Re: failed armel build of wireshark 1.12.1+g01b65bf-4+deb8u19

2019-05-30 Thread Emilio Pozuelo Monfort
On 30/05/2019 09:37, Hugo Lefeuvre wrote: > Hi, > > Apparently, wireshark 1.12.1+g01b65bf-4+deb8u19 failed to build on armel. I > have absolutely no idea of what happened. At first glance it looks like tar > segfaulted[0] :-) > > Is it possible to restart the build for armel?# Given back. Emili

(E)LTS report for May

2019-06-06 Thread Emilio Pozuelo Monfort
Hi, During the month of May, I spent 33h on LTS working on the following tasks: - openjdk-7 security update - qemu security update - security-tracker reviews - sqlite3 triage - sox: backported patches, ran into stability bug in jessie not happening in sid, bisected it but fix was too invasive so

(E)LTS report for June & July

2019-08-12 Thread Emilio Pozuelo Monfort
Hi, during the month of June I spent 16h (of 17 assigned) on LTS on the following tasks: - CVE triaging - php5 update - looked at vim update, coordinated with maintainer - poppler update - dbus update - thunderbird update - firefox-esr update - another thunderbird update During the month of July

Re: Accepted firefox-esr 60.9.0esr-1~deb8u1 (source amd64 all) into oldoldstable

2019-09-08 Thread Emilio Pozuelo Monfort
On 07/09/2019 10:01, Pascal Hambourg wrote: > Hello, > > It seems that the i386 build failed. Thanks for the notice. I'll take a look at it. Emilio

(E)LTS report for August

2019-09-18 Thread Emilio Pozuelo Monfort
Hi, During the month of August I spent 31 hours on the following tasks: - php5 update - ghostscript update - CVE triaging - evince update - atril update - preparatory work for firefox ESR 68 and thunderbird 68 As for ELTS I spent 8.5h on the following: - php5 update - CVE triaging - Investigat

Re: firefox-esr 60.9.0esr-1~deb8u1 i386 build

2019-10-01 Thread Emilio Pozuelo Monfort
On 30/09/2019 06:40, Sylvain Beucler wrote: > Hello, > > On 27/09/2019 23:12, Pascal Hambourg wrote: >> Sorry to insist again, but is there any hope that the i386 build will >> be available ? > > It seems this is a memory issue on the builder: > > virtual memory exhausted: Operation not permitte

(E)LTS report for September

2019-10-11 Thread Emilio Pozuelo Monfort
Hi, During the month of September I spent 30 hours on the following tasks: - firefox ESR 60 update - thunderbird ESR 60 update - ghostscript update - firefox ESR 68 preparations for jessie and stretch (LLVM 7, cargo, rust, cbindgen, nasm, nodejs) As for ELTS I spent 4 hours on frontdesk triage.

(E)LTS report for October

2019-11-10 Thread Emilio Pozuelo Monfort
Hi, During the month of October I spent 72 hours on finishing the Firefox ESR 68 update. That update took so much time due to the necessary toolchain updates, which included rust & cargo, LLVM, and GCC, and to several issues which were encountered with some of those components and with some old ve

Re: Drop support for libqb?

2019-11-15 Thread Emilio Pozuelo Monfort
On 14/11/2019 19:51, Roberto C. Sánchez wrote: > On Thu, Nov 14, 2019 at 01:31:27PM -0500, Roberto C. Sánchez wrote: >> On Thu, Nov 14, 2019 at 05:19:03PM +, Holger Levsen wrote: >>> On Wed, Nov 13, 2019 at 08:24:55AM -0500, Roberto C. Sánchez wrote: > We usually mark affected CVE as in da

(E)LTS report for November

2019-12-03 Thread Emilio Pozuelo Monfort
Hi, During the month of November I worked on the Thunderbird update after the toolchain update work for Firefox ESR 68 made that possible. I also spent time working on build fixes for Firefox (on armhf for jessie, as well as various other issues on stretch). Those will also benefit Thunderbird. Th

Re: ibus/CVE-2019-14822/glibc

2019-12-19 Thread Emilio Pozuelo Monfort
On 13/12/2019 05:41, Brian May wrote: > Brian May writes: > >> Apparently the fix for ibus creates a regression in glibc that must get >> fixed also: >> >> https://gitlab.gnome.org/GNOME/glib/merge_requests/1176 >> >> However this patch patches GIO in glibc, and it looks like glibc in >> Jessie (

Re: Bug#947045: undefined symbol in libpixbufloader-tiff.so: g_uint_checked_mul

2019-12-20 Thread Emilio Pozuelo Monfort
On 20/12/2019 00:49, Simon McVittie wrote: > (LTS team: full quote of bug report below) > > On Thu, 19 Dec 2019 at 21:41:59 +, McIntyre, Vincent (CASS, Marsfield) > wrote: >> Dear LTS Maintainer, > > If a bug is specific to a LTS package, please report it to the > debian-lts mailing list (I'

Re: ibus/CVE-2019-14822/glibc

2020-01-07 Thread Emilio Pozuelo Monfort
On 07/01/2020 07:36, Brian May wrote: > Brian May writes: > >> My build is still running the tests, but I don't expect any problems as >> the test was getting skipped anyway... > > Tests seem to be hanging, on the next test after: > > PASS: network-address 37 /gresolver/resolve-address/0 > PASS

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2020-01-07 Thread Emilio Pozuelo Monfort
On 06/01/2020 13:01, Chris Lamb wrote: > Hi Holger et al., > >> today I unclaimed for LTS: >> >> -ibus (Emilio) > > I was working under the assumption that adding a note would reset the > inactivity timer but this does not seem to be a case for at least > this unclai (I see a "20191230: work is o

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2020-01-07 Thread Emilio Pozuelo Monfort
On 07/01/2020 15:44, Emilio Pozuelo Monfort wrote: > On 06/01/2020 13:01, Chris Lamb wrote: >> Hi Holger et al., >> >>> today I unclaimed for LTS: >>> >>> -ibus (Emilio) >> >> I was working under the assumption that adding a note would reset

(E)LTS report for December

2020-01-10 Thread Emilio Pozuelo Monfort
Hi, During the month of December, I spent 16.5h on LTS on the following tasks: - firefox-esr update - thunderbird update - spamassassin update - libssh update - preparing and testing ibus and glib2.0 (there was a regression update on stretch so I'm being careful here) For ELTS I only spent 1h on

Re: Unable to announce the updates

2020-01-13 Thread Emilio Pozuelo Monfort
On 10/01/2020 19:12, Utkarsh Gupta wrote: > Hi Chris, > > On 10/01/20 11:34 pm, Chris Lamb wrote: >>> I've been trying to send DLA-2063 (and now DLA-2060) announcement to >>> -lts-announce but for some reasons I can't seem to post there. >> >> This is invariably due to issues regarding the GPG sig

Re: [CVE-2019-17026] Firefox Security Advisory 2020-03

2020-01-31 Thread Emilio Pozuelo Monfort
On 31/01/2020 08:10, Ola Lundqvist wrote: > Hi > > I have added firefox-esr to dla-needed.txt file now. > > // Ola > > On Thu, 30 Jan 2020 at 01:06, Ben Hutchings wrote: > >> On Sun, 2020-01-26 at 16:17 +0100, Hugo Lefeuvre wrote: >>> Hi, >>> It seems urgent to me to correct a flaw exploi

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-02-10 Thread Emilio Pozuelo Monfort
On 10/02/2020 03:25, Holger Levsen wrote: > hi, > > today I unclaimed > > for LTS: > > - xerces-c (Hugo Lefeuvre) > > and none for eLTS. > > Then, the monthly reports for January are due today. Please publish yours, if > you haven't already. > > > And, the following DLAs are missing on www.

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-02-10 Thread Emilio Pozuelo Monfort
On 10/02/2020 12:07, Holger Levsen wrote: > On Mon, Feb 10, 2020 at 11:23:08AM +0100, Emilio Pozuelo Monfort wrote: > [...] >>> ERROR: .data or .wml file missing for DLA 2098-1 >> It would be useful if this info came with the person who reserved that DLA. > > sure. it

(E)LTS report for January

2020-02-11 Thread Emilio Pozuelo Monfort
Hi, During January I spent 8 hours on LTS updating firefox, thunderbird, and firefox again, as well as fixing some problems with the VM. As for ELTS I spent 1.5h doing triaging work. Cheers, Emilio

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-02-19 Thread Emilio Pozuelo Monfort
On 13/02/2020 14:02, Holger Levsen wrote: > Hi Emilio, > > On Mon, Feb 10, 2020 at 04:18:08PM +0100, Emilio Pozuelo Monfort wrote: >>>>> ERROR: .data or .wml file missing for DLA 2098-1 >>>> It would be useful if this info came with the person who reserve

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-02-20 Thread Emilio Pozuelo Monfort
On 20/02/2020 12:40, Abhijith PA wrote: > Holger, > > On 19/02/20 3:15 pm, Emilio Pozuelo Monfort wrote: > > >> The attached patch allows that script to also print author information when >> using a local copy of the security-tracker repo with the --list option. >

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-02-20 Thread Emilio Pozuelo Monfort
On 20/02/2020 13:56, Sylvain Beucler wrote: > Hi, > > On 20/02/2020 13:35, Emilio Pozuelo Monfort wrote: >> On 20/02/2020 12:40, Abhijith PA wrote: >>> Holger, >>> >>> On 19/02/20 3:15 pm, Emilio Pozuelo Monfort wrote: >>> >>> >

Re: Bug#931376: debian-security-support: mention nodejs is not for untrusted content

2020-02-20 Thread Emilio Pozuelo Monfort
On 20/02/2020 18:00, Salvatore Bonaccorso wrote: > Hi Holger, > > On Thu, Feb 20, 2020 at 04:49:09PM +, Holger Levsen wrote: >>> Does LTS provide updates for nodejs/nodejs-*, and is there a place where >>> we can document this decision? >> >> I'd lean to call it unsupported and document this

Re: ibus/CVE-2019-14822/glibc

2020-02-21 Thread Emilio Pozuelo Monfort
On 22/01/2020 07:29, Brian May wrote: > Brian May writes: > >> commit 7cba800a84730c9c5843acdd775e42b8c1438edf (HEAD) >> Author: Alexander Larsson >> Date: Mon Jun 1 10:02:47 2015 +0200 > > This patch decreases the number of errors from 1 to 52. Thanks for the investigation Brian. However af

Re: Bug#931376: debian-security-support: mention nodejs is not for untrusted content

2020-02-21 Thread Emilio Pozuelo Monfort
On 20/02/2020 23:30, Holger Levsen wrote: > On Thu, Feb 20, 2020 at 07:50:30PM +0100, Markus Koschany wrote: >>> So we should add it to security-support-ended for those releases, and >>> let it be supported in buster. >> >> We currently also mention it here: >> https://wiki.debian.org/LTS/Jessie >

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-02-21 Thread Emilio Pozuelo Monfort
On 21/02/2020 00:34, Holger Levsen wrote: > Hi Emilio, > > On Wed, Feb 19, 2020 at 10:45:36AM +0100, Emilio Pozuelo Monfort wrote: >>> cd ~/Projects/security-tracker >>> git pull >>> cd ~/Projects/debian-www/webwml >>>

Re: Is it okay to bump dh-compat?

2020-02-21 Thread Emilio Pozuelo Monfort
On 21/02/2020 17:42, Utkarsh Gupta wrote: > Hi all, > > Whilst working on libpam-radius-auth, I noticed that d/compat has > value "4" which throws the following error: > > dh_clean: error: Compatibility levels before 5 are no longer supported > (level 4 requested) > > Would it be okay to bump d/

Re: Is it okay to bump dh-compat?

2020-02-21 Thread Emilio Pozuelo Monfort
On 21/02/2020 17:48, Emilio Pozuelo Monfort wrote: > On 21/02/2020 17:42, Utkarsh Gupta wrote: >> Hi all, >> >> Whilst working on libpam-radius-auth, I noticed that d/compat has >> value "4" which throws the following error: >> >> dh_clean: e

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-02-29 Thread Emilio Pozuelo Monfort
On 19/02/2020 10:45, Emilio Pozuelo Monfort wrote: > btw I wonder if that script shouldn't live elsewhere, such as in the webwml > repo or in the security-tracker. I have moved it to the security-tracker in [1]. I made it more useful for DSAs by ignoring regression updates, as th

Re: security upload imposing load on other parts of Debian

2020-03-01 Thread Emilio Pozuelo Monfort
Hi all, I think we can all agree that the problem here is that there was an unexpected issue (a security upload getting rejected) that required sort of immediate work from a third party (an ftp-master). I don't think we should make a big deal of this, as this can happen with any other two teams in

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-03-02 Thread Emilio Pozuelo Monfort
On 01/03/2020 00:28, Holger Levsen wrote: > On Sat, Feb 29, 2020 at 10:46:48PM +, Holger Levsen wrote: >>> I have moved it to the security-tracker in [1]. >> hah. > > hah and now that I want to use it I realize you moved the MR only... grrr. > ok, we'll see how this goes. And it's finally m

(E)LTS report for February

2020-03-03 Thread Emilio Pozuelo Monfort
Hi, During the month of February, I spent 29h on LTS on the following tasks: - firefox-esr update - thunderbird update - clamav update - spamassassin update - missing webwml script improvements - jackson-databind update - python-reportlab update - CVE triage - python-pysaml2 update - openjdk-7 up

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-03-06 Thread Emilio Pozuelo Monfort
On 02/03/2020 12:57, Emilio Pozuelo Monfort wrote: > On 01/03/2020 00:28, Holger Levsen wrote: >> On Sat, Feb 29, 2020 at 10:46:48PM +, Holger Levsen wrote: >>>> I have moved it to the security-tracker in [1]. >>> hah. >> >> hah and now that I want

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-03-09 Thread Emilio Pozuelo Monfort
On 09/03/2020 19:29, Chris Lamb wrote: > Hi Holger et al., > >> ERROR: .data or .wml file missing for DLA 2115-2 (reserved by Chris Lamb) >__^__ > > How does we announce a regression (ie. -2, -3) via the website? The > namespacing used here (capture

Re: amd64-microcode, test

2020-03-11 Thread Emilio Pozuelo Monfort
On 11/03/2020 21:06, Salvatore Bonaccorso wrote: > Hi, > > A smaller comment on the update: > > On Wed, Mar 11, 2020 at 08:19:11PM +0100, Anton Gladky wrote: >> After discussion with the maintainer I decided to backport the latest >> upstream version, available in Debian (3.20191218.1). Prepared

Re: amd64-microcode, test

2020-03-13 Thread Emilio Pozuelo Monfort
On 12/03/2020 21:29, Anton Gladky wrote: > Thanks Emilio and Salvatore for very valuable comments! > > I think then, that it would be a more proper way to upload the lower > upstream version 3.20181128.1 into the Jessie and Stretch to escape > higher versions on older releases. Well you used 3.2018

Re: phppgadmin / CVE-2019-10784

2020-03-13 Thread Emilio Pozuelo Monfort
On 12/03/2020 22:02, Brian May wrote: > Ola Lundqvist writes: > >> I have ideas on how we can reduce the attack possibilities but I cannot >> find any perfect solution to this. > > What about setting samesite=Lax in the session Cookie? Wouldn't you need Strict rather than Lax? Otherwise if basi

Re: Wheezy LTS not present in archive.debian.org

2020-03-17 Thread Emilio Pozuelo Monfort
On 17/03/2020 03:58, Ben Hutchings wrote: > On Fri, 2020-03-13 at 16:29 +0100, Piviul wrote: >> On 06/03/20 at 13:14, Sylvain Beucler wrote: >>> [...] >>> Good question :) >>> >>> Snapshot saved the deb7u16 update as part of wheezy-security in 2018: >>> https://snapshot.debian.org/package/sam

Re: Bug#953950: python-twisted: twisted version 14.0.2-3+deb8u1 in jessie (security) is broken

2020-03-19 Thread Emilio Pozuelo Monfort
Hi, On 19/03/2020 13:01, Simon McVittie wrote: > On Thu, 19 Mar 2020 at 12:33:09 +0100, Etienne Allovon wrote: >> Subject: python-twisted: twisted version 14.0.2-3+deb8u1 in jessie >> (security) is broken > > Debian 8 'jessie' is no longer supported by the mainstream Debian > security team Etien

Re: Bug#946691: emacs25-common: expired GNU ELPA gpg key

2020-03-23 Thread Emilio Pozuelo Monfort
Hi Rob, On 16/12/2019 02:33, Rob Browning wrote: > Thomas Sanders writes: > >> Package: emacs25-common >> Version: 25.1+1-4+deb9u1 >> Severity: normal >> File: /usr/share/emacs/25.1/etc/package-keyring.gpg >> >> Dear Maintainer (Rob Browning?), >> >> This problem in emacs 25 (in Debian old-stabl

tor EOL in jessie

2020-03-24 Thread Emilio Pozuelo Monfort
On 28/12/2017 11:48, Emilio Pozuelo Monfort wrote: > On 04/12/17 13:31, Peter Palfrader wrote: >> Upstream is no longer maintaining the 0.2.4.x tree. Maybe it's time to >> terminate support for Tor in wheezy/oldoldstable? > > I think so. I have marked it as unsupported

(E)LTS report for March

2020-04-13 Thread Emilio Pozuelo Monfort
Hi, During the last month I spent 19.5 hours on LTS working on the following: - CVE triaging - firefox-esr security update - qemu security update - thunderbird security update - started to look at dak built-using problem - icu security update - started to backport bluez security issue to older ve

Re: libdatetime-timezone-perl need to wait?

2020-06-22 Thread Emilio Pozuelo Monfort
On 20/06/2020 22:39, Ola Lundqvist wrote: > Thanks for the clarification. Would that really be an issue if they > got it? They will get the newer version later. > But I get the point. In any case it is not an urgent thing so we can > wait. I'll add notes about this too. Yes, it can be a problem, f

(E)LTS report for April/May

2020-06-22 Thread Emilio Pozuelo Monfort
Hi, During April I spent 5h on LTS working on - firefox security update - thunderbird security update - triaging And 1.5h on ELTS on frontdesk duties. During May I didn't spend any time on LTS, and I spent 1h on ELTS on frontdesk. Cheers, Emilio

Re: stretch EOL point release (9.13) and 10.5 planning

2020-06-25 Thread Emilio Pozuelo Monfort
On 22/06/2020 08:37, Salvatore Bonaccorso wrote: > Hi security team, LTS team members, > > On Mon, Jun 15, 2020 at 05:44:54PM +0100, Adam D. Barratt wrote: >> stretch transitions from oldstable-with-security-support to LTS support >> on Saturday July 4th. As usual, we should aim for the final poin

Re: Steps for Debian Jessie LTS end-of-life

2020-07-01 Thread Emilio Pozuelo Monfort
Hi Ansgar, On 01/07/2020 11:27, Ansgar wrote: > Hi, > > since LTS for Jessie has ended according to [1], can we disable uploads > and prepare for archiving the release? Yes, let's do this. > > I want to: > > 1. Stop accepting anything. > 2. Have one Release with no Valid-Until for archive.d.o

(E)LTS report for June

2020-07-01 Thread Emilio Pozuelo Monfort
Hi, During the month of June I spent 4h on LTS working on: - reviewed stretch-lts MR - prepared batik update - CVE triaging - started working on a lts no-dsa review script As for ELTS I spent 9h working on: - final changes to distro-config branch improvements, and deployment - prepared batik up

Re: Steps for Debian Jessie LTS end-of-life

2020-07-01 Thread Emilio Pozuelo Monfort
On 01/07/2020 12:40, Emilio Pozuelo Monfort wrote: > On 01/07/2020 11:27, Ansgar wrote: >> 5. Import to archive.d.o >> 6. Remove from security.d.o >> >> I can do (1), (2), (4) fairly quickly; the buildd team would need to >> look at (3). Not sure when (5) and (6

Re: Steps for Debian Jessie LTS end-of-life

2020-07-01 Thread Emilio Pozuelo Monfort
On 01/07/2020 19:26, Markus Koschany wrote: > > On 01.07.20 at 19:14, Ansgar wrote: >> On Wed, 2020-07-01 at 18:38 +0200, Markus Koschany wrote: >>> On 01.07.20 at 11:27, Ansgar wrote: since LTS for Jessie has ended according to [1], can we disable uploads and prepare for archiving the

Re: Debian 9 (Stretch) LTS: archive side should be done

2020-07-06 Thread Emilio Pozuelo Monfort
On 06/07/2020 12:01, Ansgar wrote: > Hi, > > the archive side of switching Debian 9 (Stretch) to LTS should be done > now. The architectures amd64, arm64, armel, armhf and i386 remain. Thanks! The tracker has also been updated and the wanna-build config for stretch-security has been changed as w

Re: Draft: Debian 8 Long Term Support reaching end-of-life

2020-07-06 Thread Emilio Pozuelo Monfort
Hi Markus, On 02/07/2020 17:42, Markus Koschany wrote: > I have drafted a new announcement, "Debian 8 Long Term Support reaching > end-of-life". I would like you to review the draft and the i18n teams to > translate the content when it is approved by you. You can find the text > here: > > https:/

Re: Draft: Debian 8 Long Term Support reaching end-of-life

2020-07-07 Thread Emilio Pozuelo Monfort
On 06/07/2020 15:30, Markus Koschany wrote: > Hi, > > On 06.07.20 at 15:25, Emilio Pozuelo Monfort wrote: >> Hi Markus, >> >> On 02/07/2020 17:42, Markus Koschany wrote: >>> I have drafted a new announcement, "Debian 8 Long Term Support reaching >>

DLA template and user signatures

2020-07-07 Thread Emilio Pozuelo Monfort
Hi, Now that we're starting stretch LTS, I thought it was a good time to review and improve the DLA template. I made a couple of minor changes to it, but there are two bigger ones that the DSA template has and we could add: - The header. It looks like a bit too much for the DLA to me, so I'm unconv

Re: [Git][security-tracker-team/security-tracker][master] Triage CVE-2020-12675, CVE-2020-12691, CVE-2020-12690 and CVE-2020-12689 for stretch LTS.

2020-07-07 Thread Emilio Pozuelo Monfort
Hi Chris, On 07/07/2020 13:37, Chris Lamb wrote: > CVE-2020-12692 (An issue was discovered in OpenStack Keystone before 15.0.1, > and 16.0. ...) > {DSA-4679-1} > - keystone 2:17.0.0~rc2-1 (bug #959900) > + [stretch] - keystone (Not supported in stretch LTS) While I see keystone

script to review no-dsa packages fixed in LTS-1 and TLS+1

2020-07-07 Thread Emilio Pozuelo Monfort
Hi, During an IRC meeting, Thorsten mentioned that he had noticed some packages that had been fixed in stretch and wheezy-elts, but not in jessie (this was before the jessie EOL), and that had been marked as no-dsa in jessie. Since the package had been fixed in the previous and next releases, it

Re: script to review no-dsa packages fixed in LTS-1 and TLS+1

2020-07-07 Thread Emilio Pozuelo Monfort
On 07/07/2020 17:00, Roberto C. Sánchez wrote: > On Tue, Jul 07, 2020 at 04:37:30PM +0200, Emilio Pozuelo Monfort wrote: >> >> I've worked on a script to find these cases so they can be reviewed. It >> doesn't >> consider packages that have been fixed

Re: DLA template and user signatures

2020-07-07 Thread Emilio Pozuelo Monfort
On 07/07/2020 18:58, Chris Lamb wrote: > Hi Abhijith, > >>> Not quite sure what you mean by this. I am assuming you mean something >>> along the lines of it being "too intense for a DLA" but if so I don't >>> understand what the concern is here. Isn't each of these a potentially- >>> important sec

Re: DLA template and user signatures

2020-07-08 Thread Emilio Pozuelo Monfort
On 07/07/2020 19:05, Emilio Pozuelo Monfort wrote: > On 07/07/2020 18:58, Chris Lamb wrote: >> Hi Abhijith, >> >>>> Not quite sure what you mean by this. I am assuming you mean something >>>> along the lines of it being "too intense for a DLA" but

Re: [Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim gosa.

2020-07-09 Thread Emilio Pozuelo Monfort
Hi Chris, On 09/07/2020 11:54, Chris Lamb wrote: > Commits: > 389b61df by Chris Lamb at 2020-07-09T10:54:19+01:00 > data/dla-needed.txt: Claim gosa. Please note that there's a gosa package in opu for the upcoming point release. So it'd be good to wait with this until after the point release to av

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-07-10 Thread Emilio Pozuelo Monfort
On 10/07/2020 19:49, Utkarsh Gupta wrote: > Hi, > > On Mon, Jul 6, 2020 at 1:40 PM Holger Levsen wrote: >> Three DLAs have been reserved but not yet been published on www.debian.org: >> LTS: >> >> - DLA 2269-1 (reserved by Utkarsh Gupta) >> - DLA 2270-1 (reserved by Utkarsh Gupta) >> - DLA 2271-1

Re: DLA template and user signatures

2020-07-13 Thread Emilio Pozuelo Monfort
On 13/07/2020 11:24, Sylvain Beucler wrote: > Hi, > > On 07/07/2020 12:01, Emilio Pozuelo Monfort wrote: >> - it was brought up that some DLAs include personal signatures at the end > > In what context did you receive this feedback? It was mentioned in #debian-lts when I br

Re: script to review no-dsa packages fixed in LTS-1 and TLS+1

2020-07-20 Thread Emilio Pozuelo Monfort
On 19/07/2020 11:52, Thorsten Alteholz wrote: > Hi Emilio, > > thanks a lot for working on this. > > On Tue, 7 Jul 2020, Emilio Pozuelo Monfort wrote: >> CVE-2019-11187/gosa fixed in jessie and buster but no-dsa in stretch (Minor >> issue) > > This seems to h

Reclaiming packages with no status update

2020-07-23 Thread Emilio Pozuelo Monfort
Hi, On 20/07/2020 12:04, Holger Levsen wrote: > today there were two packages unclaimed for LTS: > and four for ELTS: I often notice that after each round of these unclaims, people tend to reclaim their packages without adding a note on the progress or status. Could I ask that when you reclaim a

Backports needed for Firefox/Thunderbird ESR 78 in Buster/Stretch

2020-07-28 Thread Emilio Pozuelo Monfort
Hi, On 21/08/2019 07:45, Salvatore Bonaccorso wrote: > Hi Holger, hi Emilio, > > [dropping debian-devel list] > > On Mon, Aug 19, 2019 at 11:01:13PM +0200, Moritz Mühlenhoff wrote: >> On Tue, Jul 02, 2019 at 10:45:20PM +0200, Moritz Mühlenhoff wrote: >>> Hi, >>> Firefox 68 will be the next ESR r

Backports needed for Firefox/Thunderbird ESR 78 in Buster/Stretch

2020-07-28 Thread Emilio Pozuelo Monfort
Hi, On 21/08/2019 07:45, Salvatore Bonaccorso wrote: > Hi Holger, hi Emilio, > > [dropping debian-devel list] > > On Mon, Aug 19, 2019 at 11:01:13PM +0200, Moritz Mühlenhoff wrote: >> On Tue, Jul 02, 2019 at 10:45:20PM +0200, Moritz Mühlenhoff wrote: >>> Hi, >>> Firefox 68 will be the next ESR r

(E)LTS report for July

2020-07-30 Thread Emilio Pozuelo Monfort
Hi, During this month I spent 60h on LTS working on: - coordinating stretch-lts handover with various teams - sent jessie EOL DLA, updated LTS/Using wiki page for stretch, improvements to DLA template - lts no-dsa script - glib-networking update via opu, checked if balsa/stretch needed a compat

Making stretch-security build logs public

2020-08-02 Thread Emilio Pozuelo Monfort
Hi, I was wondering if we could make old stretch-security build logs public. I suppose there's nothing private there anymore (no more embargoed updates in stretch) and it can help in debugging issues with updates (e.g. I just uploaded a new thunderbird version there and I've noticed that the previ

Re: slirp / CVE-2020-7039 / CVE-2020-8608

2020-08-12 Thread Emilio Pozuelo Monfort
On 12/08/2020 01:04, Roberto C. Sánchez wrote: > On Wed, Aug 12, 2020 at 08:55:43AM +1000, Brian May wrote: >> I am seriously thinking that slirp from unstable should be ported as is >> from sid to buster and stretch. This is not a new upstream version, it >> has bug fixes and security updates only

Re: gb: ghostscript_9.26a~dfsg-0+deb9u7

2020-08-21 Thread Emilio Pozuelo Monfort
On 21/08/2020 14:08, Sylvain Beucler wrote: > Hello, > > ghostscript failed to build on armhf for stretch-security: > https://buildd.debian.org/status/fetch.php?pkg=ghostscript&arch=armhf&ver=9.26a%7Edfsg-0%2Bdeb9u7&stamp=1597941103&raw=0 > "./soobj/dxmainc.o: file not recognized: File truncated"

Re: Making stretch-security build logs public

2020-08-28 Thread Emilio Pozuelo Monfort
On 27/08/2020 09:17, Salvatore Bonaccorso wrote: > Hi Emilio, > > On Tue, Aug 25, 2020 at 10:35:08PM +0200, Aurelien Jarno wrote: >> Hi, >> >> On 2020-08-02 23:54, Emilio Pozuelo Monfort wrote: >>> Hi, >>> >>> I was wondering if we could make

(E)LTS report for August

2020-08-31 Thread Emilio Pozuelo Monfort
Hi, During the month of August, I have spent 21.75h working on: - clamav security update - thunderbird 68.11 update - libx11 security update - gupnp security update, including finding a UAF (use-after-free) issue that led to a server crash - security-tracker improvements in the python3 work - fir

Re: [Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Triage python-django for stretch LTS.

2020-09-01 Thread Emilio Pozuelo Monfort
Hi Chris, On 01/09/2020 13:12, Chris Lamb wrote: > Commits: > 346825dd by Chris Lamb at 2020-09-01T12:12:17+01:00 > data/dla-needed.txt: Triage python-django for stretch LTS. > > - - - - - > 08bd2296 by Chris Lamb at 2020-09-01T12:12:23+01:00 > data/dla-needed.txt: Claim python-django. Don't the

Re: Backports needed for Firefox/Thunderbird ESR 78 in Buster/Stretch

2020-09-01 Thread Emilio Pozuelo Monfort
On 01/09/2020 14:05, Christoph Martin wrote: > Hi, > > I am not sure if I can help, but I can try and have a look at it. > > Yes please upload your LLVM9 and wasi-libc backports. fwiw I started to look at this and have an LLVM 10 backport ready. Should we go with that instead? It may be more fu

Re: [Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Triage python-django for stretch LTS.

2020-09-02 Thread Emilio Pozuelo Monfort
On 02/09/2020 12:46, Chris Lamb wrote: > Chris Lamb wrote: >> >>> Don't the new Django vulnerabilities only apply when running with Python >>> 3.7 or >>> newer? >> >> Replying quickly — possibly, have not looked into the (E)LTS angle yet. >> >> I was just ensuring that there was no duplicated effo

Re: Backports needed for Firefox/Thunderbird ESR 78 in Buster/Stretch

2020-09-10 Thread Emilio Pozuelo Monfort
On 01/09/2020 19:17, Moritz Muehlenhoff wrote: > On Tue, Sep 01, 2020 at 04:35:42PM +0200, Emilio Pozuelo Monfort wrote: >> On 01/09/2020 14:05, Christoph Martin wrote: >>> Hi, >>> >>> I am not shure if I can help, but I can try and have a look at it. >>

Re: Backports needed for Firefox/Thunderbird ESR 78 in Buster/Stretch

2020-09-20 Thread Emilio Pozuelo Monfort
On 20/09/2020 11:33, Félix Sipma wrote: > Hello Emilio and others, > > On 2020-09-10 19:32+0200, Emilio Pozuelo Monfort wrote: >> I'm currently attempting a build of Firefox 78.2.0 ESR for buster. If that >> goes >> well I'll start uploading things

Re: [SECURITY] [DLA 2386-1] libdbi-perl security update

2020-09-28 Thread Emilio Pozuelo Monfort
Hi Sylvain, On 28/09/2020 15:38, Sylvain Beucler wrote: > - > Debian LTS Advisory DLA-2386-1 debian-lts@lists.debian.org > https://www.debian.org/lts/security/ > September 28, 2020 htt

(E)LTS report for September

2020-09-30 Thread Emilio Pozuelo Monfort
Hi, During the month of September I have spent 19.75h on the following tasks: - security-tracker MRs - thunderbird regression update - libx11 security update - Lots of work to get ready for the Firefox & Thunderbird ESR 78 updates, with the ESR 68 branch going end-of-life on September 22nd with

Re: golang-go.crypto / CVE-2019-11841

2020-10-08 Thread Emilio Pozuelo Monfort
Hi, On 06/10/2020 23:42, Brian May wrote: Utkarsh Gupta writes: Ah, great. It'd nice to include this then! :) Done. See attached patch. I had to apply it manually, because patch was misapplying one of the hunks in the wrong place. There were several hunks that apply to SKEd25519 public key

Re: [security tracker role] Processing a16b55300564d69f4c3d37a0c84cc41bf9b5638b failed

2020-10-08 Thread Emilio Pozuelo Monfort
On 08/10/2020 01:50, Brian May wrote: I have no idea what is wrong here, or why it is fixated on a commit that is 2 commits behind master... There's some corruption on the git checkout on soriano. I'm looking at it. Emilio

Re: golang-go.crypto / CVE-2019-11841

2020-10-08 Thread Emilio Pozuelo Monfort
On 08/10/2020 10:08, Brian May wrote: Emilio Pozuelo Monfort writes: Have you checked if any rdeps need to be rebuilt? No. I imagine there might be some. How do I check? I can't remember right now how to check reverse build depends. root@andromeda:/# grep-dctrl -FBuild-Depends

Re: golang-go.crypto / CVE-2019-11841

2020-10-08 Thread Emilio Pozuelo Monfort
On 08/10/2020 10:30, Brian May wrote: Emilio Pozuelo Monfort writes: Note that many of those are golang modules which only ship go code on the -dev package, and thus don't need a rebuild. OTOH, compiled binaries may need a rebuild if they use the affected code (directly or indirectly).

Re: [security tracker role] Processing a16b55300564d69f4c3d37a0c84cc41bf9b5638b failed

2020-10-08 Thread Emilio Pozuelo Monfort
On 08/10/2020 09:52, Emilio Pozuelo Monfort wrote: On 08/10/2020 01:50, Brian May wrote: I have no idea what is wrong here, or why it is fixated on a commit that is 2 commits behind master... There's some corruption on the git checkout on soriano. I'm looking at it. Should be fixed now.

Re: golang-go.crypto / CVE-2019-11841

2020-10-09 Thread Emilio Pozuelo Monfort
On 09/10/2020 00:23, Brian May wrote: We probably need someway of keeping track of what packages have already been looked at and their status with respect to this rebuild. Not really convinced data/dla-needed.txt is up to this task. I would look for an automated way to do this. E.g. by download

Re: Future of MariaDB in stretch-lts (was: Re: CVE-2020-15180: MariaDB)

2020-11-05 Thread Emilio Pozuelo Monfort
On 03/11/2020 20:02, Holger Levsen wrote: Hi Otto, On Mon, Nov 02, 2020 at 09:15:32PM +0200, Otto Kekäläinen wrote: I don't have any particular plans. I'll keep updating the package for as long as upstream provides updates. For 10.1 the updates are indeed officially over now: https://mariadb.or

(E)LTS report for October

2020-11-10 Thread Emilio Pozuelo Monfort
Hi, During the month of October, I spent 20.75h on LTS: - investigated and addressed security-tracker corruption - golang-go.crypto analysis and advice - thunderbird 78 ESR update - investigated and fixed thunderbird armhf build failure - investigated thunderbird l10n bug report - mariadb-10.1 a

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-11-16 Thread Emilio Pozuelo Monfort
Hi, On 16/11/2020 11:31, Holger Levsen wrote: There are three DLAs which have been reserved but not yet been published: - (15 Nov 2020) (libvncserver) - (10 Nov 2020) (moin) - (04 Nov 2020) (jupyter-notebook) These used to include the DLA number. Maybe those could be back? fwiw the jupyter-no

Re: cacti graph zoom bug

2020-11-17 Thread Emilio Pozuelo Monfort
On 17/11/2020 10:31, Utkarsh Gupta wrote: Hi LTS team, On Tue, Nov 17, 2020 at 1:27 AM Utkarsh Gupta wrote: On Tue, Nov 17, 2020 at 1:01 AM Matus UHLAR - fantomas wrote: I have submitted a bug, containing fix for this issue: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=974926 I'm not s

Re: openjdk-8 8u275-b01-1

2020-12-02 Thread Emilio Pozuelo Monfort
Hi Thorsten, On 02/12/2020 10:06, Thorsten Glaser wrote: Hi (E)LTS-people, I’ve just uploaded an OpenJDK 8 regression update to sid, sponsored by my employer (as below). (I’m also building locally for buster, wheezy and various *buntu releases, so all possible systems I may encounter are covere

Re: openjdk-8 8u275-b01-1

2020-12-02 Thread Emilio Pozuelo Monfort
On 02/12/2020 11:21, Thorsten Glaser wrote: Hi Emilio, If you can send a debdiff I'd be happy to take a look. the debdiff between sid and stretch would be trivial, just changelog and the regenerated debian/control file (attached). I’m building it at the moment so I can test it first. Do you

Re: How to handle an update that includes a regression fix and a new fix?

2020-12-15 Thread Emilio Pozuelo Monfort
On 15/12/2020 02:16, Roberto C. Sánchez wrote: I am curious if there is a policy or best practice for how to handle a package update containing both a regression fix and also a fix for a new vulnerability. If such a thing is not advisable or permissible, then is it best to handle the regression

(E)LTS report for November

2020-12-15 Thread Emilio Pozuelo Monfort
Hi, During the last month I have spent 22.75h on LTS working on: - thunderbird security updates - libproxy security update - security-tracker improvements - firefox-esr security update - drupal7 announcements - lts meeting - postgresql-9.6 announcement - xorg-server security update - preparation

Regression in lxml in buster/stretch

2020-12-17 Thread Emilio Pozuelo Monfort
Hi, There's a regression in both buster and stretch in the last update of lxml when running under Python 2: >>> import lxml.html.clean Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/usr/lib/python2.7/dist-packages/lxml/html/clean.py", line 73, in <module> r'>> The fix is [1].

Re: Regression in lxml in buster/stretch

2020-12-18 Thread Emilio Pozuelo Monfort
On 18/12/2020 00:05, Roberto C. Sánchez wrote: Uggh. If only I had waited a few more hours to upload. I have the advisory text ready but have not yet published the DLA. Your changes for deb9u3 look good. Would you go ahead and upload deb9u3 and I will publish the advisory once it is built.

Re: openjdk-8 8u275-b01-1

2020-12-22 Thread Emilio Pozuelo Monfort
Hi Thorsten, On 02/12/2020 20:39, Thorsten Glaser wrote: On Wed, 2 Dec 2020, Emilio Pozuelo Monfort wrote: Let me know how those tests go and we can proceed from there. It builds, with the usual “most tests pass”, and the test program I threw at it also works. I have released this to

Re: How to backport test binaries?

2021-02-03 Thread Emilio Pozuelo Monfort
On 03/02/2021 07:45, Utkarsh Gupta wrote: Hello, On several occasions, I've seen that fixing commits of CVEs have some sort of binaries (either an image or some compressed file or whatever) added as a test to ensure that the fix is indeed working as expected. And whilst trying to backport, the

Re: CVE-2020-36193 php-pear vs drupal7

2021-02-25 Thread Emilio Pozuelo Monfort
On 25/02/2021 10:09, Chris Lamb wrote: Morning Ola, Today I looked at CVE-2020-36193 since we have php-pear in dla-needed. Ths thing is that this CVE tells that drupal7 is also vulnerable but drupal7 is not in dla-needed.txt. It may be that drupal7 was not marked as being vulnerable to CVE-20

Re: DLA 2550-1: CVE-2020-27844: Patch present in source but not applied?

2021-03-16 Thread Emilio Pozuelo Monfort
Hi, On 15/03/2021 12:36, Salvatore Bonaccorso wrote: Hi Brian, LTS team, This was reported by the Ubuntu security team: The DLA 2550-1 update was aiming to fix CVE-2020-27844 as well, but it looks that whilst a patch is included in debian/patches the series files does not apply it. To be on sa
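The failure mode reported above, a patch file present in debian/patches but missing from debian/patches/series so that dpkg-source never applies it, is cheap to catch before upload. The script below is an added example, not code from the thread or from the Debian tooling; the package skeleton it builds is constructed, and it assumes the flat layout of a 3.0 (quilt) package where every patch sits directly in debian/patches.

```shell
#!/bin/sh
# Added example (not from the thread): a pre-upload check that every file in
# debian/patches/ is listed in debian/patches/series. dpkg-source only applies
# patches named in series, so a fix that was copied into the directory but
# never added to series ships in the source package without taking effect.

# unlisted_patches SRCDIR: print patch files present in debian/patches but
# absent from series. Comments, blank lines and per-patch options such as
# "-p1" in series are ignored. Patches in subdirectories are not handled
# (assumption: flat layout).
unlisted_patches() {
    pdir="$1/debian/patches"
    [ -f "$pdir/series" ] || { echo "no $pdir/series" >&2; return 2; }
    listed=$(sed -e 's/#.*//' -e 's/^[ \t]*//' -e 's/[ \t].*//' -e '/^$/d' "$pdir/series")
    for f in "$pdir"/*; do
        name=${f##*/}
        [ "$name" = series ] && continue
        [ -f "$f" ] || continue
        printf '%s\n' "$listed" | grep -qxF "$name" || echo "$name"
    done
}

# make_sample: constructed package skeleton in which b.patch was dropped into
# debian/patches but never added to series. Prints the directory.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/debian/patches"
    printf -- '--- a/x\n+++ b/x\n' > "$d/debian/patches/a.patch"
    printf -- '--- a/y\n+++ b/y\n' > "$d/debian/patches/b.patch"
    printf '# CVE fixes\na.patch -p1\n' > "$d/debian/patches/series"
    echo "$d"
}

# Stand-alone usage: reports b.patch as unlisted.
d=$(make_sample)
echo "patches not in series:"
unlisted_patches "$d"
rm -rf "$d"
```

The complementary check is to build the source package and confirm the applied tree actually contains the fix, for example by running `dpkg-source --before-build .` (or `quilt push -a`) and grepping for a line the patch introduces; a patch that is listed in series but fails to apply cleanly is the other way the same symptom appears.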
