[SECURITY] [DLA 514-1] libxslt security update

2016-06-12 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Package: libxslt Version: 1.1.26-14.1+deb7u1 CVE ID : CVE-2015-7995 CVE-2016-1683 CVE-2016-1684 Several vulnerabilities were found in libxslt. CVE-2015-7995 A missing type check could cause an application crash via a

[SECURITY] [DLA 527-1] nss security update

2016-06-25 Thread Emilio Pozuelo Monfort
Package: nss Version: 2:3.14.5-1+deb7u8 CVE ID : CVE-2016-2834 Four moderate rated networking security issues were found in NSS. For Debian 7 "Wheezy", these problems have been fixed in version 2:3.14.5-1+deb7u8. We

Re: cacti LTS

2016-06-25 Thread Emilio Pozuelo Monfort
-2016-3172: Fix sql injection in tree.php. +debian/patches/CVE-2016-3659-sql-injection.patch ++ CVE-2016-3659: Fix sql injection in graph_view.php. + + -- Emilio Pozuelo Monfort <po...@debian.org> Sat, 25 Jun 2016 21:57:43 +0200 + cacti (0.8.8a+dfsg-5+deb7u8) wheezy-security; urgency

Re: claiming tiff

2016-06-26 Thread Emilio Pozuelo Monfort
On 26/06/16 02:19, Bálint Réczey wrote: > Hi, > > There are newly discovered vulnerabilities in tiff [1]. > > If no one objects I plan looking into them and working with the > maintainer(s) to get them fixed in Wheezy LTS and in newer > releases. I looked at this yesterday. These CVEs aren't

Re: cacti LTS

2016-06-26 Thread Emilio Pozuelo Monfort
On 26/06/16 09:23, Paul Gevers wrote: > Hi Emilio > > On 25-06-16 22:03, Emilio Pozuelo Monfort wrote: >>> Just in case somebody starts working on it, I'd like to review proposed >>> uploads of cacti to LTS. CVE-2016-2313 was initially wrongly fixed (a >>>

Re: claiming tiff

2016-06-26 Thread Emilio Pozuelo Monfort
On 26/06/16 16:10, Bálint Réczey wrote: > Added that information in dla-needed.txt. Thanks. I added links to each cve in data/CVE/list but forgot to add a note to dla-needed. > In that case I don't claim them yet. Let's see how upstream responds. OK. Cheers, Emilio

Accepted cacti 0.8.8a+dfsg-5+deb7u9 (source all) into oldstable

2016-07-25 Thread Emilio Pozuelo Monfort
org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: cacti - web interface for graphing of monitoring systems Changes: cacti (0.8.8a+dfsg-5+deb7u9) wheezy-security; urgency=medium . * Non-maintainer upload. * debian/patches/CVE-2016-3172-sql-injection.patch

[SECURITY] [DLA 560-1] cacti security update

2016-07-25 Thread Emilio Pozuelo Monfort
Package: cacti Version: 0.8.8a+dfsg-5+deb7u9 CVE ID : CVE-2016-2313 CVE-2016-3172 CVE-2016-3659 Three security issues have been found in cacti: CVE-2016-2313 auth_login.php allows remote authenticated users who use

Accepted tardiff 0.1-1+deb7u1 (source all) into oldstable

2016-07-27 Thread Emilio Pozuelo Monfort
Format: 1.8 Date: Mon, 25 Jul 2016 23:29:13 +0200 Source: tardiff Binary: tardiff Architecture: source all Version: 0.1-1+deb7u1 Distribution: wheezy-security Urgency: medium Maintainer: Axel Beckert <a...@debian.org> Changed-By: Emilio P

Re: Coordinating uploads with identical tarballs

2016-08-01 Thread Emilio Pozuelo Monfort
On 01/08/16 21:29, Moritz Mühlenhoff wrote: > Hi, > when making uploads with an identical tarball in lts and stable-security > you really need to coordinate with t...@security.debian.org! Due to dak's > crappy orig tarball handling only one of the uploads can be made with the > tarball included and if

Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling

2016-08-02 Thread Emilio Pozuelo Monfort
On 02/08/16 23:57, Ola Lundqvist wrote: > Hi Chris > > The reason I do not simply set the umask to a fixed value is to use the same > principle as upstream. That is honor the umask set by the user. There may be > reasons why group read and/or write should be set for example. > > I agree with
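Added example, not code from mongodb, from the Debian package or from anyone in this thread: the three ways of creating a shell-history file such as .dbshell that the discussion above is choosing between, in C. The pattern that leaves the file world-readable, a fixed 0600 request, and the umask-honouring variant Ola describes are shown side by side. The demo path under /tmp is this example's own assumption; mongodb's actual fix is not shown on this page.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Mode bits to request for a history file: owner read/write only. */
#define HISTORY_MODE (S_IRUSR | S_IWUSR)

/* The pattern that yields a world-readable history file: fopen(3) creates
 * the file with 0666 & ~umask, so with the common umask of 022 the result
 * is 0644 and every local user can read the command history. */
FILE *open_history_unsafe(const char *path)
{
    return fopen(path, "w");
}

/* Fixed-mode fix: request 0600 explicitly. open(2) still applies the
 * umask, so a stricter umask wins, but a permissive one can never widen
 * access beyond the owner. */
int open_history_private(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, HISTORY_MODE);
}

/* Umask-honouring variant (the principle discussed in the thread): keep
 * whatever the user's umask allows for owner and group, so deliberately
 * granted group read/write survives, but always deny "other" while the
 * file is created, then restore the caller's umask. */
FILE *open_history_honor_umask(const char *path)
{
    mode_t old = umask(S_IRWXO);    /* returns the caller's umask */
    umask(old | S_IRWXO);           /* caller's umask plus no access for others */
    FILE *fp = fopen(path, "w");
    umask(old);                     /* restore even if fopen failed */
    return fp;
}

/* Permission bits of an existing file, or -1 on error. */
int history_mode_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* 1 if users outside the owner and group can read the file, else 0. */
int history_world_readable(const char *path)
{
    int mode = history_mode_bits(path);
    return mode >= 0 && (mode & S_IROTH) != 0;
}

int main(void)
{
    /* Demo path, constructed for this example. */
    const char *path = "/tmp/dbshell-perm-demo";
    umask(022);

    FILE *fp = open_history_unsafe(path);
    if (fp) fclose(fp);
    printf("fopen(\"w\"):    %04o world-readable=%d\n",
           history_mode_bits(path), history_world_readable(path));
    unlink(path);

    int fd = open_history_private(path);
    if (fd >= 0) close(fd);
    printf("open(0600):    %04o world-readable=%d\n",
           history_mode_bits(path), history_world_readable(path));
    unlink(path);

    fp = open_history_honor_umask(path);
    if (fp) fclose(fp);
    printf("honour umask:  %04o world-readable=%d\n",
           history_mode_bits(path), history_world_readable(path));
    unlink(path);
    return 0;
}
```

The umask-honouring variant is the one that keeps a user's deliberate umask 002 (group-writable history) while still guaranteeing the file is never readable by others. Note that the 0600 request does not bypass the umask either; it only caps what a permissive umask can grant. Neither variant changes the mode of a history file that already exists, so an upgrade still has to fix up files created before the change.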

Re: Icedtea plugin

2016-08-01 Thread Emilio Pozuelo Monfort
On 31/07/16 19:41, Roberto C. Sánchez wrote: > On Sun, Jul 31, 2016 at 07:34:28PM +0200, Emilio Pozuelo Monfort wrote: >> Hi, >> >> Currently, icedtea-plugin depends on icedtea-6-plugin, i.e. Java6. Given >> openjdk-6 is unsupported, we should change it to depend on

Re: Wheezy update of gdk-pixbuf?

2016-07-15 Thread Emilio Pozuelo Monfort
Hi, On 15/07/16 00:26, b...@decadent.org.uk wrote: > Hello dear maintainer(s), > > the Debian LTS team would like to fix the security issues which are > currently open in the Wheezy version of gdk-pixbuf: > https://security-tracker.debian.org/tracker/source-package/gdk-pixbuf > > Would you like

Re: Icedtea plugin

2016-08-05 Thread Emilio Pozuelo Monfort
On 02/08/16 19:48, Emilio Pozuelo Monfort wrote: > On 01/08/16 23:26, Markus Koschany wrote: >> On 01.08.2016 23:01, Emilio Pozuelo Monfort wrote: >>> On 31/07/16 19:41, Roberto C. Sánchez wrote: >>>> On Sun, Jul 31, 2016 at 07:34:28PM +0200, Emilio P

Re: Security update of firefox-esr for Wheezy

2016-08-05 Thread Emilio Pozuelo Monfort
On 04/08/16 23:02, Mike Hommey wrote: > On Thu, Aug 04, 2016 at 07:50:28PM +0200, Guido Günther wrote: >> Hi, >> On Thu, Aug 04, 2016 at 06:32:14PM +0900, Mike Hommey wrote: >>> On Thu, Aug 04, 2016 at 11:04:47AM +0200, Markus Koschany wrote: Hello Mike, Thank you for preparing the

Re: Icedtea plugin

2016-08-06 Thread Emilio Pozuelo Monfort
On 06/08/16 10:38, Markus Koschany wrote: > On 06.08.2016 10:18, Guido Günther wrote: >> Hi, >> On Fri, Aug 05, 2016 at 11:49:33PM +0200, Emilio Pozuelo Monfort wrote: >>> On 02/08/16 19:48, Emilio Pozuelo Monfort wrote: >>>> On 01/08/16 23:26, Markus Kosch

Accepted icedtea-web 1.4-3~deb7u3 (source all amd64) into oldstable

2016-08-05 Thread Emilio Pozuelo Monfort
: wheezy-security Urgency: medium Maintainer: OpenJDK Team <open...@lists.launchpad.net> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: icedtea-6-plugin - web browser plugin based on OpenJDK and IcedTea to execute Java a icedtea-7-plugin - web browser plugin base

[SECURITY] [DLA 587-1] fontconfig security update

2016-08-09 Thread Emilio Pozuelo Monfort
Package: fontconfig Version: 2.9.0-7.1+deb7u1 CVE ID : CVE-2016-5384 Debian Bug : 833570 A possible double free vulnerability was found in fontconfig. The problem was due to insufficient validation when parsing the

Re: Security update of firefox-esr for Wheezy

2016-08-07 Thread Emilio Pozuelo Monfort
On 07/08/16 22:17, Raphael Hertzog wrote: > On Sun, 07 Aug 2016, Guido Günther wrote: >> I too think it would be good to support Firefox & Icedove until Wheezy >> goes EOL. We could backport gcc 4.8 from Jessie with only C/C++ enabled. > > And obviously, we make no change to gcc-defaults. > >

Re: Redis not uploaded and timely security announcements

2016-08-02 Thread Emilio Pozuelo Monfort
On 02/08/16 19:16, Chris Lamb wrote: > Chris Lamb wrote: > >>> DLA-577-1 has been issued two days ago but redis hasn't been uploaded >>> yet. > [..] >> Could these checks be automated instead of relying on a diligent >> front-desk..?) > > I've pushed such a script as bin/lts-missing-uploads.py.

Re: Icedtea plugin

2016-08-02 Thread Emilio Pozuelo Monfort
On 01/08/16 23:26, Markus Koschany wrote: > On 01.08.2016 23:01, Emilio Pozuelo Monfort wrote: >> On 31/07/16 19:41, Roberto C. Sánchez wrote: >>> On Sun, Jul 31, 2016 at 07:34:28PM +0200, Emilio Pozuelo Monfort wrote: >>>> Hi, >>>> >>>> Curr

Re: CVE-2016-2313 fix wrong

2016-07-29 Thread Emilio Pozuelo Monfort
On 28/07/16 14:59, Matus UHLAR - fantomas wrote: >> On 28/07/16 13:35, Matus UHLAR - fantomas wrote: >>> i believe the fix for CVE-2016-2313 in >>> CVE-2016-2313-authentication-bypass.patch is invalid. > > On 28.07.16 14:26, Emilio Pozuelo Monfort wrote: >&

LTS report for July 2016

2016-08-03 Thread Emilio Pozuelo Monfort
This month I was allocated 14.70 hours to work on Debian-LTS. I spent 13h doing the following: - Pushed the update for cacti. Investigated regression, waiting for upstream to comment. - Prepared and uploaded update for tardiff - Investigated gdk-pixbuf vulnerability: wheezy not affected (jessie

LTS report for June 2016

2016-07-02 Thread Emilio Pozuelo Monfort
This month I was allocated 16 hours to work on Debian-LTS. I spent this time doing the following: - Prepared, tested and uploaded libxslt. - Prepared and tested an update for clamav. However the maintainer asked me to wait until a regression in the Jessie update can be addressed. - Prepared,

[SECURITY] [DLA 814-1] openssl security update

2017-02-01 Thread Emilio Pozuelo Monfort
Package: openssl Version: 1.0.1t-1+deb7u2 CVE ID : CVE-2016-7056 CVE-2016-8610 CVE-2017-3731 Several vulnerabilities were discovered in OpenSSL: CVE-2016-7056 A local timing attack was discovered against ECDSA P-256.

Re: openssl wheezy update

2017-02-01 Thread Emilio Pozuelo Monfort
On 01/02/17 00:29, Kurt Roeckx wrote: > On Tue, Jan 31, 2017 at 11:13:55PM +0100, Emilio Pozuelo Monfort wrote: >> Hi Kurt, >> >> I have prepared an update of openssl for wheezy based on 1.0.1t-1+deb8u6. I >> have >> done some smoke testing on it and it se

Accepted ntfs-3g 1:2012.1.15AR.5-2.1+deb7u3 (source amd64 all) into oldstable

2017-02-02 Thread Emilio Pozuelo Monfort
Maintainer: Daniel Baumann <daniel.baum...@progress-technologies.net> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: ntfs-3g - read/write NTFS driver for FUSE ntfs-3g-dbg - read/write NTFS driver for FUSE (debug) ntfs-3g-dev - read/write NTFS driver for FUSE (develo

Re: [Secure-testing-commits] r48631 - in data: . CVE

2017-02-01 Thread Emilio Pozuelo Monfort
On 01/02/17 00:42, Bálint Réczey wrote: > Hi Emilio, > > 2017-01-31 22:23 GMT+01:00 Bálint Réczey <bal...@balintreczey.hu>: >> Hi Emilio, >> >> 2017-01-31 22:14 GMT+01:00 Emilio Pozuelo Monfort <po...@debian.org>: >>> Hi Balint, >>

Accepted libplist 1.8-1+deb7u1 (source amd64 all) into oldstable

2017-01-31 Thread Emilio Pozuelo Monfort
: wheezy-security Urgency: medium Maintainer: gtkpod Maintainers <pkg-gtkpod-de...@lists.alioth.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: libplist++-dev - Library for handling Apple binary and XML property lists libplist++1 - Library for handling

[SECURITY] [DLA 811-1] libplist security update

2017-01-31 Thread Emilio Pozuelo Monfort
Package: libplist Version: 1.8-1+deb7u1 CVE ID : CVE-2017-5209 CVE-2017-5545 Debian Bug : 851196 852385 The following vulnerabilities have been fixed in libplist: CVE-2017-5209 Out of bounds read when parsing

Accepted ikiwiki 3.20120629.2+deb7u2 (source all) into oldstable

2017-01-31 Thread Emilio Pozuelo Monfort
, in particular t/git-cgi.t. (patch from Lafayette Chamber Singers Webmaster, backported from 3.20140916) . [ Emilio Pozuelo Monfort ] * Upload to wheezy-security. Checksums-Sha1: 3a9e3121597b333b76aee80d244f76475b7591b3 2095 ikiwiki_3.20120629.2+deb7u2.dsc 6b12392969ff8ea2f5a5f3

Re: Print undetermined issues in lts-cve-triage

2017-02-03 Thread Emilio Pozuelo Monfort
On 03/02/17 10:58, Guido Günther wrote: > Hi, > while looking at the recent changes in data/CVE/list I noticed a bunch > of gstreamer issues being added but not showing up in the output > produced by lts-cve-triage. Reason was that they're marked as > undetermined. The attached patch adds

[SECURITY] [DLA 812-1] ikiwiki security update

2017-01-31 Thread Emilio Pozuelo Monfort
Package: ikiwiki Version: 3.20120629.2+deb7u2 CVE ID : CVE-2016-9646 CVE-2016-10026 CVE-2017-0356 Several vulnerabilities have been found in ikiwiki, a wiki compiler: CVE-2016-9646 Commit metadata forgery

Re: [Secure-testing-commits] r48631 - in data: . CVE

2017-01-31 Thread Emilio Pozuelo Monfort
Hi Balint, On 31/01/17 21:46, Balint Reczey wrote: > Log: > wavpack's issues don't affect wheezy > > The first part of the upstream patch is not needed since the > code is very different and not vulnerable. > The second part applies, but does not make any difference when > trying the exploits.

Accepted openssl 1.0.1t-1+deb7u2 (source all amd64) into oldstable

2017-02-01 Thread Emilio Pozuelo Monfort
: medium Maintainer: Debian OpenSSL Team <pkg-openssl-de...@lists.alioth.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: libcrypto1.0.0-udeb - crypto shared library - udeb (udeb) libssl-dev - SSL development libraries, header files and documentation libs

Re: graphicsmagick update

2017-01-31 Thread Emilio Pozuelo Monfort
On 16/01/17 20:48, Antoine Beaupré wrote: > Hi, > > I've looked at updating the graphicsmagick (GM) update to fix the issues > outlined in a [recent discussion][1]. The fix to CVE-2016-5240.patch is > trivial. I can also confirm the current GM version in wheezy-security > segfaults with the POC.

LTS report for January

2017-01-31 Thread Emilio Pozuelo Monfort
Hi, This month I was allocated 12.75h (plus 2.5h carried from last month). I spent this time doing the following: - DLA 684-2: libx11 regression update - DLA 784-1: gcc-mozilla new package - DLA 800-1: firefox-esr security update - DLA 801-1: libxpm security update - DLA 802-1: openjdk-7

[SECURITY] [DLA 815-1] ntfs-3g security update

2017-02-02 Thread Emilio Pozuelo Monfort
Package: ntfs-3g Version: 1:2012.1.15AR.5-2.1+deb7u3 CVE ID : CVE-2017-0358 Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write NTFS driver for FUSE, does not scrub the environment before executing
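Added example, not ntfs-3g code and not taken from the advisory: the bug class named above, a privileged (setuid) program executing a helper while handing it the invoking user's whole environment, next to the fixed pattern that passes a fixed, minimal environment instead, in C. The helper run here (/bin/sh with a probe command), the variable name and the allowed PATH are constructed for the demo; which program NTFS-3G executes and which variable was abused are not stated on this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* The only environment a privileged helper should pass on. PATH is fixed
 * so the child cannot be pointed at an attacker-controlled directory, and
 * nothing from the invoking user's environment survives. The value is an
 * assumption for this example. */
static char *const SAFE_ENV[] = {
    "PATH=/usr/sbin:/usr/bin:/sbin:/bin",
    NULL,
};

/* Fork and run `path` with `argv`; `scrub` selects the environment.
 * Returns the child's exit status (0..255), or -1 on fork/wait failure
 * or abnormal termination. */
static int run_helper(const char *path, char *const argv[], int scrub)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (scrub)
            execve(path, argv, SAFE_ENV);   /* only SAFE_ENV reaches the child */
        else
            execv(path, argv);              /* inherits environ: the bug class */
        _exit(127);                         /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Vulnerable pattern: the helper sees everything the caller exported. */
int run_helper_inheriting_env(const char *path, char *const argv[])
{
    return run_helper(path, argv, 0);
}

/* Fixed pattern: the helper sees only SAFE_ENV. */
int run_helper_clean_env(const char *path, char *const argv[])
{
    return run_helper(path, argv, 1);
}

/* Self-check for an environment block: 1 only if every entry is exactly
 * one of the SAFE_ENV strings, else 0. */
int env_is_clean(char *const envp[])
{
    for (size_t i = 0; envp[i] != NULL; i++) {
        int allowed = 0;
        for (size_t j = 0; SAFE_ENV[j] != NULL; j++) {
            if (strcmp(envp[i], SAFE_ENV[j]) == 0) {
                allowed = 1;
                break;
            }
        }
        if (!allowed)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed demo: a variable the helper might honour, set by the
     * unprivileged caller before invoking the privileged program. */
    setenv("HELPER_DEMO_VAR", "injected", 1);
    char *const probe[] = { "sh", "-c", "test -z \"$HELPER_DEMO_VAR\"", NULL };

    printf("inheriting env: helper saw the variable? %s\n",
           run_helper_inheriting_env("/bin/sh", probe) == 0 ? "no" : "yes");
    printf("clean env:      helper saw the variable? %s\n",
           run_helper_clean_env("/bin/sh", probe) == 0 ? "no" : "yes");
    return 0;
}
```

The probe exits 0 only when the variable is absent, so the first call reports that the injected value reached the helper and the second that it did not. Passing an explicit envp to execve(2) is the whole fix; clearing individual variables with unsetenv(3) is fragile because the list of variables a given helper honours is not under the caller's control.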

openssl wheezy update

2017-01-31 Thread Emilio Pozuelo Monfort
; urgency=medium + + * Non-maintainer upload by the LTS team. + * Backport changes from 1.0.1t-1+deb8u6: + * Fix CVE-2016-8610 + * Fix CVE-2017-3731 + * Fix CVE-2016-7056 + + -- Emilio Pozuelo Monfort <po...@debian.org> Tue, 31 Jan 2017 22:04:44 +0100 + openssl (1.0.1t-1+deb7u1) wheezy-se

[SECURITY] [DLA 800-1] firefox-esr security update

2017-01-26 Thread Emilio Pozuelo Monfort
Package: firefox-esr Version: 45.7.0esr-1~deb7u1 CVE ID : CVE-2017-5373 CVE-2017-5375 CVE-2017-5376 CVE-2017-5378 CVE-2017-5380 CVE-2017-5383 CVE-2017-5386 CVE-2017-5390 CVE-2017-5396

Accepted lcms2 2.2+git20110628-2.2+deb7u2 (source amd64) into oldstable

2017-01-26 Thread Emilio Pozuelo Monfort
Moskalenko <ma...@debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: liblcms2-2 - Little CMS 2 color management library liblcms2-dev - Little CMS 2 color management library development headers liblcms2-utils - Little CMS 2 color management library Changes:

[SECURITY] [DLA 802-1] openjdk-7 security update

2017-01-26 Thread Emilio Pozuelo Monfort
Package: openjdk-7 Version: 7u121-2.6.8-1~deb7u1 openjdk-7 7u111-2.6.7-2~deb7u1 backported the security fixes from 7u121. openjdk-7 has now been updated to the full 7u121 version, which includes extra bug fixes and other

[SECURITY] [DLA 801-1] libxpm security update

2017-01-26 Thread Emilio Pozuelo Monfort
Package: libxpm Version: 1:3.5.10-1+deb7u1 CVE ID : CVE-2016-10164 Tobias Stoeckmann discovered a vulnerability in the libXpm library that could cause a malicious attacker to execute arbitrary code via a specially crafted

[SECURITY] [DLA 803-1] lcms2 security update

2017-01-26 Thread Emilio Pozuelo Monfort
Package: lcms2 Version: 2.2+git20110628-2.2+deb7u2 CVE ID : CVE-2016-10165 Debian Bug : https://bugs.debian.org/852627 An out of bounds read was found in lcms2, which can lead to heap memory leak or denial of service via

Re: Accepted openjdk-7 7u121-2.6.8-1~deb7u1 (source all amd64) into oldstable

2017-01-30 Thread Emilio Pozuelo Monfort
On 27/01/17 22:18, Ola Lundqvist wrote: > Hi Emilio > > I saw that you have uploaded a new openjdk-7 package. Was that > package supposed to fix the current issues reported for openjdk-7 or > was that corrections for earlier version? It doesn't fix the latest round of CVEs. > I'm asking

Re: Accepted tcpdump 4.9.0-1~deb7u1 (amd64 source) into oldstable

2017-01-30 Thread Emilio Pozuelo Monfort
On 30/01/17 22:19, Ola Lundqvist wrote: > Hi > > Will you send the DLA or do you want me to do that? Adding Romain to Cc. Cheers, Emilio > > // Ola > > On 30 January 2017 at 19:40, Romain Francoise wrote: > Format: 1.8 > Date: Sun, 29 Jan 2017 22:17:21 +0100 > Source:

Accepted openjdk-7 7u121-2.6.8-1~deb7u1 (source all amd64) into oldstable

2017-01-25 Thread Emilio Pozuelo Monfort
openjdk-7-jre-zero Architecture: source all amd64 Version: 7u121-2.6.8-1~deb7u1 Distribution: wheezy-security Urgency: medium Maintainer: OpenJDK Team <open...@lists.launchpad.net> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: icedtea-7-jre-cacao - Transiti

Accepted libxpm 1:3.5.10-1+deb7u1 (source amd64) into oldstable

2017-01-25 Thread Emilio Pozuelo Monfort
<debia...@lists.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: libxpm-dev - X11 pixmap library (development headers) libxpm4 - X11 pixmap library libxpm4-dbg - X11 pixmap library (debug package) xpmutils - X11 pixmap utilities Changes: libxpm

Accepted firefox-esr 45.7.0esr-1~deb7u1 (source all amd64) into oldstable

2017-01-25 Thread Emilio Pozuelo Monfort
: wheezy-security Urgency: medium Maintainer: Maintainers of Mozilla-related packages <pkg-mozilla-maintain...@lists.alioth.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: firefox-esr - Mozilla Firefox web browser - Extended Support Release (ESR) fir

Re: postponing php5 issue

2017-02-22 Thread Emilio Pozuelo Monfort
On 22/02/17 20:48, Antoine Beaupré wrote: > On 2017-02-21 21:57:23, Emilio Pozuelo Monfort wrote: >> On 20/02/17 23:19, Antoine Beaupré wrote: >>> It seems a bit too much to do a DLA for a single issue in the php5 >>> package (CVE-2016-7478, namely): >>> >

Accepted gst-plugins-bad0.10 0.10.23-7.1+deb7u5 (source all amd64) into oldstable

2017-02-18 Thread Emilio Pozuelo Monfort
Architecture: source all amd64 Version: 0.10.23-7.1+deb7u5 Distribution: wheezy-security Urgency: medium Maintainer: Maintainers of GStreamer packages <pkg-gstreamer-maintain...@lists.alioth.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: gstreamer0.10-plugins-bad

Accepted gst-plugins-base0.10 0.10.36-1.1+deb7u2 (source all amd64) into oldstable

2017-02-18 Thread Emilio Pozuelo Monfort
ain...@lists.alioth.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: gir1.2-gst-plugins-base-0.10 - Description: GObject introspection data for the GStreamer Plugins gstreamer0.10-alsa - GStreamer plugin for ALSA gstreamer0.10-gnomevfs - GStreamer plugin

Accepted gst-plugins-good0.10 0.10.31-3+nmu1+deb7u2 (source all amd64) into oldstable

2017-02-18 Thread Emilio Pozuelo Monfort
amd64 Version: 0.10.31-3+nmu1+deb7u2 Distribution: wheezy-security Urgency: medium Maintainer: Maintainers of GStreamer packages <pkg-gstreamer-maintain...@lists.alioth.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: gstreamer0.10-gconf - GStreamer plugin

Accepted gst-plugins-ugly0.10 0.10.19-2+deb7u1 (source all amd64) into oldstable

2017-02-18 Thread Emilio Pozuelo Monfort
: wheezy-security Urgency: medium Maintainer: Maintainers of GStreamer packages <pkg-gstreamer-maintain...@lists.alioth.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: gstreamer0.10-plugins-ugly - GStreamer plugins from the "ugly" set gstreame

Re: postponing php5 issue

2017-02-21 Thread Emilio Pozuelo Monfort
On 20/02/17 23:19, Antoine Beaupré wrote: > It seems a bit too much to do a DLA for a single issue in the php5 > package (CVE-2016-7478, namely): > > https://security-tracker.debian.org/tracker/source-package/php5 > > I looked at the issue and the patch is easily ported, but i suggest we >

[SECURITY] [DLA 821-1] openjdk-7 security update

2017-02-10 Thread Emilio Pozuelo Monfort
Package: openjdk-7 Version: 7u121-2.6.8-2~deb7u1 CVE ID : CVE-2016-5546 CVE-2016-5547 CVE-2016-5548 CVE-2016-5552 CVE-2017-3231 CVE-2017-3241 CVE-2017-3252 CVE-2017-3253 CVE-2017-3260

Re: Print undetermined issues in lts-cve-triage

2017-02-12 Thread Emilio Pozuelo Monfort
On 03/02/17 16:37, Guido Günther wrote: > On Fri, Feb 03, 2017 at 12:25:19PM +0100, Emilio Pozuelo Monfort wrote: >> On 03/02/17 10:58, Guido Günther wrote: >>> Hi, >>> while looking at the recent changes in data/CVE/list I noticed a bunch >>> of gstreamer i

Accepted openjdk-7 7u121-2.6.8-2~deb7u1 (source all amd64) into oldstable

2017-02-09 Thread Emilio Pozuelo Monfort
openjdk-7-jre-zero Architecture: source all amd64 Version: 7u121-2.6.8-2~deb7u1 Distribution: wheezy-security Urgency: medium Maintainer: OpenJDK Team <open...@lists.launchpad.net> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: icedtea-7-jre-cacao - Transiti

Re: Fixing CVE-2017-5522 (stack buffer overflow) for mapserver in wheezy

2017-01-19 Thread Emilio Pozuelo Monfort
On 19/01/17 08:14, Sebastiaan Couwenberg wrote: > On 01/18/2017 10:17 PM, Ola Lundqvist wrote: >> Yes they are ok for wheezy-security. Thank you for your support. > > I've updated the secure-testing repo for this issue and sent the DLA. I haven't seen the DLA. Did you gpg-sign it? If you sent it

Re: nvidia-graphics-drivers 304.135 proposed packages for wheezy-lts

2017-02-27 Thread Emilio Pozuelo Monfort
Hi Andreas, On 26/02/17 00:03, Andreas Beckmann wrote: > Hi, > > here comes the next round: > > On 2017-01-10 16:13, Andreas Beckmann wrote: >> I've prepared a new upstream release of the proprietary nvidia graphics >> driver for wheezy-lts. This will fix several security bugs: > >* New

Re: CVE-2016-2313 fix wrong

2016-08-31 Thread Emilio Pozuelo Monfort
On 29/07/16 20:05, Emilio Pozuelo Monfort wrote: > On 28/07/16 14:59, Matus UHLAR - fantomas wrote: >>> On 28/07/16 13:35, Matus UHLAR - fantomas wrote: >>>> i believe the fix for CVE-2016-2313 in >>>> CVE-2016-2313-authentication-bypass.patch is invalid. >

Accepted cacti 0.8.8a+dfsg-5+deb7u10 (source all) into oldstable

2016-08-31 Thread Emilio Pozuelo Monfort
org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: cacti - web interface for graphing of monitoring systems Changes: cacti (0.8.8a+dfsg-5+deb7u10) wheezy-security; urgency=medium . * CVE-2016-2313-guest-auth.patch: + Fix regression in the fix for C

Re: updates to find-work

2016-09-06 Thread Emilio Pozuelo Monfort
On 07/09/16 00:01, Brian May wrote: > Hello, > > Do we have any sort of handle formal updates to find-work? > > If not, does anybody have any objections if I were to commit the > following change? It adds a --unassigned command line option that only > lists packages that are not taken by

[SECURITY] [DLA 560-2] cacti regression update

2016-09-01 Thread Emilio Pozuelo Monfort
Package: cacti Version: 0.8.8a+dfsg-5+deb7u10 The fix for CVE-2016-2313 did not take into account guest users. This update fixes it. For Debian 7 "Wheezy", these problems have been fixed in version 0.8.8a+dfsg-5+deb7u10. We

Re: Security update of firefox-esr for Wheezy

2016-09-01 Thread Emilio Pozuelo Monfort
On 08/08/16 10:20, Raphael Hertzog wrote: > On Mon, 08 Aug 2016, Emilio Pozuelo Monfort wrote: >>> Shall we mark gcc-4.8 as unsupported in wheezy, explaining that its only >>> purpose is to enable build of other packages? >> >> That would make sense. &g

LTS report for August 2016

2016-09-04 Thread Emilio Pozuelo Monfort
Hi, This month I was allocated 14.75 hours to work on Debian-LTS. I spent 13.5 hours doing the following: - openjdk-7: after some back and forth, finally pushed the update for openjdk-7 - icedtea-web: pushed the update to make icedtea-plugin default to openjdk-7 - fontconfig: prepared, tested

Re: Security update of firefox-esr for Wheezy

2016-09-03 Thread Emilio Pozuelo Monfort
On 02/09/16 08:39, Guido Günther wrote: > On Fri, Sep 02, 2016 at 01:26:05AM +0200, Emilio Pozuelo Monfort wrote: >> On 08/08/16 10:20, Raphael Hertzog wrote: >>> On Mon, 08 Aug 2016, Emilio Pozuelo Monfort wrote: >>>>> Shall we mark gcc-4.8 as unsupported in

Accepted tiff 4.0.2-6+deb7u6 (source all amd64) into oldstable

2016-08-30 Thread Emilio Pozuelo Monfort
Urgency: medium Maintainer: Ondřej Surý <ond...@debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: libtiff-doc - TIFF manipulation and conversion documentation libtiff-opengl - TIFF manipulation and conversion tools libtiff-tools - TIFF manipulation an

[SECURITY] [DLA 606-1] tiff security update

2016-08-30 Thread Emilio Pozuelo Monfort
Package: tiff Version: 4.0.2-6+deb7u6 CVE ID : CVE-2016-3991 CVE-2016-5314 CVE-2016-5315 CVE-2016-5316 CVE-2016-5317 CVE-2016-5320 CVE-2016-5321 CVE-2016-5322 CVE-2016-5323 CVE-2016-5875

Re: Security update of firefox-esr for Wheezy

2016-10-01 Thread Emilio Pozuelo Monfort
On 30/09/16 12:21, Guido Günther wrote: > Hi Emilio, > On Sat, Sep 03, 2016 at 12:12:55PM +0200, Emilio Pozuelo Monfort wrote: >> On 02/09/16 08:39, Guido Günther wrote: >>> On Fri, Sep 02, 2016 at 01:26:05AM +0200, Emilio Pozuelo Monfort wrote: >>>> On 08/0

Re: status of tzdata packages in wheezy

2016-10-26 Thread Emilio Pozuelo Monfort
On 26/10/16 10:58, Emilio Pozuelo Monfort wrote: > Hi Erdem, > > On 26/10/16 08:31, Erdem Bayer wrote: >> Hello >> >> As explained in debian bug 838781, Turkey choosed to change its DST policy >> and >> will not be updating the time at the end of this mon

LTS Report for October 2016

2016-10-26 Thread Emilio Pozuelo Monfort
Hi, In this month I was allocated 13h, which I spent doing the following: - Finished the update I had started to libarchive - Tested libxml2 packages - Updated X11 packages (libx11, libxi, libxtst), fixing some regressions in the security patches:

[SECURITY] [DLA 686-1] libxtst security update

2016-10-26 Thread Emilio Pozuelo Monfort
Package: libxtst Version: 2:1.2.1-1+deb7u2 CVE ID : CVE-2016-7951 CVE-2016-7952 Debian Bug : 840444 Tobias Stoeckmann from the OpenBSD project discovered the following vulnerability in libXtst, the X Record extension:

Accepted libxi 2:1.6.1-1+deb7u2 (source amd64) into oldstable

2016-10-26 Thread Emilio Pozuelo Monfort
<debia...@lists.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: libxi-dev - X11 Input extension library (development headers) libxi6 - X11 Input extension library libxi6-dbg - X11 Input extension library (debug package) libxi6-udeb - X11 Input exten

[SECURITY] [DLA 681-1] tzdata new upstream version

2016-10-26 Thread Emilio Pozuelo Monfort
Package: tzdata Version: 2016h-0+deb7u1 This update includes the changes in tzdata up to 2016h. Notable changes are: - Asia/Gaza and Asia/Hebron (DST ending on 2016-10-29 at 01:00, not 2016-10-21 at 00:00). - Europe/Istanbul

Accepted tzdata 2016h-0+deb7u1 (source all) into oldstable

2016-10-26 Thread Emilio Pozuelo Monfort
-gl...@lists.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: tzdata - time zone and daylight-saving time data tzdata-java - time zone and daylight-saving time data for use by java runtimes Closes: 838781 Changes: tzdata (2016h-0+deb7u1) wheezy-security; urgency=medium

Accepted libdatetime-timezone-perl 1:1.58-1+2016h (source all) into oldstable

2016-10-26 Thread Emilio Pozuelo Monfort
pkg-perl-maintain...@lists.alioth.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: libdatetime-timezone-perl - framework exposing the Olson time zone database to Perl Changes: libdatetime-timezone-perl (1:1.58-1+2016h) wheezy-security; urgency=medium .

[SECURITY] [DLA 703-1] libdatetime-timezone-perl new upstream version

2016-11-06 Thread Emilio Pozuelo Monfort
Package: libdatetime-timezone-perl Version: 1:1.58-1+2016i This update includes the changes in tzdata 2016i for the Perl bindings. For the list of changes, see DLA-702-1. For Debian 7 "Wheezy", these problems have been fixed in

[SECURITY] [DLA 702-1] tzdata new upstream version

2016-11-06 Thread Emilio Pozuelo Monfort
Package: tzdata Version: 2016i-0+deb7u1 This update includes the changes in tzdata 2016i. Notable changes are: - Pacific/Tongatapu (DST starting on 2016-11-06 at 02:00). - Northern Cyprus is now +03 year round, the Asia/Famagusta

[SECURITY] [DLA 700-1] libxslt security update

2016-11-05 Thread Emilio Pozuelo Monfort
Package: libxslt Version: 1.1.26-14.1+deb7u2 CVE ID : CVE-2016-4738 Debian Bug : 842570 A heap overread bug was found in libxslt, which can cause arbitrary code execution or denial of service. For Debian 7 "Wheezy",

Accepted libxslt 1.1.26-14.1+deb7u2 (source amd64) into oldstable

2016-11-05 Thread Emilio Pozuelo Monfort
: medium Maintainer: Debian XML/SGML Group <debian-xml-sgml-p...@lists.alioth.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: libxslt1-dbg - XSLT 1.0 processing library - debugging symbols libxslt1-dev - XSLT 1.0 processing library - development kit

[SECURITY] [DLA 704-1] openjdk-7 security update

2016-11-06 Thread Emilio Pozuelo Monfort
Package: openjdk-7 Version: 7u111-2.6.7-2~deb7u1 CVE ID : CVE-2016-5542 CVE-2016-5554 CVE-2016-5573 CVE-2016-5582 CVE-2016-5597 Debian Bug : 841692 Several vulnerabilities have been discovered in

Re: testing libxml2 for Wheezy LTS

2016-10-25 Thread Emilio Pozuelo Monfort
Hi Thorsten, On 23/10/16 20:04, Thorsten Alteholz wrote: > Hi everybody, > > I uploaded version 2.8.0+dfsg1-7+wheezy7 of libxml2 to: > > https://people.debian.org/~alteholz/packages/wheezy-lts/libxml2/amd64/ > > Please give it a try and tell me about any problems you met. It would be nice >

September report

2016-10-19 Thread Emilio Pozuelo Monfort
Hi, September was a bad month for me, and I only managed to spend 1h out of 12.30h, working on the libarchive update. I am returning the rest of the time to the pool so it can be allocated among the contributors next month. Sorry for that and for the delay in the report, I should be back to

[SECURITY] [DLA 712-1] gst-plugins-bad0.10 security update

2016-11-19 Thread Emilio Pozuelo Monfort
Package: gst-plugins-bad0.10 Version: 0.10.23-7.1+deb7u3 CVE ID : CVE-2016-9445 CVE-2016-9446 CVE-2016-9447 CVE-2016-9445 CVE-2016-9446 Chris Evans discovered that the GStreamer plugin to decode VMware screen

Re: status of tzdata packages in wheezy

2016-10-26 Thread Emilio Pozuelo Monfort
Hi Erdem, On 26/10/16 08:31, Erdem Bayer wrote: > Hello > > As explained in debian bug 838781, Turkey chose to change its DST policy > and > will not be updating the time at the end of this month. IANA released two > updates about Turkey, 2016g and 2016h, these packages hit the stable repos

[SECURITY] [DLA 657-1] libarchive security update

2016-10-16 Thread Emilio Pozuelo Monfort
Package: libarchive Version: 3.0.4-3+wheezy4 CVE ID : CVE-2016-5418 Debian Bug : 837714 It was found that libarchive mishandled hardlink archive entries of non-zero data size, possibly allowing remote attackers to

Re: libarchive12: ldconfig warns that libarchive.so.12 is not a symbolic link

2016-10-16 Thread Emilio Pozuelo Monfort
> virtualbox VM with the build directory mounted as vboxsf share mount. > Apparently, symlinks get screwed up up on vboxsf mounts. > > Another LTS update of libarchive is underway anyway, Emilio Pozuelo > Monfort is working on it. I suggest to wait until his upload, which will > fix the bug

Accepted libarchive 3.0.4-3+wheezy4 (source amd64) into oldstable

2016-10-15 Thread Emilio Pozuelo Monfort
Maintainers <ah-libarch...@debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: bsdcpio- Implementation of the 'cpio' program from FreeBSD bsdtar - Implementation of the 'tar' program from FreeBSD libarchive-dev - Multi-format archive and compres

Accepted tzdata 2016j-0+deb7u1 (source all) into oldstable

2016-11-29 Thread Emilio Pozuelo Monfort
-gl...@lists.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: tzdata - time zone and daylight-saving time data tzdata-java - time zone and daylight-saving time data for use by java runtimes Closes: 845691 Changes: tzdata (2016j-0+deb7u1) wheezy-security; urgency=medium

[SECURITY] [DLA 725-1] tzdata new upstream version

2016-11-29 Thread Emilio Pozuelo Monfort
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: tzdata Version: 2016j-0+deb7u1 This update includes the changes in tzdata 2016j. Notable changes are: - Saratov, Russia switches from +03 to +04 on 2016-12-04 at 02:00. For Debian 7 "Wheezy", these problems have been

[SECURITY] [DLA 735-1] gst-plugins-base0.10 security update

2016-12-07 Thread Emilio Pozuelo Monfort
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: gst-plugins-base0.10 Version: 0.10.36-1.1+deb7u1 CVE ID : CVE-2016-9811 An out of bounds heap read issue was found in gst-plugins-base0.10. For Debian 7 "Wheezy", these problems have been fixed in version

[SECURITY] [DLA 743-1] firefox-esr security update

2016-12-15 Thread Emilio Pozuelo Monfort
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: firefox-esr Version: 45.6.0esr-1~deb7u1 CVE ID : CVE-2016-9893 CVE-2016-9895 CVE-2016-9897 CVE-2016-9898 CVE-2016-9899 CVE-2016-9900 CVE-2016-9901 CVE-2016-9902 CVE-2016-9904

Accepted game-music-emu 0.5.5-2+deb7u1 (source amd64) into oldstable

2016-12-15 Thread Emilio Pozuelo Monfort
org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: libgme-dev - Playback library for video game music files - development files libgme0- Playback library for video game music files - shared library Changes: game-music-emu (0.5.5-2+deb7u1) wheezy-security; ur

Accepted firefox-esr 45.6.0esr-1~deb7u1 (source all amd64) into oldstable

2016-12-15 Thread Emilio Pozuelo Monfort
: wheezy-security Urgency: medium Maintainer: Maintainers of Mozilla-related packages <pkg-mozilla-maintain...@lists.alioth.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: firefox-esr - Mozilla Firefox web browser - Extended Support Release (ESR) fir

[SECURITY] [DLA 684-2] libx11 regression update

2017-01-14 Thread Emilio Pozuelo Monfort
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: libx11 Version: 2:1.5.0-1+deb7u4 A possible invalid free was introduced in libx11 2:1.5.0-1+deb7u3, which could lead to application crashes or other issues. For Debian 7 "Wheezy", these problems have been fixed in version

Accepted libx11 2:1.5.0-1+deb7u4 (source amd64 all) into oldstable

2017-01-14 Thread Emilio Pozuelo Monfort
Distribution: wheezy-security Urgency: medium Maintainer: Debian X Strike Force <debia...@lists.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: libx11-6 - X11 client-side library libx11-6-dbg - X11 client-side library (debug package) libx11-6-udeb - X11

[SECURITY] [DLA 784-1] gcc-mozilla new package

2017-01-14 Thread Emilio Pozuelo Monfort
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: gcc-mozilla Version: 4.8.4-0deb7u1 GCC 4.8 has been packaged as gcc-mozilla for Debian 7. This package will be needed for future updates to firefox-esr and icedove, and possibly other packages that require new versions of

Accepted gcc-mozilla 4.8.4-0deb7u1 (source amd64) into oldstable, oldstable

2017-01-11 Thread Emilio Pozuelo Monfort
org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Description: gcc-mozilla - GCC, the GNU Compiler Collection Changes: gcc-mozilla (4.8.4-0deb7u1) wheezy-security; urgency=medium . * Upload to Debian wheezy for firefox-esr and icedove. Ch

Re: Versioning of new releases in (old)stable (Was: nss security update package ready for review)

2016-12-01 Thread Emilio Pozuelo Monfort
On 01/12/16 16:25, Jonas Meurer wrote: > Hi Security and LTS folks, > > Am 01.12.2016 um 15:54 schrieb Salvatore Bonaccorso: >> On Wed, Nov 30, 2016 at 04:05:20PM -0500, Antoine Beaupré wrote: >>> +nss (2:3.26.2-1+debu7u1) UNRELEASED; urgency=high >>> + >>> + * Non-maintainer upload by the LTS
