Brian May <b...@debian.org> writes:
> I have a version available for testing with a fix for the UDF issue
> (CVE-2016-2335):
>
> https://people.debian.org/~bam/debian/pool/main/p/p7zip/
>
> (only i386 version so far, hope to upload amd64 version ASAP).
Now got AMD64 versi
:
sbuild-build-depends-roundcube-dummy : Depends: libjs-jquery-ui (>= 1.10) but
it is not going to be installed
E: Unable to correct problems, you have held broken packages.
apt-get failed.
E: Package installation failed
Not removing build depends: cloned chroot in use
--
Brian May <b...@debian.org>
Just guessing a bit here:
Brian May <b...@debian.org> writes:
> CVE-2016-4562
>
> The DrawDashPolygon function in MagickCore/draw.c in ImageMagick before
> 6.9.4-0 and 7.x before 7.0.1-2 mishandles calculations of certain
> vertices integer data, which allows remote attack
Brian May <b...@debian.org> writes:
> I asked here https://twitter.com/penguin_brian/status/739583514153091072
I got a response:
@penguin_brian there is wrong info. Ofc vulnerable code exist since :
9.32 alpha 2013-12-01
https://twitter.com/_Icewall/status/739731922998448129
L
an.org/LTS
- --
Brian May <b...@debian.org>
think
> a backport is not necessary.
Not sure if you were asking me or the mailing list, however no
objections from me. I say go ahead and do it.
--
Brian May <b...@debian.org>
Brian May <b...@debian.org> writes:
> Significant changes to TraceStrokePolygon function:
Here is a diff ignoring white space changes:
@@ -6021,13 +6022,25 @@
}
if (q >= (ssize_t) (max_strokes-6*BezierQuantum-360))
{
+if (~max_strokes < (6*Be
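Review bot: the added guard starting `if (~max_strokes < (6*Be` uses bitwise complement as its overflow test, which matches `SIZE_MAX - max_strokes` only when max_strokes is an unsigned size_t; a short comment saying so, or the explicit subtraction form, would make the intent checkable. The unchanged condition above computes `max_strokes-6*BezierQuantum-360` before the cast to ssize_t, so it is also worth confirming that max_strokes can never be smaller than that constant when this branch is reached.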
I have a version available for testing at:
https://people.debian.org/~bam/debian/pool/main/i/imagemagick/
Brian May <b...@debian.org> writes:
> CVE-2016-4562
>
> The DrawDashPolygon function in MagickCore/draw.c in ImageMagick before
> 6.9.4-0 and 7.x before 7.0.1-2 misha
Brian May <b...@debian.org> writes:
> Just realized I have been talking a lot of nonsense. UDF support isn't
> about compressing files from UDF file systems, it is about compressing
> UDF images. So yes, it is a format issue like Ben said, and it should
> get fixed.
I have a
sues at TALOS, since
> http://www.talosintel.com/reports/TALOS-2016-0093/ claims that as well
> 9.20 is affected.
Yes, I noticed this too. Will check.
--
Brian May <b...@debian.org>
nguin_brian/status/739583514153091072
I note the following code which is the same (if my arithmetic is
correct):
const UInt32 kBufSize = (1 << 16);
In report this is:
const size_t kBufSize = kCompressionBlockSize; // 0x1
However everything else looks very different.
--
Brian May <b...@debian.org>
Hello,
Do we care about vulnerabilities that are specific to HFS+?
http://www.talosintel.com/reports/TALOS-2016-0093/
CVE-2016-2334
Regards
--
Brian May <br...@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
Brian May <br...@linuxpenguins.xyz> writes:
> Hello,
>
> Do we care about vulnerabilities that are specific to HFS+?
>
> http://www.talosintel.com/reports/TALOS-2016-0093/
> CVE-2016-2334
Along similar lines, just noticed that the next issue is UDF specific.
http://ww
Brian May <b...@debian.org> writes:
> Looks like the test certificates may have expired.
>
> https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1581084
Yes, builds fine now after applying the patch from the above link.
--
Brian May <b...@debian.org>
t 4.1.6.1-1+deb7u1. i found the same
> error here:
>
> https://bugs.launchpad.net/ubuntu/+source/xen/+bug/1515145
--
Brian May <b...@debian.org>
Brian May <b...@debian.org> writes:
> It appears that we need an extra patch to get the fix for xsa97 working
> properly. See the linked Ubuntu bug report.
>
> https://bugs.launchpad.net/ubuntu/+source/xen/+bug/1515145
>
> Just wondering if you included this in version
Brian May <br...@linuxpenguins.xyz> writes:
> It might be worth somebody else testing it, just in case this is
> something specific to my build.
>
> Will continue investigating.
Looks like the test certificates may have expired.
https://bugs.launchpad.net/ubuntu/+source/op
identified for CVE-2016-2372 was
the same as one of the patches for CVE-2016-2369 so I didn't apply it
twice.
Still need to test this and make a copy for testing.
--
Brian May <br...@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
diff -Nru pidgin-2.10.10/debian/changelog pidgin-2.10.10/
Brian May <b...@debian.org> writes:
> Which package owns /lib/i686/cmov/libm.so.6?
I am not able to find this file in any package on my chroot.
--
Brian May <b...@debian.org>
trtod_nan
DF *UND* GLIBC_2.0 __strtod_nan
That doesn't look healthy to me.
--
Brian May <b...@debian.org>
Brian May <b...@debian.org> writes:
> That doesn't look healthy to me.
Spoke too soon.
(squeeze-i386-default)root@prune:/home/brian# objdump -T /lib/libc.so.6 | grep
__strtod_nan
0003b180 gDF .text 00b5 GLIBC_2.0 __strtod_nan
On i386, looks like GLIBC_2.0 i
symbol
without actually loading the new symbol.
--
Brian May <b...@debian.org>
with 0072 if I persisted, not sure I
would necessarily be able to trust the results.
So I am inclined to apply the 0071 patch to the version in squeeze, and
then mark TEMP-0811308-B63DA1 as resolved. Or should I do something else
like create separate entries for each issue or something?
--
Brian May <
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Sun, 31 Jan 2016 16:00:03 +1100
Source: gajim
Binary: gajim
Architecture: source
Version: 0.13.4-3+squeeze4
Distribution: squeeze-lts
Urgency: medium
Maintainer: Yann Leboulanger <aste...@lagaule.org>
Changed-By: Brian
Brian May <br...@linuxpenguins.xyz> writes:
> The version for testing is available here:
>
> https://linuxpenguins.xyz/debian/pool/main/g/gajim/
Just noticed this version has some quilt files in the source which are
not applicable because gajim doesn't use quilt format. Ignore t
cause any breakage other than with already running
processes. Especially as squeeze-lts support will be ending soon.
--
Brian May <b...@debian.org>
s.debian.org/msgid-search/20160208082335.ga10...@fantomas.sk
I don't think there was a bug report filed in the BTS.
The previous upload was announced here:
https://lists.debian.org/msgid-search/20160205162120.GA20334@novelo
--
Brian May <b...@debian.org>
Sébastien Delafond <s...@debian.org> writes:
> - imagemagick in squeeze appears to only be vulnerable
> TEMP-0811308-B63DA1[0].
This is five separate issues. See #811308. So does it make sense to ask
for a separate CVE for each issue?
--
Brian May <b...@debian.org>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Sat, 23 Jan 2016 11:22:06 +1100
Source: pound
Binary: pound
Architecture: source
Version: 2.6-1+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Brett Parker <idu...@sommitrealweird.co.uk>
Changed-By: Brian
e attackers to obtain cleartext data via a
padding-oracle attack, aka the "POODLE" issue.
- --
Brian May <b...@debian.org>
Raphael Hertzog <hert...@debian.org> writes:
> On Sat, 23 Jan 2016, Brian May wrote:
>> * Wasn't sure what to do with the version number - I have to use a lower
>> then then wheezy - so I merged the changelog entries for 2.6-* into
>> one and named the version 2.6
ccount (I don't think I do), and tried the
forget password routine. I am wondering if it has detected a security
violation and blocked my IP address. If so, seems a very paranoid
server.
Will try again tomorrow.
--
Brian May <b...@debian.org>
ve had to restart
all processes anyway.
--
Brian May <b...@debian.org>
omic operation or do we
have to do them one at a time? The latter could be potentially risky and
break things if both versions end up being included in the one
application, especially if versioned symbols not used (I haven't
checked).
--
Brian May <b...@debian.org>
Brian May <b...@debian.org> writes:
>> 2. Spend some time on investigating what it takes to backport
>> libav from jessie to wheezy. 11.x is still supported by
>> libav upstream and we could share triage work for jessie/wheezy
>> going forwards. 0
.html
So I am wondering if I can just mark xen in squeeze and wheezy as not
being affected by CVE-2015-2756 too?
--
Brian May <b...@debian.org>
of time now, will continue looking at this later.
--
Brian May <b...@debian.org>
>From 16794c97e99228ca551ff09fa696d00f39ceee82 Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk <konrad.w...@oracle.com>
Date: Wed, 19 Nov 2014 12:57:11 -0500
Subject: Limit XEN_DOMCTL_memory_ma
n wheezy has 4.1.4, Ubuntu precise has 4.1.6; no idea if this
matters. Am speculating that 4.1.6 might have security updates.
So one possible strategy might be to take Ubuntu's package as is and
port it to Debian wheezy.
Wonder how many of the CVEs the Ubuntu version fixes.
--
Brian May <b...@debian.org>
n't clear the symbols files for the C ABIs, only the C++ ABI
-- Simon McVittie <s...@debian.org> Wed, 12 Aug 2015 07:50:55 +0100
--
Brian May <b...@debian.org>
Brian May <b...@debian.org> writes:
> However, it looks like version -5.1 (see below) has some non-security
> related changes that might not be appropriate for Jessie, so not yet
> decided. I will investigate further and report here.
Here is my attempt at a Jessie security updat
Brian May <b...@debian.org> writes:
>> However, it looks like version -5.1 (see below) has some non-security
>> related changes that might not be appropriate for Jessie, so not yet
>> decided. I will investigate further and report here.
>
> Here is my attempt at a Je
of these are at the stage where they can be uploaded or almost
there. I will continue working on these next month.
--
Brian May <b...@debian.org>
Luciano Bello <luci...@debian.org> writes:
> On Saturday 26 March 2016 17.40.39 Brian May wrote:
>> > If you didn't get any other comment, feel free to upload to security
>> > master. I'm not part of the LTS team, but I guess you can also update
>> >
was looking at the documentation from
http://secure-testing-master.debian.net/uploading.html
I tried security-master too, but got identical results. Permission
Denied with the upload.
--
Brian May <b...@debian.org>
ecurityUploadQueue.
Found the problem. I didn't notice that this used ftp, and ftp is broken
on my network because I haven't needed it in ages and haven't noticed it
was broken.
So I have uploaded the packages now using my 4G network.
--
Brian May <b...@debian.org>
Brian May <b...@debian.org> writes:
> However the upload of imagemagick for Jessie didn't go so well; I didn't
> realize that packages.debian.org has the correct binary but old source
> (doesn't take into account point updates properly), so I will have to
> redo it with the lat
Luciano Bello <luci...@debian.org> writes:
> On Thursday 07 April 2016 12.36.12 Brian May wrote:
>> Found the problem. I didn't notice that this used ftp, and ftp is broken
>> on my network because I haven't needed it in ages and haven't noticed it
>> was broken.
>
>
Antoine Beaupré <anar...@orangeseeds.org> writes:
> Heads up! The Xen packages prepared by Brian May have passed preliminary
> testing and are ready for wider testing on Wheezy! See:
>
> https://people.debian.org/~anarcat/debian/wheezy-lts/
[...]
> So here's a debdiff bas
Brian May <b...@debian.org> writes:
>> Wonder how many of the CVEs the Ubuntu version fixes.
>
> Will have a look at this now.
Comparing the changelog with our security tracker (by hand; not sure if
anybody has written a tool to automate this, if not might be a good
Luciano Bello <luci...@debian.org> writes:
> On Thursday 10 March 2016 13.39.31 Brian May wrote:
>> I have wheezy packages for testing:
>> https://people.debian.org/~bam/wheezy/imagemagick/
>>
>> I also have jessie packages for testing:
>> https://pe
typo, as it concerns OpenVPN according to the
> security tracker. You probably mean CVE-2015-8104...
Yes, that looks like a typo. Thanks for the correction.
> That is an impressive list, and it does seem like we should merge our
> efforts with Ubuntu here!
Agreed.
--
Brian May <b...@debian.org>
build that myself or do you want to
> followup on Xen yourself?
I won't be able to look again at this until next week. So sure, go
ahead.
If you haven't looked at it by then, I will have a look again.
--
Brian May <b...@debian.org>
Luciano Bello <luci...@debian.org> writes:
> On Sunday 06 March 2016 16.34.26 Brian May wrote:
>> The following patch applied to the imagemagick in Debian wheezy should
>> fix the security problem already resolved in squeeze. The patches have
>> been port
Brian May <br...@linuxpenguins.xyz> writes:
> I will also make debs available for testing.
Available now at: https://people.debian.org/~bam/wheezy/imagemagick/
--
Brian May <b...@debian.org>
happen,
however would be good if it does get resolved.
--
Brian May <b...@debian.org>
ches, however no easy way of being able to link each issue to each
patch. So if a CVE was provided for each issue, it would be relatively
hard to link it to the appropriate patch with 100% certainty.
With so many different issues, I suspect it is going to be overwhelming
requesting a CVE for each iss
Brian May <b...@debian.org> writes:
> What version did you upgrade from?
>
> Does this crash happen immediately after restart, or in response to an
> incoming request?
>
> Can I assume that after doing a full restart, it still crashes in the
> same manner?
Just realiz
Have had a preliminary look at the changes made between the squeeze
version (3.1.6-1.2+squeeze3) and squeeze-lts version
(3.1.6-1.2+squeeze6) however nothing seems to touch either forward.cc or
the server_fd global variable.
Seems to be crashing when trying to close a connection.
--
Brian May <b...@debian.org>
Can I assume that after doing a full restart, it still crashes in the
same manner?
--
Brian May <b...@debian.org>
evert CVE-2016-2569 patch. This fix heavily relies on exception
handling of more recent squid versions, and more intrusive changes.
Closes: #816601
--
Brian May <b...@debian.org>
Brian May <b...@debian.org> writes:
> So one possible strategy might be to take Ubuntu's package as is and
> port it to Debian wheezy.
Have rebuilt Ubuntu's xen package for wheezy.
The results are available for testing.
https://people.debian.org/~bam/wheezy/xen/
The most signific
Brian May <b...@debian.org> writes:
> libpostproc-dev will be uninstallable - does this matter?
Whoops. Just noticed that libpostproc-dev is provided by the old libav,
however not provided by the new libav. I had thought it was another
source package.
So any packages that depend on it
for staging my proposed updates for
testing. https://people.debian.org/~bam/debian/
There is much work remaining fixing the dependencies of libav, which I
plan to continue on - as much as feasible anyway - next month. ffmpeg
might be a stumbling point.
--
Brian May <br...@linuxpenguins.
Brian May <b...@debian.org> writes:
> So guessing the solution might be to backport the stretch version to
> wheezy?
Backporting ffmpeg could prove challenging, this is the version from
jessie-backports:
The following packages have unmet dependencies:
sbuild-build-depends-
e difference (except perhaps as an additional sanity
check you listed the correct CVE), if there are many CVE's the risk of
error in filling out details for one of the CVEs by hand increases. It
could also add more standardised text (such as "This is fixed in version
X; we recommend you upgrade.").
--
Brian May <b...@debian.org>
be it could be used to test with the code vs policy patches?
My code passes these tests.
I have built debs available for testing:
https://people.debian.org/~bam/debian/pool/main/i/imagemagick/
Unless I get feedback I plan to upload next Mondayish, UTC+10 timezone.
--
Brian May <b...@debian.org>
atch is attached.
Any comments??
Thanks
--
Brian May <b...@debian.org>
diff -Nru librsvg-2.36.1/debian/changelog librsvg-2.36.1/debian/changelog
--- librsvg-2.36.1/debian/changelog 2016-03-27 09:46:35.0 +1100
+++ librsvg-2.36.1/debian/changelog 2016-05-12 09:31:01.0 +1000
@@ -1,3
Antoine Beaupré <anar...@orangeseeds.org> writes:
> I do believe you are correct: some DLAs are definitely missing. I wrote
> about libidn in <871t50elvf@angela.anarcat.ath.cx>, the uploader was
> Brian May (in CC).
I sent DLAs for both libidn and librsvg:
libidn
Antoine Beaupré <anar...@orangeseeds.org> writes:
> Indeed, sorry I missed that. Then let me rephrase:
>
> Brian, do you still intend to send that DLA? :)
I did. My emails appear to have gone missing somewhere along the way
:-(
--
Brian May <b...@debian.org>
Antoine Beaupré <anar...@orangeseeds.org> writes:
> It's hard to tell without redoing the exact same process you did
> yourself. :p
Ok, I will go ahead. Will pay particular attention this time, see if my
email goes missing again.
--
Brian May <b...@debian.org>
Markus Koschany <a...@debian.org> writes:
> Don't forget to use Inline-PGP for signing the e-mails. :)
Yes, did that.
Oh wait, maybe I signed with the wrong key. My old key, not my new
one. Ooops.
Apologies for that, will resend the DLAs.
--
Brian May <b...@debian.org>
Brian May <b...@debian.org> writes:
> However I don't see them in the archives. I can try resending...
I resent the DLAs. I suspect I might have used the wrong GPG key for
signing.
Apologies.
--
Brian May <b...@debian.org>
read. This could allow attackers to disclose
sensitive information from an application using the libidn library.
For Debian 7 "Wheezy", these problems have been fixed in version
1.25-2+deb7u1.
We recommend that you upgrade your libidn packages.
- --
Brian May <b...@debian.org>
.6.x and earlier, when using an Intel or Cyrix CPU,
allows local HVM guest users to cause a denial of service (guest
crash) via vectors related to a non-canonical RIP.
- --
Brian May <b...@debian.org>
Brian May <b...@debian.org> writes:
> Any objections by anybody if I upload Antoine Beaupré's packages to
> Debian, this Monday morning at Melbourne timezone?
Done.
Next step, the DLA. I went through the changelog and remove entries that
are already marked as fixed in the securit
, that's a substantial change
> unto itself anyway?
Any objections by anybody if I upload Antoine Beaupré's packages to
Debian, this Monday morning at Melbourne timezone?
https://people.debian.org/~anarcat/debian/wheezy-lts/
Unless of course Antoine Beaupré wants to do it himself; he said he
might have time this week.
--
Brian May <b...@debian.org>
y, Melbourne timezone.
--
Brian May <b...@debian.org>
tom of
https://github.com/ImageMagick/ImageMagick/commit/a347456a1ef3b900c20402f9866992a17eb5d181
It does seem like that these 2 patches combined don't fix CVE-2016-3714
and I can't see anything that attempts to fix CVE-2016-3715 -
CVE-2016-3718 either.
--
Brian May <b...@debian.org>
understand you, if both of the patches you mention are
applied to imagemagick, this will completely fix CVE-2016-3714?
Thanks
--
Brian May <b...@debian.org>
Brian May <b...@debian.org> writes:
> I see that there are two versions of this work; however I will have a
> look at the above and see if I can still reproduce the Jessie build
> errors.
Looks like your patch modifies files such as lib/nfkc.c which have been
decl
Brian May <b...@debian.org> writes:
> The current list of packages that fail to build against the new libav is
> (the building is still ongoing):
All build logs in
https://people.debian.org/~bam/wheezy/libav/amd64/buildlogs/
Looks like a total of 85 packages failed to build and
Brian May <b...@debian.org> writes:
> The following packages have unmet dependencies:
> libpostproc-dev : Depends: libavutil-dev (= 6:0.8.17-2) but 6:11.6-1~deb7u1
> is to be installed
> E: Unable to correct problems, you have held broken packages.
Ok, so looks like we would
-2016-4492_CVE-2016-4493.patch: Read/write access violations
* CVE-2016-6131.patch: Libiberty Demangler segfaults
* CVE-2016-.patch: Stack buffer overflow when printing bad bytes in
Intel Hex objects
* Researched security fix for kde4libs. In particular CVE-2016-6232.
--
Brian May <
I am looking at doing this now, will start off without
git. If there is any demand I can move things across (including prior
revisions) to git later.
--
Brian May <b...@debian.org>
Brian May <b...@debian.org> writes:
> In any case I am looking at doing this now, will start off without
> git. If there is any demand I can move things across (including prior
> revisions) to git later.
Attached is my current patch. It only includes changes to
debian/*. Still
Hello,
I have a version of python-django 1.4.22 for wheezy-security available
for testing at:
https://people.debian.org/~bam/debian/pool/main/p/python-django/
Patch is basically the same as before, except I now include
CVE-2016-2513.diff and removed all the unused patches.
Regards
--
Brian
Brian May <b...@debian.org> writes:
> So far I haven't found the missing versions in between, however will
> keep looking.
It helps if you look in the correct place :-)
http://snapshot.debian.org/package/python-django/
(I was getting confused and looking under archives.debian.or
ally.
As such, I tend to feel the risks of removing this code exceed the risks
of not removing it. I am going to do the same thing as the security team
and mark this as no-dsa.
--
Brian May <b...@debian.org>
Brian May <br...@linuxpenguins.xyz> writes:
> Had a quick look at the matrixssl security vulnerability.
>
> Unfortunately, finding it difficult to work out which of the upstream
> changes fixes this.
Was meaning to be more informative here, unfortunately the trai
et-libc.diff
file, but I can't actually find it. Nor can I see anything in
debian/rules - so I think any changes would require updating the unpack
rule in debian/rules to somehow apply them automatically.
--
Brian May <b...@debian.org>
go. It looks
like it should be reasonably straight forward (famous last words?) to
apply the changes manually to the wheezy version, although the files
have moved (and automatic patching failed). If nobody takes this up by
next month I should have some time then to continue this.
--
Brian May <b...@debian.org>
Distribution: wheezy-security
Urgency: high
Maintainer: Matthias Klose <d...@debian.org>
Changed-By: Brian May <b...@debian.org>
Description:
binutils - GNU assembler, linker and binary utilities
binutils-dev - GNU binary utilities (BFD development files)
binutils-doc - Documentation
VE-2016-2380 / TALOS-CAN-0123
https://bitbucket.org/pidgin/main/commits/8172584fd640
- correct
* CVE-2016-4323 / TALOS-CAN-0128
Patch not given
- Believe correct patch is 5fa3f2bc69d7918d1e537e780839df63d5df59aa
- was patch listed for CVE-2016-2365 / TALOS-CAN-0133
--
Brian May <b...@debian.org>
Brian May <b...@debian.org> writes:
> I have a build of binutils for all pending CVEs except CVE-2016-4491,
My suspicion is that the wheezy version is vulnerable to CVE-2016-4491.
However in more recent versions d_print_comp has been split up into two
functions: d_print_comp wh
agree. Sometimes exploiting a combination of "minor" issues can be
> combined to allow more severe attacks. If the fixes are safe, I think they
> should be released.
I have a version available for testing:
https://people.debian.org/~bam/debian/pool/main/b/binutils/
--
Brian May <b...@debian.org>
Brian May <b...@debian.org> writes:
> I have a build of binutils for all pending CVEs except CVE-2016-4491,
I had another look at CVE-2016-4491. Looks like the following patch from
upstream git is a prerequisite. Unfortunately this patch does not apply
cleanly either. So I found a
aying I should not worry about uploading my package at this
point in time?
--
Brian May <b...@debian.org>
diff -u binutils-2.22/debian/changelog binutils-2.22/debian/changelog
--- binutils-2.22/debian/changelog
+++ binutils-2.22/debian/changelog
@@ -1,3 +1,20 @@
+binutils (2.22-8+deb7u3) whee
based on
the header value."
There are a number of projects in Debian that use twisted, should we
check each one?
Sure would be good if I had an example application that was confirmed
vulnerable.
--
Brian May <b...@debian.org>
include any new vulnerabilities that I know
of. Otherwise I would have listed them.
See https://lists.debian.org/debian-lts/2016/07/msg00069.html for the
reason why I uploaded.
Also see https://lists.debian.org/debian-lts/2016/08/msg00088.html.
--
Brian May <b...@debian.org>
nflict with any other distribution, which is the usual reason for
these prefixes.
(besides, wouldn't a good time to mention this have been before I
uploaded, when I was asking for people to test it?)
--
Brian May <b...@debian.org>