Re: squeeze update of axis?

2015-02-18 Thread Markus Koschany
a domain name in the subject's Common Name +(CN) or subjectAltName field of the X.509 certificate, which allows +man-in-the-middle attackers to spoof SSL servers via a certificate with a +subject that specifies a common name in a field that is not the CN field. + + -- Markus Koschany

Re: squeeze update of flightgear?

2015-03-25 Thread Markus Koschany
On 25.03.2015 19:56, Bret Busby wrote: On 26/03/2015, Moritz Muehlenhoff j...@inutil.org wrote: On Wed, Mar 25, 2015 at 09:28:01AM +0100, Markus Wanner wrote: I'm sorry, I don't think I'll have time to work on this, myself. (Nor do I think games are an important part of an LTS distribution.

Re: squeeze update of checkpw?

2015-03-30 Thread Markus Koschany
via -- in usernames (Closes: #780139) + + -- Markus Koschany a...@gambaru.de Mon, 30 Mar 2015 14:02:06 +0200 + checkpw (1.02-1) unstable; urgency=low * new upstream point release. only in patch2: unchanged: --- checkpw-1.02.orig/debian/diff/CVE-2015-0885.diff +++ checkpw-1.02/debian/diff/CVE

Re: libspring-2.5-java and requesting membership for secure-testing

2015-03-30 Thread Markus Koschany
On 30.03.2015 14:46, Raphael Hertzog wrote: [...] No it's correct, the last CVE issue was mis-assigned to that package. That said there are other java packages in need of some love. For example commons-httpclient has been waiting for months:

libspring-2.5-java and requesting membership for secure-testing

2015-03-30 Thread Markus Koschany
Hello, I have recently started to investigate whether I could fix some open LTS issues and discovered the entry for libspring-2.5-java. According to https://security-tracker.debian.org/tracker/source-package/libspring-2.5-java there is no open security issue left. Is this an oversight?

Re: squeeze update of commons-httpclient

2015-05-02 Thread Markus Koschany
On 16.04.2015 11:31, Markus Koschany wrote: On 16.04.2015 09:00, Thijs Kinkhorst wrote: [...] I can take care of this, but did you also prepare a package for wheezy? If so, I missed it. Hi Thijs, I already filed a bug report for wheezy against release.debian.org. [1] The security team

Re: squeeze update of commons-httpclient

2015-04-16 Thread Markus Koschany
On 16.04.2015 09:00, Thijs Kinkhorst wrote: [...] I can take care of this, but did you also prepare a package for wheezy? If so, I missed it. Hi Thijs, I already filed a bug report for wheezy against release.debian.org. [1] The security team has marked this CVE as no-dsa. The debdiff for

squeeze update of commons-httpclient

2015-04-15 Thread Markus Koschany
is +now completely resolved by applying this patch and the +06_fix_CVE-2012-5783.patch. + * Change java.source and java.target ant properties to 1.5, otherwise +commons-httpclient will not compile with this patch. + + -- Markus Koschany a...@gambaru.de Wed, 15 Apr 2015 22:18:19 +0200

Re: squeeze update of checkpw?

2015-04-09 Thread Markus Koschany
On 09.04.2015 12:42, Thorsten Alteholz wrote: Hi Markus, thanks for preparing the patch. I uploaded the package now. On Mon, 30 Mar 2015, Markus Koschany wrote: Please find attached a debdiff for review to this e-mail. I have only two remarks. The package should go to squeeze-lts

Re: squeeze update of libapache-mod-jk?

2015-06-09 Thread Markus Koschany
On 09.06.2015 18:22, Raphael Hertzog wrote: Hi, On Sat, 30 May 2015, Markus Koschany wrote: please find attached the debdiff and fix for libapache-mod-jk in squeeze. Feedback and testing are appreciated. I did a quick review and it looks good. It builds fine in my chroot. But I don't

Re: squeeze update of libapache-mod-jk?

2015-05-30 Thread Markus Koschany
On 26.05.2015 19:21, Markus Koschany wrote: On 26.05.2015 17:23, Raphael Hertzog wrote: Hello dear maintainer(s), the Debian LTS team would like to fix the security issues which are currently open in the Squeeze version of libapache-mod-jk: https://security-tracker.debian.org/tracker/CVE

Re: squeeze update of libapache-mod-jk?

2015-05-26 Thread Markus Koschany
On 26.05.2015 17:23, Raphael Hertzog wrote: Hello dear maintainer(s), the Debian LTS team would like to fix the security issues which are currently open in the Squeeze version of libapache-mod-jk: https://security-tracker.debian.org/tracker/CVE-2014-8111 Would you like to take care of

Re: Unsupported packages for Wheezy LTS

2015-11-19 Thread Markus Koschany
Am 19.11.2015 um 21:45 schrieb Moritz Mühlenhoff: [...] > Another package which needs to be sorted out is the support for > Java. wheezy has both openjdk-6 and openjdk-7 (jessie has only > -7 and stretch will also only have one version). > > Currently the maintenance heavily relies on the

Re: Security update of libxstream-java

2016-06-02 Thread Markus Koschany
On 02.06.2016 22:03, Moritz Muehlenhoff wrote: > On Thu, Jun 02, 2016 at 09:32:27PM +0200, Markus Koschany wrote: >> On 02.06.2016 11:35, Emmanuel Bourg wrote: >>> Le 2/06/2016 à 11:19, Markus Koschany a écrit : >>> >>>> I saw that you have claimed libxs

Re: Security update of libxstream-java

2016-06-02 Thread Markus Koschany
On 02.06.2016 11:35, Emmanuel Bourg wrote: > Le 2/06/2016 à 11:19, Markus Koschany a écrit : > >> I saw that you have claimed libxstream-java in dla-needed.txt. It's been >> a while since the security update for Jessie has been released. Is there >> a reason why lib

Re: Debian LTS: uploaded packages to wheezy-security not available

2016-06-07 Thread Markus Koschany
On 06.06.2016 00:52, Ansgar Burchardt wrote: > Hi, > > Markus Koschany <a...@debian.org> writes: >> Am 04.05.2016 um 13:43 schrieb Markus Koschany: >>> Hi Ansgar, >>> >>> In preparation for the default Java switch I have uploaded more packages &

Re: Debian LTS: uploaded packages to wheezy-security not available

2016-06-08 Thread Markus Koschany
On 08.06.2016 10:26, Ansgar Burchardt wrote: > Markus Koschany <a...@debian.org> writes: >> thanks for looking into these issues. Yesterday I tried to upload >> libxstream-java and libpdfbox-java. Dak doesn't seem to like them too. I >> guess I'm very lucky in find

[SECURITY] [DLA 505-1] libpdfbox-java security update

2016-06-08 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: libpdfbox-java Version: 1:1.7.0+dfsg-4+deb7u1 CVE ID : CVE-2016-2175 Apache PDFBox did not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks

[SECURITY] [DLA 504-1] libxstream-java security update

2016-06-08 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: libxstream-java Version: 1.4.2-1+deb7u1 CVE ID : CVE-2016-3674 Debian Bug : 819455 It was discovered that XStream, a Java library to serialize objects to XML and back again, was susceptible to XML External

[SECURITY] [DLA 508-1] expat security update

2016-06-08 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: expat Version: 2.1.0-1+deb7u4 CVE ID : CVE-2012-6702 CVE-2016-5300 Two related issues have been discovered in Expat, a C library for parsing XML. CVE-2012-6702 This issue was introduced when CVE-2012-0876 was

Re: bits.debian.org: Wheezy LTS post about armel and armhf support

2016-05-28 Thread Markus Koschany
Hi all, I haven't seen our Wheezy LTS post on bits.debian.org yet. Is there anything we can do? Regards, Markus signature.asc Description: OpenPGP digital signature

Re: Debian LTS: uploaded packages to wheezy-security not available

2016-05-28 Thread Markus Koschany
Am 04.05.2016 um 13:43 schrieb Markus Koschany: > Hi Ansgar, > > In preparation for the default Java switch I have uploaded more packages > to wheezy-security yesterday and most of them are available in the > archive now. However some of them never showed up there, although I made

[SECURITY] [DLA 490-1] bozohttpd security update

2016-05-25 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: bozohttpd Version: 2018-1+deb7u1 CVE ID : CVE-2014-5015 CVE-2015-8212 Debian Bug : 755197 Two security vulnerabilities have been discovered in bozohttpd, a small HTTP server. CVE-2014-5015 Bozotic HTTP

[SECURITY] [DLA 501-1] gdk-pixbuf security update

2016-06-02 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: gdk-pixbuf Version: 2.26.1-1+deb7u5 CVE ID : CVE-2015-7552 It was discovered that the original fix for CVE-2015-7552 (DLA-450-1) was incomplete. A heap-based buffer overflow in gdk-pixbuf, a library for image

[SECURITY] Debian 7 Wheezy LTS now supporting armel and armhf

2016-06-02 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Debian Long Term Support (LTS) is a project created to extend the life of all Debian stable releases to (at least) 5 years. Thanks to the LTS sponsors, Debian's buildd maintainers and the Debian FTP Team are excited to announce that two new

Security update of libxstream-java

2016-06-02 Thread Markus Koschany
Hello, I saw that you have claimed libxstream-java in dla-needed.txt. It's been a while since the security update for Jessie has been released. Is there a reason why libxstream-java hasn't been updated in Wheezy yet? Regards, Markus signature.asc Description: OpenPGP digital signature

Re: Wheezy update of vlc?

2016-06-02 Thread Markus Koschany
On 29.05.2016 22:21, Santiago Ruano Rincón wrote: > El 29/05/16 a las 19:53, Thorsten Alteholz escribió: >> Hello dear maintainer(s), >> >> the Debian LTS team would like to fix the security issues which are >> currently open in the Wheezy version of vlc: >>

Re: Debian LTS Security update of ruby-mail (advice needed)

2016-05-26 Thread Markus Koschany
Am 26.05.2016 um 09:21 schrieb Ola Lundqvist: > Hi Markus > > I realized (too late) that I had not checked the dak mail before I sent > the mail. Sorry about that. > > Thanks for the note about sa option. I'll fix this as soon as possible. > Do you think I need to step the revision or is a

Re: Debian LTS Security update of ruby-mail (advice needed)

2016-05-26 Thread Markus Koschany
Hi Ola, you have sent the security announcement for ruby-mail yesterday but the package hasn't been uploaded yet. One reason for that might be that it is the first upload to security-master thus ruby-mail must be built with -sa. You can follow all changes at

Re: bits.debian.org: Wheezy LTS post about armel and armhf support

2016-06-01 Thread Markus Koschany
On 31.05.2016 22:41, Ana Guerrero Lopez wrote: [...] > > In bits and annoucements we prefer to be more verbose, so the message is > complete and understandable for the wider audience, even the ones not > familiarized with the topic. > > Given that this is a short news/update on former news, we

Re: icu package and debdiff [new contributor, first attempt]

2016-06-20 Thread Markus Koschany
Hello Roberto, On 17.06.2016 18:48, Roberto C. Sánchez wrote: > (This message is directed to Antoine as he gave me the initial feedback, > but I welcome comments and suggestions from anyone). > > Hi Antoine, > > Thanks for the feedback on this a few weeks ago. I've been quite busy > but I

squeeze update of radicale?

2016-01-18 Thread Markus Koschany
let us know whether you would like to review and/or test the updated package before it gets released. Thank you very much. Markus Koschany, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone

Accepted openjdk-6 6b38-1.13.10-1~deb6u1 (source i386 all) into squeeze-lts

2016-02-04 Thread Markus Koschany
Architecture: source i386 all Version: 6b38-1.13.10-1~deb6u1 Distribution: squeeze-lts Urgency: high Maintainer: OpenJDK Team <open...@lists.launchpad.net> Changed-By: Markus Koschany <a...@debian.org> Description: icedtea-6-jre-cacao - Alternative JVM for OpenJDK, using Cacao openjdk-

[SECURITY] [DLA 410-1] openjdk-6 security update

2016-02-04 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: openjdk-6 Version: 6b38-1.13.10-1~deb6u1 CVE ID : CVE-2015-7575 CVE-2015-8126 CVE-2015-8472 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494 Several

Re: Preparing to announce Squeeze LTS end-of-life

2016-02-11 Thread Markus Koschany
Am 11.02.2016 um 19:09 schrieb Miroslav Skoric: > On 02/10/2016 10:17 AM, Matus UHLAR - fantomas wrote: > >> >> so, are you prepared for valentine's day massacre? >> > > Actually not: It is Wheezy (7.9) now, and I predict its valentine's day > massacre to approach in few years. Btw, when is the

Re: Preparing to announce Squeeze LTS end-of-life

2016-02-11 Thread Markus Koschany
[ I am subscribed to debian-lts. No need to CC me ] Am 11.02.2016 um 20:36 schrieb Moritz Mühlenhoff: > On Thu, Feb 11, 2016 at 08:19:02PM +0100, Markus Koschany wrote: >> Am 11.02.2016 um 19:09 schrieb Miroslav Skoric: >>> On 02/10/2016 10:17 AM, Matus UHLAR - fantomas wrote

Re: Preparing to announce Squeeze LTS end-of-life

2016-02-11 Thread Markus Koschany
Am 12.02.2016 um 01:08 schrieb Holger Levsen: > Hi, > > On Donnerstag, 11. Februar 2016, Markus Koschany wrote: >>> In the light of the recent confusion about what "February 2016" means >>> you should really communicate a fixed date upfront. >> Si

Re: Preparing to announce Squeeze LTS end-of-life

2016-02-13 Thread Markus Koschany
Hi, Am 13.02.2016 um 09:23 schrieb Holger Levsen: > Hi, > > On Freitag, 12. Februar 2016, Markus Koschany wrote: [...] >> For now it should be clear that Wheezy LTS will be supported >> until the end of May 2018. > > Sadly, if you only read the "Debian 6.

Re: Summary of the LTS BoF held during DebConf

2016-01-28 Thread Markus Koschany
Am 28.01.2016 um 20:05 schrieb Moritz Mühlenhoff: > On Thu, Jan 28, 2016 at 08:02:47PM +0100, Markus Koschany wrote: >> In my opinion OpenJDK 7 should be an adequate replacement for OpenJDK 6 >> and I can't think of any serious regressions since all Java packages >> have pro

Wiki update LTS/Using and EOL announcement

2016-02-28 Thread Markus Koschany
Hi all, I have updated https://wiki.debian.org/LTS/Using to prepare for the switch to Wheezy LTS. What do you think about sending an EOL announcement to debian-lts-announce on March 1st? We could simply reuse the official NEWS post [1] and would probably reach those people who normally don't read

Accepted pcre3 8.02-1.1+deb6u1 (source amd64) into squeeze-lts

2016-02-29 Thread Markus Koschany
: Mark Baker <m...@mnb.org.uk> Changed-By: Markus Koschany <a...@debian.org> Description: libpcre3 - Perl 5 Compatible Regular Expression Library - runtime files libpcre3-dbg - Perl 5 Compatible Regular Expression Library - debug symbols libpcre3-dev - Perl 5 Compatible Regular Expres

Re: Wiki update LTS/Using and EOL announcement

2016-02-29 Thread Markus Koschany
Am 28.02.2016 um 18:12 schrieb Holger Levsen: > Hi Markus, > > On Sonntag, 28. Februar 2016, Markus Koschany wrote: >> I have updated https://wiki.debian.org/LTS/Using to prepare for the >> switch to Wheezy LTS. What do you think about sending an EOL >> announce

[SECURITY] [DLA 441-1] pcre3 security update

2016-02-29 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: pcre3 Version: 8.02-1.1+deb6u1 Debian Bug : 815921 HP's Zero Day Initiative has identified a vulnerability affecting the pcre3 package. It was assigned ZDI id ZDI-CAN-3542. A CVE identifier has not been assigned yet.

Accepted bsh 2.0b4-12+deb6u1 (source all i386) into squeeze-lts

2016-02-29 Thread Markus Koschany
ain...@lists.alioth.debian.org> Changed-By: Markus Koschany <a...@debian.org> Description: bsh- Java scripting environment (BeanShell) Version 2 bsh-doc- Documentation for bsh bsh-gcj- Java scripting environment (BeanShell) Version 2 (native code) bsh-src- Ja

Re: Unsupported packages for Wheezy LTS

2016-02-29 Thread Markus Koschany
Am 29.02.2016 um 15:17 schrieb Raphael Hertzog: > On Thu, 19 Nov 2015, Moritz Mühlenhoff wrote: >> Another package which needs to be sorted out is the support for >> Java. wheezy has both openjdk-6 and openjdk-7 (jessie has only >> -7 and stretch will also only have one version). > > I asked our

[SECURITY] [DLA 443-1] bsh security update

2016-02-29 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: bsh Version: 2.0b4-12+deb6u1 CVE ID : CVE-2016-2510 A remote code execution vulnerability was found in BeanShell, an embeddable Java source interpreter with object scripting language features. CVE-2016-2510:

Re: Wiki update LTS/Using and EOL announcement

2016-02-29 Thread Markus Koschany
Am 29.02.2016 um 20:27 schrieb Paul Gevers: > Hi Markus, > > On 29-02-16 20:25, Matus UHLAR - fantomas wrote: >> you only can upgrade to wheezy directly. upgrade accross versions is not >> supported. > > I know, but that is not what I meant. I meant (and wrote), upgrade via > wheezy. Hi Paul,

Accepted tomcat6 6.0.45-1~deb6u1 (source all) into squeeze-lts

2016-02-27 Thread Markus Koschany
Architecture: source all Version: 6.0.45-1~deb6u1 Distribution: squeeze-lts Urgency: high Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org> Changed-By: Markus Koschany <a...@debian.org> Description: libservlet2.4-java - Transitional package for libser

[SECURITY] [DLA 435-1] tomcat6 security update

2016-02-27 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: tomcat6 Version: 6.0.45-1~deb6u1 CVE ID : CVE-2015-5174 CVE-2015-5345 CVE-2015-5351 CVE-2016-0706 CVE-2016-0714 CVE-2016-0763 Tomcat 6, an implementation of the Java Servlet and the JavaServer Pages

Re: squeeze update of radicale?

2016-01-19 Thread Markus Koschany
Am 19.01.2016 um 04:36 schrieb Jonas Smedegaard: > Hi Markus and other Debian LTS maintainers, > > Quoting Markus Koschany (2016-01-19 00:50:04) >> the Debian LTS team would like to fix the security issues which are >> currently open in the Squeeze version of radicale:

Re: no-dsa vs. end-of-life

2016-01-26 Thread Markus Koschany
Am 26.01.2016 um 22:08 schrieb Guido Günther: > Hi, > I see many packages marked: > > [squeeze] - foo (not supported in Squeeze LTS) > > shouldn't that be > > [squeeze] - foo (not supported in Squeeze LTS) > > since no-dsa implies that the bug migh be fixed eventually in

Accepted radicale 0.3-2+deb6u1 (source all) into squeeze-lts

2016-01-26 Thread Markus Koschany
hanged-By: Markus Koschany <a...@debian.org> Description: python-radicale - simple calendar server - module radicale - simple calendar server - daemon Changes: radicale (0.3-2+deb6u1) squeeze-lts; urgency=high . * Non-maintainer upload by the Debian LTS Team. * CVE-2015-8748: P

[SECURITY] [DLA 418-1] wordpress security update

2016-02-16 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: wordpress Version: 3.6.1+dfsg-1~deb6u9 CVE ID : CVE-2016-2221 CVE-2016- Debian Bug : 813697 WordPress versions 4.4.1 and earlier are affected by two security issues: a possible Side Request Forgery

[SECURITY] [DLA 422-1] python-imaging security update

2016-02-21 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: python-imaging Version: 1.1.7-2+deb6u2 CVE ID : CVE-2016-0775 Debian Bug : 813909 Two buffer overflows were discovered in python-imaging, a Python library for loading and manipulating image files, which may

Accepted wordpress 3.6.1+dfsg-1~deb6u9 (source all) into squeeze-lts

2016-02-16 Thread Markus Koschany
org> Changed-By: Markus Koschany <a...@debian.org> Description: wordpress - weblog manager wordpress-l10n - weblog manager - language files Closes: 813697 Changes: wordpress (3.6.1+dfsg-1~deb6u9) squeeze-lts; urgency=high . * Non-maintainer upload by the Debian LTS Team. * Fix open

Accepted python-imaging 1.1.7-2+deb6u2 (source all i386) into squeeze-lts

2016-02-21 Thread Markus Koschany
Version: 1.1.7-2+deb6u2 Distribution: squeeze-lts Urgency: high Maintainer: Matthias Klose <d...@debian.org> Changed-By: Markus Koschany <a...@debian.org> Description: python-imaging - Python Imaging Library python-imaging-dbg - Python Imaging Library (debug extension) python

Re: working for wheezy-security until wheezy-lts starts

2016-03-13 Thread Markus Koschany
Am 13.03.2016 um 04:32 schrieb Brian May: > Brian May writes: > >>> 2. Spend some time on investigating what it takes to backport >>> libav from jessie to wheezy. 11.x is still supported by >>> libav upstream and we could share triage work for jessie/wheezy >>> going forwards.

Re: Archive of squeeze-lts ?

2016-03-24 Thread Markus Koschany
Am 24.03.2016 um 18:59 schrieb Johnathon Tinsley: >>> >>> I'm seeing this when trying to fetch lts packages from >>> archive.debian.org at the moment. Anyone know a good contact for them? >>> >>> E: Release file expired, ignoring >>> http://archive.debian.org/debian/dists/squeeze-lts/Release

Re: Bug#818843: debian-security-support: new earlyend type, consider future end of support

2016-03-21 Thread Markus Koschany
Am 21.03.2016 um 00:38 schrieb Santiago Ruano Rincón: > Package: debian-security-support > Severity: wishlist > Tags: -1 + patch > > Hi, > > Packages such as tomcat6 will get support until the end of 2016, at the > same time than Ubuntu LTS. To consider this kind of cases and warn the > user

Re: teaching people to ignore warnings is bad (Re: Archive of squeeze-lts ?)

2016-03-24 Thread Markus Koschany
Hi, Am 25.03.2016 um 00:26 schrieb Holger Levsen: > Hi, > > On Thu, Mar 24, 2016 at 07:26:22PM +0100, Markus Koschany wrote: >> squeeze-lts has been archived on archive.debian.org. The warning is >> valid and it reminds people that the support for Squeeze has ended. >&g

Re: Wiki update LTS/Using and EOL announcement

2016-03-01 Thread Markus Koschany
Am 01.03.2016 um 13:16 schrieb Bonno Bloksma (list account): > Hi, > > On 2016-02-29 20:27, Paul Gevers wrote: >>> I know, but that is not what I meant. I meant (and wrote), upgrade via >>> wheezy. >> >> I think that (what you wrote ealier) would be a sensible recommendation to >> make. >> >>

[SECURITY] Debian 6 Squeeze has reached end-of-life

2016-03-01 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 The Debian Long Term Support (LTS) Team hereby announces that Debian 6 ("Squeeze") support has reached its end-of-life on February 29, 2016, five years after its initial release on February 6, 2011. There will be no further security support for

Re: Unsupported packages for Wheezy LTS

2016-03-01 Thread Markus Koschany
Am 29.02.2016 um 18:04 schrieb Raphael Hertzog: > On Mon, 29 Feb 2016, Markus Koschany wrote: >> Matthias Klose, the OpenJDK maintainer, stated that he intends to >> support OpenJDK 6 until Ubuntu 12.04 reaches EOL in April 2017 [1] and I >> think it should be feasible to

Re: Non-security uploads for wheezy-lts

2016-03-02 Thread Markus Koschany
Am 01.03.2016 um 15:45 schrieb Scott Kitterman: > I understand that the plan is not to create a separate package suite for > Wheezy as was done for Squeeze and to upload to wheezy-security instead. > How > are uploads that aren't strictly security uploads going to be handled? > > Specifically,

Re: Status report: Making OpenJDK 7 the default in Wheezy LTS

2016-04-01 Thread Markus Koschany
Hi Guido, Am 01.04.2016 um 12:32 schrieb Guido Günther: [...] > This all sound reasonable to me. I wonder if we should prepare a update > repository before that to make testing simpler (or maybe do this via > backports)? I think the situation looks like that: 1. Changing the runtime

Re: Bug#818843: debian-security-support: new earlyend type, consider future end of support

2016-04-01 Thread Markus Koschany
Am 29.03.2016 um 23:17 schrieb Santiago Ruano Rincón: > El 21/03/16 a las 18:00, Markus Koschany escribió: >> Am 21.03.2016 um 00:38 schrieb Santiago Ruano Rincón: > ... >>> Also, would it be better to have a separate list file for earlyend? >> >> Hi, >>

Status report: Making OpenJDK 7 the default in Wheezy LTS

2016-03-28 Thread Markus Koschany
Hi all, here is a summary about the current status of making OpenJDK 7 the default Java JRE / JDK in Wheezy-LTS. Intended changes === 1. Making OpenJDK 7 the default by updating src:java-common, so that default-jre and default-jdk will install OpenJDK 7 instead of OpenJDK

Announcing the start of Wheezy LTS

2016-04-21 Thread Markus Koschany
Hello Publicity Team, hello translation teams the Debian Long Term Support Team would like to announce the start of Wheezy LTS on 26 April 2016. I have committed our draft to https://anonscm.debian.org/cgit/publicity/announcements.git/commit/?id=d816ef401c55297904868a4b8d0b7f18d5bc9154 Justin B

Re: LTS Frontdesk duties

2016-04-21 Thread Markus Koschany
Am 21.04.2016 um 16:33 schrieb Antoine Beaupré: > On 2016-04-21 04:48:26, Raphael Hertzog wrote: [...] >> So I suggest you to go ahead and do assignations. If you want to let >> people pick weeks by themselves, just do it for a few days and then >> arbitrarily assign the remaining weeks. > > I

Re: please post an announcement wrt wheezy-lts architectures

2016-04-27 Thread Markus Koschany
Hi, Am 27.04.2016 um 17:26 schrieb Adam Borowski: > Hi guys! > It looks like a vital piece of information is missing from Monday's news on > debian-announce: the list of architectures. If I'm reading this list's > archives right, it is amd64 i386 armhf armel. Yet what the public thinks > is

Re: Announcing Wheezy LTS via debian-security-announce

2016-04-23 Thread Markus Koschany
Am 20.04.2016 um 19:14 schrieb Markus Koschany: [...] > First of all thanks for all the feedback and the review from Justin B > Rye and victory. I like the new draft. Judging from Moritz' response > there doesn't seem to be much interest in releasing the announcement on > two diffe

Re: Call for tests: Making OpenJDK 7 the default in Wheezy LTS

2016-04-25 Thread Markus Koschany
Am 25.04.2016 um 11:41 schrieb Rene Engelhard: > Hi, > > On Wed, Apr 20, 2016 at 06:22:51PM +0200, Markus Koschany wrote: >> I would like to ask everyone who uses Java in server or desktop >> environments to test their applications with OpenJDK 7 and to prepare >&g

[SECURITY] Security support for Wheezy handed over to the LTS team

2016-04-25 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 As of 25 April, one year after the release of Debian 8, alias "Jessie", and nearly three years after the release of Debian 7, alias "Wheezy", regular security support for Wheezy comes to an end. The Debian Long Term Support (LTS) Team will take over

Re: Call for tests: Making OpenJDK 7 the default in Wheezy LTS

2016-04-25 Thread Markus Koschany
Am 25.04.2016 um 12:23 schrieb Holger Levsen: > On Mon, Apr 25, 2016 at 12:17:52PM +0200, Markus Koschany wrote: >> I think in those cases it is reasonable to recommend to manually change >> build dependencies back to OpenJDK 6 because rebuilding a package does >> not

[SECURITY] [DLA 449-1] botan1.10 security update

2016-04-30 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: botan1.10 Version: 1.10.5-1+deb7u1 CVE ID : CVE-2014-9742 CVE-2015-5726 CVE-2015-5727 CVE-2015-7827 CVE-2016-2194 CVE-2016-2195 CVE-2016-2849 Several security vulnerabilities were

[SECURITY] [DLA 450-1] gdk-pixbuf security update

2016-04-30 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: gdk-pixbuf Version: 2.26.1-1+deb7u4 CVE ID : CVE-2015-7552 CVE-2015-7674 A heap-based buffer overflow has been discovered in gdk-pixbuf, a library for image loading and saving facilities, fast scaling and

Re: Draft for bits.debian.org regarding armel and armhf support

2016-05-18 Thread Markus Koschany
[P.S. The team is subscribed to debian-lts ;-)] Am 18.05.2016 um 17:35 schrieb Antoine Beaupré: > On 2016-05-18 06:33:57, Raphael Hertzog wrote: >> On Wed, 18 May 2016, Holger Levsen wrote: >>> I just wondered whether we should also include the info that openjdk6 >>> will very soon be deprecated

Re: Wheezy update of sogo?

2016-05-18 Thread Markus Koschany
Am 18.05.2016 um 21:01 schrieb Jeroen Dekkers: > Hi Markus, > > Sorry for the late reply. This bug also isn't fixed in jessie, the > reason for this is that upstream isn't going to fix this for SOGo 2 > and earlier. The security bug is about the complete lack of CSRF > protection and implementing

Re: Wireshark in wheezy-lts

2016-05-23 Thread Markus Koschany
Am 21.05.2016 um 16:31 schrieb Balint Reczey: > Dear LTS Team, > > I would like to suggest (and volunteer for) back-porting > jessie-security's wireshark version to wheezy-lts. Hi Balint, FYI, Steffen Moeller is also currently working on a security update for wireshark (dla-needed.txt). Maybe

Wheezy update of sogo?

2016-05-09 Thread Markus Koschany
package before it gets released. Thank you very much. Markus Koschany, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://anonscm.debian.org/viewvc

Re: icu package and debdiff [new contributor, first attempt]

2016-05-09 Thread Markus Koschany
Hello Roberto, welcome on board! Am 08.05.2016 um 05:34 schrieb Roberto C. Sánchez: > Hi All, > > I'm still "in-training" and I thought I would attempt to prepare an > upload of the icu package for wheezy. > > The package is here: https://people.debian.org/~roberto/ > dsc -

Re: Wheezy update of ikiwiki?

2016-05-09 Thread Markus Koschany
Am 08.05.2016 um 23:58 schrieb Simon McVittie: [...] > Note that I haven't done any real-world testing on this version, because > I haven't run wheezy since around the time jessie was released, and my > production ikiwiki instances use the latest upstream release from > jessie-backports. t/img.t

Re: Wheezy update of ikiwiki?

2016-05-09 Thread Markus Koschany
Am 09.05.2016 um 19:50 schrieb Simon McVittie: [...] >> This used to work with the current version in Wheezy. Is this >> intentional or a regression? > > There was no option of that name in the current version in Wheezy. All > versions prior to last Friday effectively had the same behaviour as if

Re: Wheezy update of ikiwiki?

2016-05-09 Thread Markus Koschany
Am 09.05.2016 um 23:51 schrieb Simon McVittie: > On Mon, 09 May 2016 at 20:05:17 +0200, Markus Koschany wrote: >> Please proceed with the upload to wheezy-security at your leisure. > > I've uploaded a second test version, fixing a regression which I've > also just fixed i

Re: Unsupported packages for Wheezy LTS

2016-05-12 Thread Markus Koschany
Am 12.05.2016 um 15:16 schrieb Santiago Ruano Rincón: [...] qemu qemu-kvm xen > xen will be supported. libvirt > > qemu and qemu-kvm were triaged as unsupported for CVE-2016-3712, but I > think Guido is studying how to support virtualisation related packages, > and maybe we

Re: libidn test packages [resent]

2016-05-17 Thread Markus Koschany
Am 17.05.2016 um 16:59 schrieb Antoine Beaupré: > Reducing CCs. > > On 2016-05-14 04:19:50, Brian May wrote: >> Antoine Beaupré writes: >> >>> I reviewed the patch quickly, nothing strikes me as completely wrong, >>> but I am not currently in a position to test the patchset.

Re: [Secure-testing-commits] r41743 - data/CVE

2016-05-17 Thread Markus Koschany
Am 17.05.2016 um 16:49 schrieb Antoine Beaupré: > On 2016-05-17 07:42:52, Santiago Ruano Rincón wrote: >> Thanks for triaging this. But, don't forget to update >> https://anonscm.debian.org/cgit/collab-maint/debian-security-support.git/tree/security-support-ended.deb7 >> when needed. > >

Draft for bits.debian.org regarding armel and armhf support

2016-05-15 Thread Markus Koschany
Hi all, since armel and armhf are de facto supported in Wheezy LTS now, I have drafted a short announcement for bits.debian.org in markdown. What do you think about the text? Title: Wheezy LTS with armel and armhf support Date: 2016-05-15 22:13 Author: Markus Koschany Tags: Wheezy, LTS Status

[SECURITY] [DLA 473-1] wpa security update

2016-05-14 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: wpa Version: 1.0-3+deb7u4 CVE ID : CVE-2016-4476 CVE-2016-4477 Debian Bug : 823411 A vulnerability was found in how hostapd and wpa_supplicant writes the configuration file update for the WPA/WPA2 passphrase

Icedove security update for Wheezy LTS

2016-05-13 Thread Markus Koschany
Hello Christoph, thanks for your Icedove security update. We usually send an e-mail to debian-lts-announce to make users aware of the changes. Do you want to take care of this yourself? Then please follow our workflow that we have outlined at

[SECURITY] [DLA 471-1] jansson security update

2016-05-13 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: jansson Version: 2.3.1-2+deb7u1 CVE ID : CVE-2016-4425 Debian Bug : 823238 Applications that depend on Jansson, a C library for encoding, decoding and manipulating JSON data, could crash due to stack exhaustion

Re: Draft for bits.debian.org regarding armel and armhf support

2016-05-18 Thread Markus Koschany
Am 18.05.2016 um 12:33 schrieb Raphael Hertzog: > On Wed, 18 May 2016, Holger Levsen wrote: >> I just wondered whether we should also include the info that openjdk6 >> will very soon be deprecated and users should update to openjdk7? As >> evident from this list, even LTS contributors missed this

bits.debian.org: Wheezy LTS post about armel and armhf support

2016-05-18 Thread Markus Koschany
:51 Author: Markus Koschany Tags: Wheezy, LTS Status: draft Wheezy's [LTS](https://wiki.debian.org/LTS) period started a few weeks ago and more than thirty updates [have been announced](https://lists.debian.org/debian-lts-announce/) so far. Thanks to our sponsors and to the help from Debian's

Re: bits.debian.org: Wheezy LTS post about armel and armhf support

2016-05-18 Thread Markus Koschany
Am 18.05.2016 um 16:18 schrieb Ana Guerrero Lopez: > On Wed, May 18, 2016 at 03:56:00PM +0200, Markus Koschany wrote: >> Hi folks, >> >> the LTS team would like to make a short announcement on bits.debian.org. >> We think it is worth mentioning that armel and armhf are

[SECURITY] [DLA 475-1] python-tornado security update

2016-05-15 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: python-tornado Version: 2.3-2+deb7u1 CVE ID : CVE-2014-9720 It was discovered that python-tornado, a Python web framework and asynchronous networking library, was susceptible for the BREACH attack. The XSRF token is

[SECURITY] [DLA 451-1] openjdk-7 security update

2016-05-03 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: openjdk-7 Version: 7u101-2.6.6-2~deb7u1 CVE ID : CVE-2016-0636 CVE-2016-0686 CVE-2016-0687 CVE-2016-0695 CVE-2016-3425 CVE-2016-3426 CVE-2016-3427 Several vulnerabilities have been discovered in

[SECURITY] [DLA 452-1] smarty3 security update

2016-05-03 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: smarty3 Version: 3.1.10-2+deb7u1 CVE ID : CVE-2014-8350 Debian Bug : 765920 Smarty3, a template engine for PHP, allowed remote attackers to bypass the secure mode restrictions and execute arbitrary PHP code as

Debian LTS: uploaded packages to wheezy-security not available

2016-05-04 Thread Markus Koschany
Hi Ansgar, In preparation for the default Java switch I have uploaded more packages to wheezy-security yesterday and most of them are available in the archive now. However some of them never showed up there, although I made sure to build with -sa. I guess there is an issue with dak again. The

LTS updates not pushed to security mirrors

2016-05-01 Thread Markus Koschany
Am 01.05.2016 um 10:38 schrieb Peter Palfrader: [...] > The security mirror is current. Hi, I was informed that LTS updates are currently only pushed to the mirrors when the Security Team has issued a new DSA for it. Of course this is less than optimal but the ftp team is already aware of it. We

Sending LTS changes to debian-lts-changes

2016-05-02 Thread Markus Koschany
Hi Ansgar, thank you for fixing the mirror bug. Moritz Mühlenhoff informed us on IRC that accepted mails for LTS uploads are still sent to dak AT security.debian.org. Can you filter those mails so that they are sent to debian-lts-changes instead and if possible also to dispatch _AT_

  1   2   3   4   5   6   7   8   >