Re: On (semi-)automated testing and improved workflow of LTS uploads

2019-07-11 Thread Guido Günther
Hi, On Thu, Jul 11, 2019 at 11:15:34AM +, Mike Gabriel wrote: [..snip..] > Personally, I think that using Salsa for this, adds an extra layer of > complexity to the uploading workflow, because we have to pump all packages > that we want to fix in LTS through GitLab. On the plus side of salsa/g

Re: find-work script no longer working on stable

2016-08-09 Thread Guido Günther
On Tue, Aug 09, 2016 at 01:13:23PM +0200, Ola Lundqvist wrote: > Hi Chris > > After fiddling with this for a while I realize that there is a > python-requests package but there is also a python3-requests package. > After installing that it works just fine. > > I have now committed a change docume

Re: find-work script no longer working on stable

2016-08-09 Thread Guido Günther
On Tue, Aug 09, 2016 at 06:50:47PM +0100, Chris Lamb wrote: > > try: > > import requests > > except ImportError: > > sys.stderr.puts("You need to install python3-requests") > > sys.exit(1) > > This seems unnecessary; ``requests`` was always required, it would make > the behaviour incon

Re: Wheezy update of twisted?

2016-08-09 Thread Guido Günther
On Tue, Aug 09, 2016 at 06:24:40PM +1000, Brian May wrote: > Salvatore Bonaccorso writes: > > > Hi, > > > > Just a quick comment on: > > > > On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote: > >> I am inclined to say that no version of twisted, by itself, has this > >> vulnerability. How

Wheezy update of postgresql-9.1?

2016-08-10 Thread Guido Günther
ur package. Just let us know whether you would like to review and/or test the updated package before it gets released. Thank you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. You can verify wheth

Re: matrixssl

2016-08-11 Thread Guido Günther
On Thu, Aug 11, 2016 at 07:00:03PM +1000, Brian May wrote: > Ola Lundqvist writes: > > > This is a very large commit but from > > https://blog.fuzzing-project.org/51-Fun-with-Bignums-Crashing-MatrixSSL-and-more.html > > it looks like it is the following files that were updated: > > - crypto/math/

Re: matrixssl

2016-08-17 Thread Guido Günther
Hi Brian, On Wed, Aug 17, 2016 at 05:49:46PM +1000, Brian May wrote: > Guido Günther writes: > > > As I wrote in dla-needed.txt the bignum handling is in > > crypto/peersec/mpi.c and it seems to use the same algorithms (and lacks > > the same checks in e.g. mp_ex

Re: matrixssl

2016-08-19 Thread Guido Günther
Hi Brian, On Thu, Aug 18, 2016 at 07:24:55AM +0200, Guido Günther wrote: > Hi Brian, > On Wed, Aug 17, 2016 at 05:49:46PM +1000, Brian May wrote: > > Guido Günther writes: > > > > > As I wrote in dla-needed.txt the bignum handling is in > > > crypto/peerse

Re: matrixssl

2016-08-22 Thread Guido Günther
On Mon, Aug 22, 2016 at 06:15:33PM +1000, Brian May wrote: > Brian May writes: > > > I will have a look and see if I can hack^h^h^h^hpatch the Debian package > > to include the above security fix; although I don't have any exploits > > test it with. > > Ok, I have attached my proposed debdiff pa

Re: matrixssl

2016-08-23 Thread Guido Günther
r. I think we should test them before releasing a DLA. -- Guido > > Best regards > > // Ola > > On Tue, Aug 23, 2016 at 7:22 AM, Guido Günther wrote: > > On Mon, Aug 22, 2016 at 06:15:33PM +1000, Brian May wrote: > >> Brian May writes: > >> >

Re: matrixssl

2016-09-01 Thread Guido Günther
Hi Brian, On Thu, Sep 01, 2016 at 05:41:19PM +1000, Brian May wrote: > Guido Günther writes: > > > There are exploits mentioned in the paper. I think we should test them > > before releasing a DLA. > > What paper are you referring to here? > > There is

Re: Security update of firefox-esr for Wheezy

2016-09-01 Thread Guido Günther
On Fri, Sep 02, 2016 at 01:26:05AM +0200, Emilio Pozuelo Monfort wrote: > On 08/08/16 10:20, Raphael Hertzog wrote: > > On Mon, 08 Aug 2016, Emilio Pozuelo Monfort wrote: > >>> Shall we mark gcc-4.8 as unsupported in wheezy, explaining that its only > >>> purpose is to enable build of other package

Re: qemu: CVE-2016-7116

2016-09-03 Thread Guido Günther
On Fri, Sep 02, 2016 at 12:12:17PM +0200, Hugo Lefeuvre wrote: > Hi, > > I've had a quick look at CVE-2016-7116[0] and would be interested by working > on > it. Upstream provided a patch[1], which looks 'relatively' simple and seems to > apply well with some adaptations. However, the names of the

Re: qemu: CVE-2016-7116

2016-09-04 Thread Guido Günther
Hi Thorsten, On Sun, Sep 04, 2016 at 05:23:40PM +0200, Thorsten Alteholz wrote: > Hi Hugo, > > are you aware that this CVE is marked as in Jessie and soon will be > in Wheezy as well. > > So unless you disagree with this, it would be better to avoid any > potential regression and not upload qem

Re: qemu: CVE-2016-7116

2016-09-04 Thread Guido Günther
On Sun, Sep 04, 2016 at 08:06:11PM +0200, Thorsten Alteholz wrote: > Hi Guido, > > On Sun, 4 Sep 2016, Guido Günther wrote: > > no-dsa should be used very scarcely in LTS since we don't have a s-p-u > > to fix minor issues and reading the RedHat entry[1]: > > y

Re: Wheezy update of libtomcrypt?

2016-09-06 Thread Guido Günther
Hi Bálint, On Wed, Sep 07, 2016 at 12:21:28AM +0200, Bálint Réczey wrote: > Hi Michael, > > 2016-09-04 17:51 GMT+02:00 Michael Stapelberg : > > Thanks for your work on LTS. > > > > Time does not permit me to do any of this work myself. > > > > Please go ahead and make any changes as you see fit, t

Re: Wheezy update of libtomcrypt?

2016-09-07 Thread Guido Günther
Hi, Thanks for having a look! On Wed, Sep 07, 2016 at 01:23:49PM +0200, Bálint Réczey wrote: > Hi, > > 2016-09-07 8:00 GMT+02:00 Guido Günther : > > Hi Bálint, > > On Wed, Sep 07, 2016 at 12:21:28AM +0200, Bálint Réczey wrote: > >> Hi Michael, > >>

Re: Wheezy update of icu?

2016-09-07 Thread Guido Günther
On Wed, Sep 07, 2016 at 07:15:56PM -0400, Roberto C. Sánchez wrote: > On Wed, Sep 07, 2016 at 09:10:16PM +0200, Moritz Muehlenhoff wrote: > > > > So, you've identified the upstream fix for CVE-2016-6293 and why does > > that not get committed to the security tracker? > > > > That really sucks. LTS

Re: Wheezy update for qemu ?

2016-09-09 Thread Guido Günther
On Thu, Sep 08, 2016 at 10:22:36PM +0200, Hugo Lefeuvre wrote: > diff -Nru qemu-1.1.2+dfsg/debian/patches/series > qemu-1.1.2+dfsg/debian/patches/series > --- qemu-1.1.2+dfsg/debian/patches/series 2016-07-29 18:22:00.0 > +0200 > +++ qemu-1.1.2+dfsg/debian/patches/series 2016-09-07

Re: Wheezy update for qemu ?

2016-09-23 Thread Guido Günther
Hi Hugo, On Fri, Sep 23, 2016 at 11:08:20AM +0200, Hugo Lefeuvre wrote: > Hi, > > I've had a look at the latest security issues for qemu, and it's quite > unclear to me that qemu is affected by CVE-2016-7466 in wheezy. The affected > source code seems to be absent, and the issue looks hard to repr

Re: Security update of firefox-esr for Wheezy

2016-09-30 Thread Guido Günther
Hi Emilio, On Sat, Sep 03, 2016 at 12:12:55PM +0200, Emilio Pozuelo Monfort wrote: > On 02/09/16 08:39, Guido Günther wrote: > > On Fri, Sep 02, 2016 at 01:26:05AM +0200, Emilio Pozuelo Monfort wrote: > >> On 08/08/16 10:20, Raphael Hertzog wrote: > >>> On Mon, 08 Au

security tracker tasks to work on [Re: LTS report for August]

2016-10-04 Thread Guido Günther
Hi Balint, (We had several mails mentioning "not enough" open issues, not picking this one in particular) On Mon, Sep 05, 2016 at 09:54:44PM +0200, Balint Reczey wrote: > August 2016 was my third month as a debian-lts contributor. I was > allocated 14.75 hours in addition to the 2 hours not used

Re: Wheezy update for qemu ?

2016-10-07 Thread Guido Günther
On Fri, Oct 07, 2016 at 01:09:29PM +0200, Hugo Lefeuvre wrote: > Hi, > > > I'll prepare a patch adding the usb_xhci_exit function and will > > perform some more tests. > > Well, here is what I got after taking some hours to try to produce a > patch for CVE-2016-7466[0]: > > * It is not possible

Re: Wheezy update of icedove?

2016-10-17 Thread Guido Günther
Hi, On Mon, Oct 17, 2016 at 02:07:31PM +0100, Chris Lamb wrote: > Hello dear maintainer(s), > > the Debian LTS team would like to fix the security issues which are > currently open in the Wheezy version of icedove: > https://security-tracker.debian.org/tracker/source-package/icedove > > Would you

Re: fixing in oldstable before unstable (was Re: Wheezy update of tre?)

2016-10-20 Thread Guido Günther
Hi, On Thu, Oct 20, 2016 at 04:52:07PM +0200, Markus Koschany wrote: > On 20.10.2016 16:26, Holger Levsen wrote: > > On Thu, Oct 20, 2016 at 03:59:53PM +0200, Santiago Vila wrote: > >> But I'm a little bit surprised that the whole story begins in wheezy LTS. > >> Should this not start in unstable w

Re: Call for advice and testing of nss (and nspr) and intention to upload correction

2016-10-20 Thread Guido Günther
Hi Ola, On Thu, Oct 20, 2016 at 11:15:29PM +0200, Ola Lundqvist wrote: > Hi LTS team, Mozilla maintainers, Mike and Florian > > I have been working on the security problem reported in nss (and nspr). > https://security-tracker.debian.org/tracker/TEMP-000-583651 > It is about unprotected enviro

Re: fixing in oldstable before unstable (was Re: Wheezy update of tre?)

2016-10-21 Thread Guido Günther
Hi Holger, On Thu, Oct 20, 2016 at 11:43:06PM +, Holger Levsen wrote: > On Thu, Oct 20, 2016 at 11:21:14PM +0200, Bálint Réczey wrote: > > I think it would be a good approach to file bugs against unstable, offer > > help in updating the version and if we don't get a response NMU the > > affecte

Re: fixing in oldstable before unstable (was Re: Wheezy update of tre?)

2016-10-21 Thread Guido Günther
On Fri, Oct 21, 2016 at 11:14:24AM +0100, Chris Lamb wrote: > Guido Günther wrote: > > > > or at least amend LTS-policies to always file a bug if one fixes a bug > > > in LTS which is still open in sid. > > > > I think the latter part is already LTS policy sin

openjdk-7 CVEs

2016-10-21 Thread Guido Günther
Hi, openjdk-7 is unclaimed in dla-needed.txt but I wonder if you guys already have plans for fixing these. Cherry-picking patches or waiting for a new Iced Tea release? Since Wheezy and Jessie currently ship the same version I could prepare the update. Cheers, -- Guido

Re: openjdk-7 CVEs

2016-10-21 Thread Guido Günther
On Fri, Oct 21, 2016 at 03:02:26PM +0200, Markus Koschany wrote: > On 21.10.2016 14:54, Guido Günther wrote: > > Hi, > > openjdk-7 is unclaimed in dla-needed.txt but I wonder if you guys > > already have plans for fixing these. Cherry-picking patches or waiting for >

Re: Call for advice and testing of nss (and nspr) and intention to upload correction

2016-10-21 Thread Guido Günther
r/ IIRC I've used the abi-compliance-checker Debian package. Cheers, -- Guido > > Best regards > > // Ola > > On 20 October 2016 at 23:48, Guido Günther wrote: > > > Hi Ola, > > On Thu, Oct 20, 2016 at 11:15:29PM +0200, Ola Lundqvist wrote: > > > H

Re: fixing in oldstable before unstable (was Re: Wheezy update of tre?)

2016-10-22 Thread Guido Günther
On Fri, Oct 21, 2016 at 11:30:04AM +0100, Chris Lamb wrote: > Guido Günther wrote: > > > I'd just use bin/report-vuln ? > > … one of these days I'm going to look at everything in bin/* and actually > remember what it does :) > > (Yay, for saving myself

Re: fixing in oldstable before unstable (was Re: Wheezy update of tre?)

2016-10-29 Thread Guido Günther
Hi, On Thu, Oct 27, 2016 at 02:36:33PM -0400, Antoine Beaupré wrote: > On 2016-10-21 06:27:07, Guido Günther wrote: > > On Fri, Oct 21, 2016 at 11:14:24AM +0100, Chris Lamb wrote: > > [... nice template ... although maybe not CC the list?] > > > I'd just use bin/rep

Qemu CVEs in Xen

2016-10-30 Thread Guido Günther
Hi, While looking at recent Qemu CVEs I noticed that Xen's embedded qemu does not show up on the list of affected packages for QEMU CVEs anymore so I added: - xen 4.4.0-1 NOTE: Xen switched to qemu-system in 4.4.0-1 to these entries. This shows wheezy as affected so we can triage them (wh

xen packages available for testing

2016-10-31 Thread Guido Günther
Hi, It would be great if somebody running Xen on wheezy could test the packages at: https://korte.credativ.com/~fge/xen/ including a fix for XSA-190: https://github.com/credativ/xen-lts/commit/208130dbea90ccf39a889fc98dd45d8ad9e21ba4 Cheers, -- Guido

Wheezy update of openssl?

2016-11-01 Thread Guido Günther
k you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

Wheezy update of libxslt?

2016-11-01 Thread Guido Günther
k you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

Wheezy update of libupnp?

2016-11-01 Thread Guido Günther
k you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

Wheezy update of memcached?

2016-11-01 Thread Guido Günther
es for the LTS releases. (In case we don't get any answer for months, we may also take it as an opt-out, too.) Thank you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. You can verify whe

Wheezy update of bsdiff?

2016-11-01 Thread Guido Günther
k you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

Re: Wheezy update of sendmail?

2016-11-01 Thread Guido Günther
Hi Chris, On Sun, Oct 23, 2016 at 08:59:47AM +0100, Chris Lamb wrote: > Hello dear maintainer(s), > > the Debian LTS team would like to fix the security issues which are > currently open in the Wheezy version of sendmail: > https://security-tracker.debian.org/tracker/source-package/sendmail While

Wheezy update of sudo?

2016-11-01 Thread Guido Günther
months, we may also take it as an opt-out, too.) Thank you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://anonscm.de

Re: Wheezy update of sendmail?

2016-11-01 Thread Guido Günther
On Tue, Nov 01, 2016 at 03:57:28PM +, Chris Lamb wrote: > Guido Günther wrote: > > > > While going through the CVEs to triage for wheezy I came across sendmail > > but I also saw this mail from you to the list but there's no entry in > > data/dla-need

Re: CVE-2014-9862 Fixed in bsdiff 4.3-17 / Wheezy backport of bsdiff?

2016-11-02 Thread Guido Günther
Hi Jari, On Tue, Nov 01, 2016 at 08:08:47PM +0200, Jari Aalto wrote: > On 2016-11-01 15:12, Guido Günther wrote: > | Hello dear maintainer(s), > | > | the Debian LTS team would like to fix the security issues which are > | currently open in the Wheezy version of bsdiff: >

libimage-info-perl and XML::Simple

2016-11-02 Thread Guido Günther
Hi, as far as I can tell XML::Simple does not resolve external entities, so wheezy is not affected by: https://security-tracker.debian.org/tracker/TEMP-0842891-6227B6 Can somebody more knowledgeable in Perl than I am confirm this? https://github.com/eserte/image-info/commit/781625b643bc

python-django and CVE-2016-9014

2016-11-04 Thread Guido Günther
Hi Nicholas, I put python-django into dla-needed CVE-2016-9014 on 2016-11-02 . You marked it as not-affected ("Vulnerable code introduced in 1.7a1") on the same day but the wheezy version has: allowed_hosts = ['*'] if settings.DEBUG else settings.ALLOWED_HOSTS if validate_host(host, allowed

Re: CVE-2016-9013 / django-python

2016-11-04 Thread Guido Günther
On Fri, Nov 04, 2016 at 05:56:32PM +1100, Brian May wrote: > Ben Hutchings writes: > > > I'm not convinced this even warrants a security advisory. > > Same here. So maybe I should just mark it no-dsa? Possibly confirming > with the security-team first to see if I should also mark Jessie no-dsa

Re: Qemu CVEs in Xen

2016-11-04 Thread Guido Günther
Hi Hugo, On Sun, Oct 30, 2016 at 01:14:57PM +0100, Hugo Lefeuvre wrote: > Hi Guido, > > > While looking at recent Qemu CVEs I noticed that Xen's embedded qemu > > does not show up on the list of affected packages for QEMU CVEs anymore > > so I added: > > > > - xen 4.4.0-1 > > NOTE: Xen sw

Re: python-django and CVE-2016-9014

2016-11-04 Thread Guido Günther
On Fri, Nov 04, 2016 at 10:32:43AM +, Chris Lamb wrote: > Guido Günther wrote: > > > Isn't this also affected by a rebinding attack since we allow any host > > in debug mode? > > If it helps, speaking as a regular Django developer, if you've got > ``setti

Re: Regression problem, call for advice Re: Call for advice and testing of nss (and nspr) and intention to upload correction

2016-11-04 Thread Guido Günther
Hi Ola, On Fri, Nov 04, 2016 at 01:17:36PM +0100, Ola Lundqvist wrote: [..snip analysis..] > As I can see it there are the following options: > 1) Do nothing. Let it be like this. We have a regression problem but only > for software that forks and uses nss in several threads. > 2) Try to reverse the

Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID

2016-11-27 Thread Guido Günther
Hi Roberto, On Mon, Nov 28, 2016 at 01:02:38AM -0500, Roberto C. Sánchez wrote: > Greetings all, > > I have prepared an update of ImageMagick that takes the work Ben > Hutchings started and incorporates patches for all remaining security > issues which have been fixed in jessie [0]. > > The natur

Re: nss security update package ready for review

2016-11-30 Thread Guido Günther
Hi Antoine, On Wed, Nov 30, 2016 at 11:03:39PM -0500, Antoine Beaupré wrote: > On 2016-11-30 16:46:17, Ola Lundqvist wrote: > > Hi > > > > There were no test suite before the update so I could not tell if it was a > > regression or not. > > I just figured out how to hook up the test suite, and it

Wheezy update of openafs?

2016-12-03 Thread Guido Günther
r test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of openafs updates for the LTS releases. Thank you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of th

dwarfutils and no-dsa

2016-12-03 Thread Guido Günther
Hi, looking at https://security-tracker.debian.org/tracker/source-package/dwarfutils it seems we don't run dwarfutils on untrusted code in wheezy. I wonder if we should state things as such. If so I could safely mark CVE-2016-9480 as no-dsa as well. Cheers, -- Guido

Re: Wheezy update of openafs?

2016-12-04 Thread Guido Günther
Hi Ben, On Sat, Dec 03, 2016 at 08:36:49PM -0600, Benjamin Kaduk wrote: > On Sat, Dec 03, 2016 at 12:22:38PM +0100, Guido Günther wrote: > > Hello dear maintainer(s), > > > > the Debian LTS team would like to fix the security issues which are > > currently open in th

Re: Wheezy update of openafs?

2016-12-04 Thread Guido Günther
On Sat, Dec 03, 2016 at 11:27:49PM +0100, Chris Lamb wrote: > [Replying just to debian-lts] > > Guido Günther wrote: > > > Hello dear maintainer(s), > > > > the Debian LTS team would like to fix the security issues which are > > currently open in the

Re: unrealize mechanism in 9pfs

2016-12-17 Thread Guido Günther
On Sat, Dec 17, 2016 at 10:29:57AM +0100, Hugo Lefeuvre wrote: > Hi, > > I'm currently finishing my upload for qemu, and a question is > remaining concerning the fix of CVE-2016-99{14,15,16}[0,1,2]. > > It is clear to me that the 9pfs proxy/handle backend drivers may > issue a memory leakage when

Re: unrealize mechanism in 9pfs

2016-12-18 Thread Guido Günther
On Sun, Dec 18, 2016 at 09:55:55PM +0100, Hugo Lefeuvre wrote: > Hi Guido, > > > We don't have virtfs-proxy-helper in wheezy so I think we don't need > > to support the "proxy" case. > > > > As for "handle" did you check that it works in Wheezy including unplug? > > If so please let me know and we c

Re: unrealize mechanism in 9pfs

2016-12-23 Thread Guido Günther
Hi Hugo, sorry for the delay. On Tue, Dec 20, 2016 at 10:49:31AM +0100, Hugo Lefeuvre wrote: > Hi, > > > Could you paste the commands / libvirt configs you used to test this? > > for handle: > qemu -hda debian_wheezy_amd64_standard.qcow2 -fsdev > handle,id=ninepfstest,path=/home/user/ -device

Re: Call for advice regarding curl CVE-2016-9586

2016-12-25 Thread Guido Günther
Hi Ola, On Fri, Dec 23, 2016 at 11:54:11PM +0100, Ola Lundqvist wrote: > Hi > > I have looked into CVE-2016-9586 affecting curl. > What I'm trying to figure out is whether it is worth the effort to fix > it or not. > > More info here: > https://curl.haxx.se/docs/adv_20161221A.html > > 1) There a

Re: Wheezy update of apache2?

2016-12-28 Thread Guido Günther
Hi Stefan, On Wed, Dec 28, 2016 at 03:44:25PM +0100, Stefan Fritsch wrote: > Hi Ola, > > On Friday, 23 December 2016 23:56:45 CET Ola Lundqvist wrote: > > the Debian LTS team would like to fix the security issues which are > > currently open in the Wheezy version of apache2: > > https://security-t

Re: CVE triage for Xen

2016-12-28 Thread Guido Günther
Hi Hugo, On Wed, Dec 28, 2016 at 12:03:48AM +0100, Hugo Lefeuvre wrote: > Hi, > > Last month I've gone through most of the CVEs affecting qemu in the > past years and investigated whether they were likely to affect the > wheezy version of Xen. For that I have considered that any > vulnerability af

Re: Wheezy update of icedove?

2017-01-02 Thread Guido Günther
Hi, On Mon, Jan 02, 2017 at 08:44:14PM +, Chris Lamb wrote: > the Debian LTS team would like to fix the security issues which are > currently open in the Wheezy version of icedove: > https://security-tracker.debian.org/tracker/source-package/icedove > > Would you like to take care of this your

xen packages up for test

2017-01-03 Thread Guido Günther
Hi, credativ put updated xen packages to fix XSA-202 and XSA-204 here: https://korte.credativ.com/~fge/xen/ If you run xen it would be great to see if it works for you too. Cheers, -- Guido

Re: CVE triage for Xen

2017-01-04 Thread Guido Günther
Hi Hugo, On Wed, Jan 04, 2017 at 10:12:44AM +0100, Hugo Lefeuvre wrote: > Hi Guido, > > > See https://wiki.xenproject.org/wiki/QEMU_Upstream . It's only used for > > device emulation so bugs in e.g. TCG or KVM are not affecting XEN. Also > > all devices not available on i386 / amd64 can be ignored

Re: DLA 773-1 and DLA 773-2

2017-01-09 Thread Guido Günther
On Mon, Jan 09, 2017 at 05:02:06PM +, Chris Lamb wrote: > Hi Thomas, > > > Still no update available for [python-crypto] versions 2.6-4+deb7u6 also > > (for others archs than amd64). > > > > I tried to build 2.6-4+deb7u6 on i386 and it worked so maybe > > autobuilders doesn't know that there

Re: DLA 773-1 and DLA 773-2

2017-01-09 Thread Guido Günther
On Mon, Jan 09, 2017 at 07:52:58PM +, Chris Lamb wrote: > Guido Günther wrote: > > > I had the same problem with flake8 in gbp and used > > > > flake8 -j1 > > > > to work around this. I think we can only skip the patch if hitting an > > EPERM.

Re: DLA 773-1 and DLA 773-2

2017-01-09 Thread Guido Günther
On Mon, Jan 09, 2017 at 08:40:31PM +, Chris Lamb wrote: > Guido Günther wrote: > > > Flake8 does the same internally as what the test does (using the > > multiprocess module): > > Getcha, okay. So, yet another python-crypto upload will be needed? *grin* >

Re: Tools for testing LTS updates

2017-01-23 Thread Guido Günther
On Mon, Jan 23, 2017 at 02:01:41PM -0500, Antoine Beaupré wrote: > On 2017-01-23 18:41:25, Bálint Réczey wrote: > [ratt: cool! though i am not sure when i should use that...?] > > > The other tool I would love to use for LTS work is a private > > https://ci.debian.net/ installation for running aut

Re: Tools for testing LTS updates

2017-01-23 Thread Guido Günther
On Mon, Jan 23, 2017 at 06:41:25PM +0100, Bálint Réczey wrote: > Hi, > > I have just patched ratt to allow automatic rebuilding of reverse > build dependencies in distributions other than unstable: > https://github.com/Debian/ratt/pull/8 > > Sbuild running on jessie (building for wheezy) still em

Re: Tools for testing LTS updates

2017-01-23 Thread Guido Günther
On Mon, Jan 23, 2017 at 07:22:30PM +, Holger Levsen wrote: > On Mon, Jan 23, 2017 at 02:01:41PM -0500, Antoine Beaupré wrote: > > regarding ci... i am not sure how useful that would be for me. right > > now, i just run a wheezy VM inside qemu and install stuff by hand in > > there. since i need

Re: Tools for testing LTS updates

2017-01-23 Thread Guido Günther
On Mon, Jan 23, 2017 at 03:06:31PM -0500, Antoine Beaupré wrote: > On 2017-01-23 20:46:28, Guido Günther wrote: > > On Mon, Jan 23, 2017 at 07:22:30PM +, Holger Levsen wrote: > >> On Mon, Jan 23, 2017 at 02:01:41PM -0500, Antoine Beaupré wrote: > >> > regarding

Re: Wheezy update of qemu?

2017-01-24 Thread Guido Günther
On Tue, Jan 24, 2017 at 10:57:11AM +0300, Michael Tokarev wrote: > 24.01.2017 10:42, Ola Lundqvist wrote: > > CVE-2016-9602 > > this is about 9pfs. In wheezy, this is hardly used by anyone, > as it is very slow and quite unstable. But yes, it might be a > real security issue. Just as a datapoint:

Re: testing bind9 for Wheezy LTS

2017-01-28 Thread Guido Günther
Hi Thorsten, On Wed, Jan 25, 2017 at 10:19:36PM +0100, Thorsten Alteholz wrote: > Hi everybody, > > I uploaded version 9.8.4.dfsg.P1-6+nmu2+deb7u14 of bind9 to: > > https://people.debian.org/~alteholz/packages/wheezy-lts/bind9/amd64/ > > Please give it a try and tell me about any problems you me

Imagemagick 8%6.7.7.10-5+deb7u11

2017-01-28 Thread Guido Günther
677-Memory-allocate-failure-in-AcquireQuantumPixels.patch: ++ Add complete fix for CVE-2016-8677. + + [ Guido Günther ] + * Fix recent security issues. +CVE-2016-10144 CVE-2016-10145 CVE-2016-10146 CVE-2017-5506 CVE-2017-5507 +CVE-2017-5508 CVE-2017-5510 CVE-2017-5511 +(Closes: #85148

Re: Anyone having more information about the tcpdump security CVEs?

2017-01-30 Thread Guido Günther
On Mon, Jan 30, 2017 at 07:34:59PM +0100, Romain Francoise wrote: > On Sun, Jan 29, 2017 at 05:14:33PM +0100, Romain Francoise wrote: > > Ok, I will prepare the package and upload it next week. > > Done! I didn't include the upstream tarball as I already uploaded it to > jessie-security and IIUC i

Re: graphicsmagick update

2017-01-31 Thread Guido Günther
On Tue, Jan 31, 2017 at 04:07:19PM -0500, Antoine Beaupré wrote: > On 2017-01-31 21:42:41, Emilio Pozuelo Monfort wrote: > > I'd say it makes sense to release a regression update. > > > > BTW I'm not sure about this change, which is not mentioned in your > > changelog entry: > > > > --- graphicsma

Re: What to do with jbig2dec in wheezy and jessie

2017-02-01 Thread Guido Günther
On Wed, Feb 01, 2017 at 10:53:57PM +0100, Ola Lundqvist wrote: > Hi > > This is a very good question that I do not have a good answer to. > > It depends on: > - Whether there are good regression test suites or not. If it exists > and it passes then we are on a safer side. > - What the changes are a

Wheezy update of libphp-phpmailer?

2017-02-02 Thread Guido Günther
you would like to review and/or test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of libphp-phpmailer updates for the LTS releases. Thank you very much. Guido Günther, on behalf of the

Print undetermined issues in lts-cve-triage

2017-02-03 Thread Guido Günther
Hi, while looking at the recent changes in data/CVE/list I noticed a bunch of gstreamer issues being added but not showing up in the output produced by lts-cve-triage. Reason was that they're marked as undetermined. The attached patch adds undetermined issues to the output by default. O.k. to apply

Re: Fixing CVE-2017-5617 (SSRF) for svgsalamander in wheezy

2017-02-03 Thread Guido Günther
On Fri, Feb 03, 2017 at 10:07:55AM +0100, Sebastiaan Couwenberg wrote: > Dear LTS Team, > > Vincent Privat of the JOSM development team has provided a fix for > CVE-2017-5617 (#853134). > > I've included a patch with his changes in the Debian package, and > uploaded it to unstable, and backporte

Re: Print undetermined issues in lts-cve-triage

2017-02-03 Thread Guido Günther
Hi Moritz, On Fri, Feb 03, 2017 at 11:48:43AM +0100, Moritz Muehlenhoff wrote: > On Fri, Feb 03, 2017 at 10:58:35AM +0100, Guido Günther wrote: > > Hi, > > while looking at the recent changes in data/CVE/list I noticed a bunch > > of gstreamer issues being added but not sho

Re: Print undetermined issues in lts-cve-triage

2017-02-03 Thread Guido Günther
On Fri, Feb 03, 2017 at 12:25:19PM +0100, Emilio Pozuelo Monfort wrote: > On 03/02/17 10:58, Guido Günther wrote: > > Hi, > > while looking at the recent changes in data/CVE/list I noticed a bunch > > of gstreamer issues being added but not showing up in the output > >

Wheezy update of libpodofo?

2017-02-04 Thread Guido Günther
to review and/or test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of libpodofo updates for the LTS releases. Thank you very much. Guido Günther, on behalf of the Debian LTS team. PS: A

Re: [Secure-testing-commits] r48631 - in data: . CVE

2017-02-04 Thread Guido Günther
On Tue, Jan 31, 2017 at 10:14:18PM +0100, Emilio Pozuelo Monfort wrote: > Hi Balint, > > On 31/01/17 21:46, Balint Reczey wrote: > > Log: > > wavpack's issues don't affect wheezy > > > > The first part of the upstream patch is not needed since the > > code is very different and not vulnerable. >

[PATCH] lts-cve-triage: Allow to ignore unsupported packages

2017-02-04 Thread Guido Günther
This avoids listing packages with limited support which clobber the output. --- Do we want to enable this by default? bin/lts-cve-triage.py | 7 ++- bin/unsupported_packages.py | 43 +-- 2 files changed, 35 insertions(+), 15 deletions(-) diff -

[debian-security-support PATCH] Drop support for kfreebsd-*

2017-02-04 Thread Guido Günther
kfreebsd-* builds packages for amd64 but we don't actually support the architecture so add it as unsupported in Wheezy LTS. --- This makes sure we don't have this in the list of bugs to triage. security-support-ended.deb7 | 5 + 1 file changed, 5 insertions(+) diff --git a/security-support-en

Re: [PATCH] lts-cve-triage: Allow to ignore unsupported packages

2017-02-05 Thread Guido Günther
On Sat, Feb 04, 2017 at 12:00:21PM -0500, Antoine Beaupré wrote: > On 2017-02-04 13:19:12, Guido Günther wrote: > > This avoids listing packages with limited support which clobber the output. > > that's great! > > > Do we want to enable this by default? > >

zoneminder CVEs

2017-02-05 Thread Guido Günther
Hi, zoneminder has multiple CVEs open and it does not look pretty: http://seclists.org/bugtraq/2017/Feb/5 I think we have no choice but to end security support (or mark the issues as no-dsa and move the package to limited security support like only run in trusted environments). Cheers, -- Gu

Re: [debian-security-support PATCH] Drop support for kfreebsd-*

2017-02-06 Thread Guido Günther
On Mon, Feb 06, 2017 at 10:10:22AM +, Holger Levsen wrote: > On Sat, Feb 04, 2017 at 01:29:21PM +0100, Guido Günther wrote: > > kfreebsd-* builds packages for amd64 but we don't actually support the > > architecture so add it as unsupported in Wheezy LTS. >

Re: [debian-security-support PATCH] Drop support for kfreebsd-*

2017-02-09 Thread Guido Günther
On Mon, Feb 06, 2017 at 06:40:43PM +0100, Guido Günther wrote: > On Mon, Feb 06, 2017 at 10:10:22AM +, Holger Levsen wrote: > > On Sat, Feb 04, 2017 at 01:29:21PM +0100, Guido Günther wrote: > > > kfreebsd-* builds packages for amd64 but we don't actually support the

Re: Print undetermined issues in lts-cve-triage

2017-02-12 Thread Guido Günther
On Mon, Feb 13, 2017 at 12:13:19AM +0100, Emilio Pozuelo Monfort wrote: > On 03/02/17 16:37, Guido Günther wrote: > > On Fri, Feb 03, 2017 at 12:25:19PM +0100, Emilio Pozuelo Monfort wrote: > >> On 03/02/17 10:58, Guido Günther wrote: > >>> Hi, > >>> while

Re: testing and review requested for Wheezy update of apache2

2017-02-22 Thread Guido Günther
Hi Jonas, On Wed, Feb 22, 2017 at 05:28:46PM +0100, Jonas Meurer wrote: > This time with the debdiff between Antoine's version and mine. Are there packages available for testing? I could give it another whirl. -- Guido

Re: testing and review requested for Wheezy update of apache2

2017-02-23 Thread Guido Günther
On Wed, Feb 22, 2017 at 06:54:46PM +0100, Jonas Meurer wrote: > On 22.02.2017 at 18:46, Guido Günther wrote: > > Hi Jonas, > > On Wed, Feb 22, 2017 at 05:28:46PM +0100, Jonas Meurer wrote: > >> This time with the debdiff between Antoine's version and mine. >

qemu-kvm update

2017-02-23 Thread Guido Günther
h value as needed in blit_is_unsafe +This is an update for CVE-2016-9921 + * CVE-2017-2615: cirrus: fix oob access issue + * CVE-2017-5973: xhci: apply limits to loops + * CVE-2017-5898: usb: ccid: check ccid apdu length + + -- Guido Günther Thu, 23 Feb 2017 17:57:04 +0100 + qemu-kvm (1.1.2+dfsg-6+deb7

Re: testing bind9 for Wheezy LTS

2017-02-27 Thread Guido Günther
Hi Torsten, On Fri, Feb 24, 2017 at 11:07:05PM +0100, Thorsten Alteholz wrote: > Hi everybody, > > I uploaded version 9.8.4.dfsg.P1-6+nmu2+deb7u15 of bind9 to: > > https://people.debian.org/~alteholz/packages/wheezy-lts/bind9/amd64/ > > Please give it a try and tell me about any problems you met

Re: Should icedove be renamed in oldstable?

2017-02-28 Thread Guido Günther
On Tue, Feb 28, 2017 at 09:17:38PM +0100, Ola Lundqvist wrote: > Hi LTS Team, Guido and Christoph > > In the dla-needed.txt file I found the following lines: > > "icedove > NOTE: maintainer currently plans to rename to thunderbird with the next > NOTE: upstream version (#851989). Jessie / Whe

Re: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-24 Thread Guido Günther
Hi Roberto, On Fri, Mar 24, 2017 at 10:45:44AM -0400, Roberto C. Sánchez wrote: > On Fri, Mar 24, 2017 at 03:16:28PM +0100, Mathieu Parent wrote: > > Please wait a bit before uploading. > > > > There is a regression in jessie when "follow symlinks = no" #858564, > > and a segfault with vfs_shadow2

Re: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-24 Thread Guido Günther
On Fri, Mar 24, 2017 at 04:04:08PM +0100, Moritz Muehlenhoff wrote: > On Fri, Mar 24, 2017 at 03:55:23PM +0100, Guido Günther wrote: > > Hi Roberto, > > On Fri, Mar 24, 2017 at 10:45:44AM -0400, Roberto C. Sánchez wrote: > > > On Fri, Mar 24, 2017 at 03:16:28PM +01

Re: Bug#858973: wheezy-pu: package ejabberd/2.1.10-4+deb7u2

2017-03-29 Thread Guido Günther
Hi Philipp, On Wed, Mar 29, 2017 at 10:57:03AM +0200, Emilio Pozuelo Monfort wrote: > On 29/03/17 10:12, Philipp Huebner wrote: > > Package: release.debian.org > > Severity: normal > > Tags: wheezy > > User: release.debian@packages.debian.org > > Usertags: pu > > > > Hi, > > > > I'm not sure
