Re: Firmware-nonfree update?

2021-05-17 Thread Utkarsh Gupta
Hello, On Mon, May 17, 2021 at 1:00 PM Ola Lundqvist wrote: > firmware-nonfree > NOTE: 20201207: wait for the update in buster and backport that (Emilio) > > The problem here is that will likely not happen due to the following note in > the security tracker on all the connected CVEs: >

Re: Upgrade problems from LTS -> LTS+1

2021-05-17 Thread Holger Levsen
On Mon, May 17, 2021 at 01:09:10PM +0530, Utkarsh Gupta wrote: > This shouldn't just run once, it should keep checking once in a while. > And once especially when we're nearing EOL of the LTS and ELTS releases. yes. I'd be glad to set up such a script running regularly on jenkins.debian.net and

Re: Best way forward for CVE-2021-22876/curl?

2021-05-17 Thread Sylvain Beucler
Hi, I thought you'd rebuild but here you go. I intend to upload today. Cheers! Sylvain On 17/05/2021 08:13, Ola Lundqvist wrote: Hi again Sylvain Today I was about to test the packages but I realize that I only have a libcurl-doc deb file to test. Will you upload the rest for testing

Golang packages

2021-05-17 Thread Ola Lundqvist
Hi fellow LTS contributors I have a question about go package support. The question is whether we should try to support it in LTS or not: According to this we do not give security support for go packages in buster.

Re: Upgrade problems from LTS -> LTS+1

2021-05-17 Thread Ola Lundqvist
Hi Should we try to automate the detection of such issues? It should be fairly easy to do. Package renaming complicates the checks but on the other hand if the package is renamed the issue is not as big anymore. // Ola On Sun, 16 May 2021 at 10:55, Holger Levsen wrote: > On Sat, May 15, 2021

Re: Upgrade problems from LTS -> LTS+1

2021-05-17 Thread Utkarsh Gupta
On Mon, May 17, 2021 at 2:18 PM Utkarsh Gupta wrote: > I think we shouldn't wait for when the package in the older release > has a greater version but check them *before*. [...] Or well, we could check after as well. But I am much more inclined towards "avoiding" such a problem in the first

Re: Upgrade problems from LTS -> LTS+1

2021-05-17 Thread Utkarsh Gupta
Hello, On Mon, May 17, 2021 at 2:05 PM Ola Lundqvist wrote: > 3) Merge the normal release with the security release (takes the latest) Yeah, the goal is to cover all sorts of releases (normal, -pu, security) and get the highest version amongst them. > 4) Compare the two merged sets and check

Firmware-nonfree update?

2021-05-17 Thread Ola Lundqvist
Hi fellow LTS contributors I noticed that firmware-nonfree has the following note in the dla-needed.txt file. firmware-nonfree NOTE: 20201207: wait for the update in buster and backport that (Emilio) The problem here is that will likely not happen due to the following note in the security

Re: Upgrade problems from LTS -> LTS+1

2021-05-17 Thread Holger Levsen
On Mon, May 17, 2021 at 09:33:47AM +0200, Ola Lundqvist wrote: > Should we try to automate the detection of such issues? It should be fairly > easy to do. yes, please. > Package renaming complicates the checks but on the other hand if the > package is renamed the issue is not as big anymore.

Re: Upgrade problems from LTS -> LTS+1

2021-05-17 Thread Ola Lundqvist
Hi These are my thoughts on how the script would work: 1) Run the script with the following inputs: - older release apt packages file - older security release apt packages file - later release apt packages file - later security release apt package file 2) The script will then parse those files

Re: Upgrade problems from LTS -> LTS+1

2021-05-17 Thread Ola Lundqvist
Hi Yes that makes sense. I can write some tool for that too. But now I'm focusing on finding already existing problems. The script is almost ready. I'm testing it right now. // Ola On Mon, 17 May 2021 at 10:49, Utkarsh Gupta wrote: > Hello, > > On Mon, May 17, 2021 at 2:05 PM Ola Lundqvist

Re: Upgrade problems from LTS -> LTS+1

2021-05-17 Thread Ola Lundqvist
Hi I'll write a script that does the conversion. It should not take that long. // Ola On Mon, 17 May 2021 at 09:39, Utkarsh Gupta wrote: > Hello, > > On Mon, May 17, 2021 at 1:04 PM Ola Lundqvist wrote: > > Should we try to automate the detection of such issues? It should be > fairly easy to

Re: Best way forward for CVE-2021-22876/curl?

2021-05-17 Thread Ola Lundqvist
Hi again Sylvain Today I was about to test the packages but I realize that I only have a libcurl-doc deb file to test. Will you upload the rest for testing too? // Ola On Sun, 16 May 2021 at 09:08, Ola Lundqvist wrote: > Hi > > I have reviewed the changes and it looks good. > I'll see if I

Re: Upgrade problems from LTS -> LTS+1

2021-05-17 Thread Utkarsh Gupta
Hello, On Mon, May 17, 2021 at 1:04 PM Ola Lundqvist wrote: > Should we try to automate the detection of such issues? It should be fairly > easy to do. This shouldn't just run once, it should keep checking once in a while. And once especially when we're nearing EOL of the LTS and ELTS

Re: Best way forward for CVE-2021-22876/curl?

2021-05-17 Thread Sylvain Beucler
Thanks for the additional testing. Uploaded. Cheers! Sylvain On 17/05/2021 12:39, Ola Lundqvist wrote: Hi again I was able to reproduce the issue and I can confirm that it is solved by the update. On an unfixed version I run the following: curl -L -e ";auto" -raw -v

[SECURITY] [DLA 2664-1] curl security update

2021-05-17 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian LTS Advisory DLA-2664-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Sylvain Beucler May 17, 2021

(semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2021-05-17 Thread Lynoure Braakman
hi, Nobody claimed 4 packages or more. The following package was unclaimed for LTS: -ansible (Markus Koschany) Here I'm having doubts about needing to unclaim this... Do take it back as you see fit, Markus. Nothing was unclaimed for ELTS. Only one reserved DLA has not been published yet:

Accepted curl 7.52.1-5+deb9u14 (source) into oldstable

2021-05-17 Thread Debian FTP Masters
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sat, 15 May 2021 18:11:21 +0200 Source: curl Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg libcurl4-doc Architecture: source Version: 7.52.1-5+deb9u14

Re: Upgrade problems from LTS -> LTS+1

2021-05-17 Thread Holger Levsen
On Mon, May 17, 2021 at 04:54:39PM +0530, Utkarsh Gupta wrote: > > debian-security-support: 1:9+2021.01.23 newer than 2020.06.21~deb10u1 > Holger, can you TAL? Gee... I don't know what TAL means... That said, I'm aware of this issue and have been waiting for an issue worth updating

Re: Upgrade problems from LTS -> LTS+1

2021-05-17 Thread Abhijith PA
On 17/05/21 04:54 PM, Utkarsh Gupta wrote: > Hello, > > On Mon, May 17, 2021 at 3:08 PM Ola Lundqvist wrote: > > mqtt-client: 1.14-1+deb9u1 newer than 1.14-1 > > Abhijith, can you please take care of this? You need a -pu update > prepared for this. Okay, I will take care of this. Issue is no

Firmware-nonfree update for buster?

2021-05-17 Thread Ola Lundqvist
Hi firmware-nonfree maintainers I have a question from an LTS perspective about the possible security updates we have for the firmware-nonfree package. You can find them here: https://security-tracker.debian.org/tracker/source-package/firmware-nonfree I can see that all the related CVEs are

Re: Best way forward for CVE-2021-22876/curl?

2021-05-17 Thread Ola Lundqvist
Hi again I was able to reproduce the issue and I can confirm that it is solved by the update. On an unfixed version I run the following: curl -L -e ";auto" -raw -v http://test:p...@inguza.com/' And the resulting Referer output was: > Referer: http://test:p...@inguza.com/ With the fixed

Re: Best way forward for CVE-2021-22876/curl?

2021-05-17 Thread Ola Lundqvist
Hi Sylvain I have done some regression testing and it looks fine. I'll try to reproduce the actual issue too. // Ola On Mon, 17 May 2021 at 11:09, Sylvain Beucler wrote: > Hi, > > I thought you'd rebuild but here you go. > > I intend to upload today. > > Cheers! > Sylvain > > On 17/05/2021

Re: Upgrade problems from LTS -> LTS+1

2021-05-17 Thread Ola Lundqvist
Hi all And this is the result: First I instructed apt to download stretch and buster source packages files. After that I run the command like this: ola@tigereye:~$ ./checkversions.pl --old /var/lib/apt/lists/httpredir.debian.org_debian_dists_stretch_main_source_Sources --old-sec

Re: Firmware-nonfree update for buster?

2021-05-17 Thread Moritz Muehlenhoff
On Mon, May 17, 2021 at 11:54:05AM +0200, Ola Lundqvist wrote: > Hi firmware-nonfree maintainers > > I have a question from an LTS perspective about the possible security > updates we have for the firmware-nonfree package. > > You can find them here: >

Re: Upgrade problems from LTS -> LTS+1

2021-05-17 Thread Utkarsh Gupta
Hello, On Mon, May 17, 2021 at 3:08 PM Ola Lundqvist wrote: > mqtt-client: 1.14-1+deb9u1 newer than 1.14-1 Abhijith, can you please take care of this? You need a -pu update prepared for this. > ruby-websocket-extensions: 0.1.2-1+deb9u1 newer than 0.1.2-1 Already has an opened -pu bug. >

Re: Golang packages

2021-05-17 Thread Ola Lundqvist
Hi Ok, thanks for the clarification. But we should then generally mark golang updates as no-dsa unless they are critical, right? For example golang-gogoprotobuf is rather questionable whether we should fix at all. // Ola On Mon, 17 May 2021 at 11:44, Sylvain Beucler wrote: > Hi, > >

Re: Upgrade problems from LTS -> LTS+1

2021-05-17 Thread Utkarsh Gupta
Hello, On Mon, May 17, 2021 at 5:06 PM Holger Levsen wrote: > > Holger, can you TAL? > Gee... I don't know what TAL means... Heh. Take A Look (TAL) :) > That said, I'm aware of this issue and have been waiting for an issue worth > updating debian-security-support in buster. I don't think the

Re: Golang packages

2021-05-17 Thread Sylvain Beucler
Hi, According to debian-security-support, golang packages are not "unsupported" but with "limited support". Currently some packages are updated in stable and rdeps are manually bin-num'd (e.g. #946467), see also https://www.debian.org/News/2020/20200718 for stretch-before-LTS. It looks like

Re: Golang packages

2021-05-17 Thread Brian May
Ola Lundqvist writes: > I can also see a note in dla-needed for Thorsten working on automating go > updates. I did a bit of work trying to automate go updates on my system: * Identifying what packages need to be updated. * Downloading said packages. * Rebuilding. * Uploading. But there is