: > Hi LTS team, > > If I do not miss something, there were updates for src:xen, > src:libidn, and src:librsvg via security.d.o but without DLA. The last > two with entries in the DLA/list file already. Could you please send > those? It might

Re: Unsupported packages for Wheezy LTS

2016-05-13 Thread Antoine Beaupré
On 2016-05-13 06:30:35, Moritz Muehlenhoff wrote: > On Fri, May 13, 2016 at 12:21:13PM +0200, Raphael Hertzog wrote: >> On Fri, 13 May 2016, Moritz Muehlenhoff wrote: >> > > I'm not convinced that >> > > supporting the current Wheezy versions of QEMU for two more years is of >> > > much use (in

Re: No DLA for xen, librsvg, libidn?

2016-05-18 Thread Antoine Beaupré
On 2016-05-18 03:45:57, Raphael Hertzog wrote: > On Tue, 17 May 2016, Antoine Beaupré wrote: >> It would be great to have better consistency here. > > Yes, just like we ensure that we get an Accepted mail before sending the > DLA, we must make sure that the DLA has gone t

Re: No DLA for xen, librsvg, libidn?

2016-05-18 Thread Antoine Beaupré
On 2016-05-18 00:12:41, Salvatore Bonaccorso wrote: > Hi Brian, hi Antoine, > > On Wed, May 18, 2016 at 11:36:21AM +1000, Brian May wrote: >> Brian May writes: >> >> > However I don't see them in the archives. I can try resending... >> >> I resent the DLAs. I suspect I might

Re: Draft for bits.debian.org regarding armel and armhf support

2016-05-18 Thread Antoine Beaupré
On 2016-05-18 06:33:57, Raphael Hertzog wrote: > On Wed, 18 May 2016, Holger Levsen wrote: >> I just wondered whether we should also include the info that openjdk6 >> will very soon be deprecated and users should update to openjdk7? As >> evident from this list, even LTS contributors missed this

Re: imagemagick

2016-05-18 Thread Antoine Beaupré
On 2016-05-17 21:50:22, Brian May wrote: > Hello, > > I have backported the patches for imagemagick in Jessie to Wheezy. > > As attached. I think most of this is straightforward however not 100% > certain of the 0079-Indirect-filename-must-be-authorized-by-policy.patch > patch. > > In particular,

Re: Wheezy update of roundcube?

2016-05-03 Thread Antoine Beaupré
On 2016-05-02 15:31:39, Guilhem Moulin wrote: > Hi there, > > On Mon, 02 May 2016 at 21:19:13 +0200, Markus Koschany wrote: >> Would you like to take care of this yourself? > > Not replying in the name of team (however I'm the one who pushed for > Roundcube in jessie-backports and who is trying to

Re: testing asterisk for Wheezy LTS

2016-05-03 Thread Antoine Beaupré
On 2016-05-02 18:58:23, Gabriel Filion wrote: > Oops, I forgot to mention that I am not subscribed to the mailing list. > So please include me in CC for replies. > >> thanks a lot for testing the package, I really appreciate it. >> >> On Thu, 28 Apr 2016, Gabriel Filion wrote: >> >>> >

Re: xen debdiff

2016-05-03 Thread Antoine Beaupré
On 2016-05-03 04:07:08, Brian May wrote: > Hello, > > Raphael Hertzog asked me to post the debdiff of the Ubuntu package I am > working on here. > > He had some concerns with using the Ubuntu version like this. In > particular Ubuntu does some things differently with respect to init.d > scripts,

Xen 4.1.6.1 backport + Ubuntu patches ready for testing (take 3)

2016-05-04 Thread Antoine Beaupré
Hi, TL;DR: debdiff below, features only changes to debian/changelog and debian/patches (apart from the upstream upgrade of course). Binary packages in: https://people.debian.org/~anarcat/debian/wheezy-lts/ Long story follows... So I *believe* I have correctly completed the backport of

Re: Xen updates for wheezy ready for testing

2016-04-20 Thread Antoine Beaupré
On 2016-04-20 01:00:32, Brian May wrote: > Antoine Beaupré <anar...@orangeseeds.org> writes: > >> Heads up! The Xen packages prepared by Brian May have passed preliminary >> testing and are ready for wider testing on Wheezy! See: >> >> https://people.d

Re: LTS Frontdesk duties

2016-04-21 Thread Antoine Beaupré
On 2016-04-21 04:48:26, Raphael Hertzog wrote: > Hi, > > On Thu, 21 Apr 2016, Santiago Ruano Rincón wrote: >> We need to schedule the next cycles of Frontdesk duties. I don't know if >> Raphaël want to do it (with his Freexian's hat on?), but we could also >> take the slots by ourselves. I am up

Re: Tools for testing LTS updates

2017-01-31 Thread Antoine Beaupré
On 2017-01-24 08:37:05, Guido Günther wrote: > I'm using a qemu VM bootstrapped via > > > http://honk.sigxcpu.org/con/Preseeding_Debian_virtual_machines_with_virt_install.html > > Note that there's also autopkgtest-virt-qemu but since it doesn't use > libvirt I'd have to handle it differently

Re: [PATCH] lts-cve-triage: Allow to ignore unsupported packages

2017-02-04 Thread Antoine Beaupré
On 2017-02-04 13:19:12, Guido Günther wrote: > This avoids listing packages with limited support which clobber the output. that's great! > Do we want to enable this by default? Yes, for sure. A. -- The destiny of Earthseed is to take root among the stars. - Octavia

Re: graphicsmagick update

2017-01-31 Thread Antoine Beaupré
On 2017-01-31 21:42:41, Emilio Pozuelo Monfort wrote: > I'd say it makes sense to release a regression update. > > BTW I'm not sure about this change, which is not mentioned in your changelog > entry: > > --- graphicsmagick-1.3.16/debian/rules 2016-09-20 23:52:26.0 +0200 > +++

Re: Tools for testing LTS updates

2017-01-23 Thread Antoine Beaupré
On 2017-01-23 18:41:25, Bálint Réczey wrote: [ratt: cool! though i am not sure when i should use that...?] > The other tool I would love to use for LTS work is a private > https://ci.debian.net/ installation for running autopkgtests or > reverse dependencies. > > To make it happen I'm thinking

Re: Tools for testing LTS updates

2017-01-23 Thread Antoine Beaupré
On 2017-01-23 20:46:28, Guido Günther wrote: > On Mon, Jan 23, 2017 at 07:22:30PM +, Holger Levsen wrote: >> On Mon, Jan 23, 2017 at 02:01:41PM -0500, Antoine Beaupré wrote: >> > regarding ci... i am not sure how useful that would be for me. right >> > now, i just

Re: testing and review requested for Wheezy update of apache2

2017-01-23 Thread Antoine Beaupré
On 2017-01-22 11:25:08, Stefan Fritsch wrote: > On Thursday, 19 January 2017 20:47:15 CET Stefan Fritsch wrote: >> On Tuesday, 17 January 2017 11:59:17 CET Antoine Beaupré wrote: >> > I would need people to start testing the package at this point, not >> > necessarily in

Re: testing and review requested for Wheezy update of apache2

2017-01-23 Thread Antoine Beaupré
On 2017-01-22 11:25:08, Stefan Fritsch wrote: > Test Summary Report > --- > t/apache/chunkinput.t (Wstat: 0 Tests: 37 Failed: 1) >Failed test: 3 > t/apache/contentlength.t (Wstat: 0 Tests: 24 Failed: 8) >Failed tests: 2, 4, 14, 16, 18, 20, 22, 24

[SECURITY] [DLA 795-1] tiff security update

2017-01-23 Thread Antoine Beaupré
Package: tiff Version: 4.0.2-6+deb7u9 CVE ID : CVE-2016-3622 CVE-2016-3623 CVE-2016-3624 CVE-2016-3945 CVE-2016-3990 CVE-2016-9533 CVE-2016-9534 CVE-2016-9535 CVE-2016-9536 CVE-2016-9537 CVE-2016-9538 CVE-2016-9540

Re: testing and review requested for Wheezy update of apache2

2017-01-23 Thread Antoine Beaupré
On 2017-01-23 15:14:30, Antoine Beaupré wrote: > On 2017-01-22 11:25:08, Stefan Fritsch wrote: >> Test Summary Report >> --- >> t/apache/chunkinput.t (Wstat: 0 Tests: 37 Failed: 1) >>Failed test: 3 >> t/apache/contentlength.t

Accepted tiff 4.0.2-6+deb7u9 (source all amd64) into oldstable

2017-01-23 Thread Antoine Beaupré
Urgency: high Maintainer: Ondřej Surý <ond...@debian.org> Changed-By: Antoine Beaupré <anar...@debian.org> Description: libtiff-doc - TIFF manipulation and conversion documentation libtiff-opengl - TIFF manipulation and conversion tools libtiff-tools - TIFF manipulation and conv

Re: Wheezy update of calibre?

2017-01-28 Thread Antoine Beaupré
Just for the record: before packaging this update, we will need to investigate the issue much further. In particular, it seems likely that there are more undocumented but public security issues in Calibre. See for example bug #853004: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853004 But

Re: testing and review requested for Wheezy update of apache2

2017-02-20 Thread Antoine Beaupré
"GET / HTTP/1.0\n\n" | nc localhost 80 HTTP/1.1 400 Bad Request # printf "GET / HTTP/1.0\r\nFoo: b\0ar\r\n\r\n" | nc localhost 80 HTTP/1.1 400 Bad Request # printf "GET / HTTP/1.0\0\r\n\r\n" | nc localhost 80 HTTP/1.1 400 Bad Request This all looks goo

postponing php5 issue

2017-02-20 Thread Antoine Beaupré
It seems a bit too much to do a DLA for a single issue in the php5 package (CVE-2016-7478, namely): https://security-tracker.debian.org/tracker/source-package/php5 I looked at the issue and the patch is easily ported, but i suggest we postpone this DLA until we have piled up more important

Re: postponing php5 issue

2017-02-22 Thread Antoine Beaupré
On 2017-02-21 21:57:23, Emilio Pozuelo Monfort wrote: > On 20/02/17 23:19, Antoine Beaupré wrote: >> It seems a bit too much to do a DLA for a single issue in the php5 >> package (CVE-2016-7478, namely): >> >> https://security-tracker.debian.org/tracker/source-p

testing and review requested for Wheezy update of apache2

2017-01-17 Thread Antoine Beaupré
corresponding to RFC7230 for request lines +and request headers, to prevent response splitting and cache pollution by +malicious clients or downstream proxies. + * The stricter HTTP enforcement may cause compatibility problems with +non-conforming clients. Fine-tuning is possible with the new +

graphicsmagick update

2017-01-16 Thread Antoine Beaupré
y Team. + * Properly fix CVE-2016-5240. Previous patch caused a segfault instead +of fixing the Denial of Service. + + -- Antoine Beaupré <anar...@debian.org> Mon, 16 Jan 2017 14:35:02 -0500 + graphicsmagick (1.3.16-1.1+deb7u5) wheezy-security; urgency=high * Non-maintainer upload by

tiff wheezy security update ready for testing

2017-01-19 Thread Antoine Beaupré
7-5225: LibTIFF version 4.0.7 is vulnerable to a heap buffer +overflow in the tools/tiffcp resulting in DoS or code execution via +a crafted BitsPerSample value. + * heap-based buffer overflow in TIFFFillStrip (tif_read.c) (Closes: +846837) + + -- Antoine Beaupré <anar...@debia

Re: testing and review requested for Wheezy update of apache2

2017-02-28 Thread Antoine Beaupré
On 2017-02-23 19:14:59, Jonas Meurer wrote: > Am 23.02.2017 um 11:59 schrieb Guido Günther: >> On Wed, Feb 22, 2017 at 06:54:46PM +0100, Jonas Meurer wrote: >>> Am 22.02.2017 um 18:46 schrieb Guido Günther: Hi Jonas, On Wed, Feb 22, 2017 at 05:28:46PM +0100, Jonas Meurer wrote: >

[SECURITY] [DLA 841-1] apache2 security update

2017-02-28 Thread Antoine Beaupré
Package: apache2 Version: 2.2.22-13+deb7u8 CVE ID : CVE-2016-8743 This upload fixes a security vulnerability in the header parsing code. David Dennerline, of IBM Security's X-Force Researchers, and Régis Leroy discovered problems in the way Apache handled a broad pattern

Re: Wheezy update of inspircd?

2016-09-06 Thread Antoine Beaupré
I am a bit surprised to see this - are ircd packages sponsored now? There's a similar issue in Charybdis and I deliberately marked it as unsupported in LTS because, AFAIK, no customer expressed the need to support those yet. I'd be glad to see if we can update charybdis in Wheezy as well, but to

Re: Questions regarding MySQL update

2016-09-14 Thread Antoine Beaupré
On 2016-09-13 22:50:29, Roberto C. Sánchez wrote: > [ Unknown signature status ] > On Tue, Sep 13, 2016 at 12:21:21PM +0200, Markus Koschany wrote: >> >> I suggest to package the latest Oracle release 5.5.52 that addresses the >> vulnerability. I'm not sure if we should wait until more details

Re: mysql-5.5 CVE-2016-6662

2016-09-12 Thread Antoine Beaupré
On 2016-09-12 18:34:34, Brian May wrote: > Hello, > > I had a look at CVE-2016-6662. Looks pretty simple to understand. Looks > like the ability for mysqld to create arbitrary log files - that may > overwrite/create config files with write permissions for the mysql user > - is a key factor. > >

Re: version number when packaging a new upstream release

2016-10-03 Thread Antoine Beaupré
On 2016-10-03 12:33:24, Roberto C. Sánchez wrote: > On Mon, Oct 03, 2016 at 06:29:28PM +0200, Hugo Lefeuvre wrote: >> Hi, >> >> I've packaged the 0.8.18 release of libav for wheezy-security. The >> version number was previously 6:0.8.17-2+deb7u2. Could anybody confirm >> to me that the new version

tre package ready for testing

2016-10-26 Thread Antoine Beaupré
Hi Santiago (and others), I have prepared a wheezy LTS security upload for tre here: https://people.debian.org/~anarcat/debian/wheezy-lts/ The debdiff is attached to this message. I have also sent the ported patch to the following bug report:
