a domain name in the subject's Common Name
+(CN) or subjectAltName field of the X.509 certificate, which allows
+man-in-the-middle attackers to spoof SSL servers via a certificate with a
+subject that specifies a common name in a field that is not the CN field.
+
+ -- Markus Koschany
On 16.04.2015 11:31, Markus Koschany wrote:
On 16.04.2015 09:00, Thijs Kinkhorst wrote:
[...]
I can take care of this, but did you also prepare a package for wheezy? If
so, I missed it.
Hi Thijs,
I already filed a bug report for wheezy against release.debian.org. [1]
The security team
On 16.04.2015 09:00, Thijs Kinkhorst wrote:
[...]
I can take care of this, but did you also prepare a package for wheezy? If
so, I missed it.
Hi Thijs,
I already filed a bug report for wheezy against release.debian.org. [1]
The security team has marked this CVE as no-dsa. The debdiff for
is
+now completely resolved by applying this patch and the
+06_fix_CVE-2012-5783.patch.
+ * Change java.source and java.target ant properties to 1.5, otherwise
+commons-httpclient will not compile with this patch.
+
+ -- Markus Koschany a...@gambaru.de Wed, 15 Apr 2015 22:18:19 +0200
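Review bot: the java.source/java.target bullet says the Ant properties are raised to 1.5 only because commons-httpclient "will not compile with this patch", but it does not say which construct in the patch needs that level. Naming it in the changelog would let a reviewer judge whether the bump is required or whether the patch could be adjusted instead, since changing the compile target in a security upload affects every class in the package and not only the code the patch touches.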
On 09.04.2015 12:42, Thorsten Alteholz wrote:
Hi Markus,
thanks for preparing the patch. I uploaded the package now.
On Mon, 30 Mar 2015, Markus Koschany wrote:
Please find attached a debdiff for review to this e-mail.
I have only two remarks. The package should go to squeeze-lts
On 09.06.2015 18:22, Raphael Hertzog wrote:
Hi,
On Sat, 30 May 2015, Markus Koschany wrote:
please find attached the debdiff and fix for libapache-mod-jk in
squeeze. Feedback and testing are appreciated.
I did a quick review and it looks good. It builds fine in my chroot.
But I don't
On 26.05.2015 19:21, Markus Koschany wrote:
On 26.05.2015 17:23, Raphael Hertzog wrote:
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of libapache-mod-jk:
https://security-tracker.debian.org/tracker/CVE
On 26.05.2015 17:23, Raphael Hertzog wrote:
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of libapache-mod-jk:
https://security-tracker.debian.org/tracker/CVE-2014-8111
Would you like to take care of
On 19.11.2015 21:45, Moritz Mühlenhoff wrote:
[...]
> Another package which needs to be sorted out is the support for
> Java. wheezy has both openjdk-6 and openjdk-7 (jessie has only
> -7 and stretch will also only have one version).
>
> Currently the maintenance heavily relies on the
On 02.06.2016 22:03, Moritz Muehlenhoff wrote:
> On Thu, Jun 02, 2016 at 09:32:27PM +0200, Markus Koschany wrote:
>> On 02.06.2016 11:35, Emmanuel Bourg wrote:
>>> On 2/06/2016 11:19, Markus Koschany wrote:
>>>
>>>> I saw that you have claimed libxs
On 02.06.2016 11:35, Emmanuel Bourg wrote:
> On 2/06/2016 11:19, Markus Koschany wrote:
>
>> I saw that you have claimed libxstream-java in dla-needed.txt. It's been
>> a while since the security update for Jessie has been released. Is there
>> a reason why lib
On 06.06.2016 00:52, Ansgar Burchardt wrote:
> Hi,
>
> Markus Koschany <a...@debian.org> writes:
>> On 04.05.2016 13:43, Markus Koschany wrote:
>>> Hi Ansgar,
>>>
>>> In preparation for the default Java switch I have uploaded more packages
On 08.06.2016 10:26, Ansgar Burchardt wrote:
> Markus Koschany <a...@debian.org> writes:
>> thanks for looking into these issues. Yesterday I tried to upload
>> libxstream-java and libpdfbox-java. Dak doesn't seem to like them too. I
>> guess I'm very lucky in find
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: libpdfbox-java
Version: 1:1.7.0+dfsg-4+deb7u1
CVE ID : CVE-2016-2175
Apache PDFBox did not properly initialize the XML parsers, which
allows context-dependent attackers to conduct XML External Entity
(XXE) attacks
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: libxstream-java
Version: 1.4.2-1+deb7u1
CVE ID : CVE-2016-3674
Debian Bug : 819455
It was discovered that XStream, a Java library to serialize objects to
XML and back again, was susceptible to XML External
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: expat
Version: 2.1.0-1+deb7u4
CVE ID : CVE-2012-6702 CVE-2016-5300
Two related issues have been discovered in Expat, a C library for
parsing XML.
CVE-2012-6702
This issue was introduced when CVE-2012-0876 was
Hi all,
I haven't seen our Wheezy LTS post on bits.debian.org yet. Is there
anything we can do?
Regards,
Markus
On 04.05.2016 13:43, Markus Koschany wrote:
> Hi Ansgar,
>
> In preparation for the default Java switch I have uploaded more packages
> to wheezy-security yesterday and most of them are available in the
> archive now. However some of them never showed up there, although I made
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: gdk-pixbuf
Version: 2.26.1-1+deb7u5
CVE ID : CVE-2015-7552
It was discovered that the original fix for CVE-2015-7552 (DLA-450-1)
was incomplete.
A heap-based buffer overflow in gdk-pixbuf, a library for image
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Debian Long Term Support (LTS) is a project created to extend the life
of all Debian stable releases to (at least) 5 years.
Thanks to the LTS sponsors, Debian's buildd maintainers and the Debian
FTP Team are excited to announce that two new
Hello,
I saw that you have claimed libxstream-java in dla-needed.txt. It's been
a while since the security update for Jessie has been released. Is there
a reason why libxstream-java hasn't been updated in Wheezy yet?
Regards,
Markus
On 29.05.2016 22:21, Santiago Ruano Rincón wrote:
> On 29/05/16 19:53, Thorsten Alteholz wrote:
>> Hello dear maintainer(s),
>>
>> the Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of vlc:
>>
On 26.05.2016 09:21, Ola Lundqvist wrote:
> Hi Markus
>
> I realized (too late) that I had not checked the dak mail before I sent
> the mail. Sorry about that.
>
> Thanks for the note about sa option. I'll fix this as soon as possible.
> Do you think I need to step the revision or is a
Hi Ola,
you have sent the security announcement for ruby-mail yesterday but the
package hasn't been uploaded yet. One reason for that might be that it
is the first upload to security-master thus ruby-mail must be built with
-sa. You can follow all changes at
On 31.05.2016 22:41, Ana Guerrero Lopez wrote:
[...]
>
> In bits and announcements we prefer to be more verbose, so the message is
> complete and understandable for the wider audience, even the ones not
> familiarized with the topic.
>
> Given that this is a short news/update on former news, we
Hello Roberto,
On 17.06.2016 18:48, Roberto C. Sánchez wrote:
> (This message is directed to Antoine as he gave me the initial feedback,
> but I welcome comments and suggestions from anyone).
>
> Hi Antoine,
>
> Thanks for the feedback on this a few weeks ago. I've been quite busy
> but I
let us know whether you would
like to review and/or test the updated package before it gets released.
Thank you very much.
Markus Koschany,
on behalf of the Debian LTS team.
PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: openjdk-6
Version: 6b38-1.13.10-1~deb6u1
CVE ID : CVE-2015-7575 CVE-2015-8126 CVE-2015-8472
CVE-2016-0402 CVE-2016-0448 CVE-2016-0466
CVE-2016-0483 CVE-2016-0494
Several
[ I am subscribed to debian-lts. No need to CC me ]
On 11.02.2016 20:36, Moritz Mühlenhoff wrote:
> On Thu, Feb 11, 2016 at 08:19:02PM +0100, Markus Koschany wrote:
>> On 11.02.2016 19:09, Miroslav Skoric wrote:
>>> On 02/10/2016 10:17 AM, Matus UHLAR - fantomas wrote
On 12.02.2016 01:08, Holger Levsen wrote:
> Hi,
>
> On Thursday, 11 February 2016, Markus Koschany wrote:
>>> In the light of the recent confusion about what "February 2016" means
>>> you should really communicate a fixed date upfront.
>> Si
Hi,
On 13.02.2016 09:23, Holger Levsen wrote:
> Hi,
>
> On Friday, 12 February 2016, Markus Koschany wrote:
[...]
>> For now it should be clear that Wheezy LTS will be supported
>> until the end of May 2018.
>
> Sadly, if you only read the "Debian 6.
On 28.01.2016 20:05, Moritz Mühlenhoff wrote:
> On Thu, Jan 28, 2016 at 08:02:47PM +0100, Markus Koschany wrote:
>> In my opinion OpenJDK 7 should be an adequate replacement for OpenJDK 6
>> and I can't think of any serious regressions since all Java packages
>> have pro
Hi all,
I have updated https://wiki.debian.org/LTS/Using to prepare for the
switch to Wheezy LTS. What do you think about sending an EOL
announcement to debian-lts-announce on March 1st? We could simply reuse
the official NEWS post [1] and would probably reach those people who
normally don't read
On 28.02.2016 18:12, Holger Levsen wrote:
> Hi Markus,
>
> On Sunday, 28 February 2016, Markus Koschany wrote:
>> I have updated https://wiki.debian.org/LTS/Using to prepare for the
>> switch to Wheezy LTS. What do you think about sending an EOL
>> announce
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: pcre3
Version: 8.02-1.1+deb6u1
Debian Bug : 815921
HP's Zero Day Initiative has identified a vulnerability affecting the
pcre3 package. It was assigned ZDI id ZDI-CAN-3542. A CVE identifier has
not been assigned yet.
ain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
bsh - Java scripting environment (BeanShell) Version 2
bsh-doc - Documentation for bsh
bsh-gcj - Java scripting environment (BeanShell) Version 2 (native code)
bsh-src - Ja
On 29.02.2016 15:17, Raphael Hertzog wrote:
> On Thu, 19 Nov 2015, Moritz Mühlenhoff wrote:
>> Another package which needs to be sorted out is the support for
>> Java. wheezy has both openjdk-6 and openjdk-7 (jessie has only
>> -7 and stretch will also only have one version).
>
> I asked our
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: bsh
Version: 2.0b4-12+deb6u1
CVE ID : CVE-2016-2510
A remote code execution vulnerability was found in BeanShell, an
embeddable Java source interpreter with object scripting language
features.
CVE-2016-2510:
On 29.02.2016 20:27, Paul Gevers wrote:
> Hi Markus,
>
> On 29-02-16 20:25, Matus UHLAR - fantomas wrote:
>> you only can upgrade to wheezy directly. upgrade across versions is not
>> supported.
>
> I know, but that is not what I meant. I meant (and wrote), upgrade via
> wheezy.
Hi Paul,
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: tomcat6
Version: 6.0.45-1~deb6u1
CVE ID : CVE-2015-5174 CVE-2015-5345 CVE-2015-5351
CVE-2016-0706 CVE-2016-0714 CVE-2016-0763
Tomcat 6, an implementation of the Java Servlet and the JavaServer
Pages
On 19.01.2016 04:36, Jonas Smedegaard wrote:
> Hi Markus and other Debian LTS maintainers,
>
> Quoting Markus Koschany (2016-01-19 00:50:04)
>> the Debian LTS team would like to fix the security issues which are
>> currently open in the Squeeze version of radicale:
On 26.01.2016 22:08, Guido Günther wrote:
> Hi,
> I see many packages marked:
>
> [squeeze] - foo (not supported in Squeeze LTS)
>
> shouldn't that be
>
> [squeeze] - foo (not supported in Squeeze LTS)
>
> since no-dsa implies that the bug might be fixed eventually in
hanged-By: Markus Koschany <a...@debian.org>
Description:
python-radicale - simple calendar server - module
radicale - simple calendar server - daemon
Changes:
radicale (0.3-2+deb6u1) squeeze-lts; urgency=high
.
* Non-maintainer upload by the Debian LTS Team.
* CVE-2015-8748:
P
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: python-imaging
Version: 1.1.7-2+deb6u2
CVE ID : CVE-2016-0775
Debian Bug : 813909
Two buffer overflows were discovered in python-imaging, a Python
library for loading and manipulating image files, which may
org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
wordpress - weblog manager
wordpress-l10n - weblog manager - language files
Closes: 813697
Changes:
wordpress (3.6.1+dfsg-1~deb6u9) squeeze-lts; urgency=high
.
* Non-maintainer upload by the Debian LTS Team.
* Fix open
Version: 1.1.7-2+deb6u2
Distribution: squeeze-lts
Urgency: high
Maintainer: Matthias Klose <d...@debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
python-imaging - Python Imaging Library
python-imaging-dbg - Python Imaging Library (debug extension)
python
On 13.03.2016 04:32, Brian May wrote:
> Brian May writes:
>
>>> 2. Spend some time on investigating what it takes to backport
>>> libav from jessie to wheezy. 11.x is still supported by
>>> libav upstream and we could share triage work for jessie/wheezy
>>> going forwards.
On 24.03.2016 18:59, Johnathon Tinsley wrote:
>>>
>>> I'm seeing this when trying to fetch lts packages from
>>> archive.debian.org at the moment. Anyone know a good contact for them?
>>>
>>> E: Release file expired, ignoring
>>> http://archive.debian.org/debian/dists/squeeze-lts/Release
On 21.03.2016 00:38, Santiago Ruano Rincón wrote:
> Package: debian-security-support
> Severity: wishlist
> Tags: -1 + patch
>
> Hi,
>
> Packages such as tomcat6 will get support until the end of 2016, at the
> same time as Ubuntu LTS. To consider this kind of cases and warn the
> user
Hi,
On 25.03.2016 00:26, Holger Levsen wrote:
> Hi,
>
> On Thu, Mar 24, 2016 at 07:26:22PM +0100, Markus Koschany wrote:
>> squeeze-lts has been archived on archive.debian.org. The warning is
>> valid and it reminds people that the support for Squeeze has ended.
On 01.03.2016 13:16, Bonno Bloksma (list account) wrote:
> Hi,
>
> On 2016-02-29 20:27, Paul Gevers wrote:
>>> I know, but that is not what I meant. I meant (and wrote), upgrade via
>>> wheezy.
>>
>> I think that (what you wrote earlier) would be a sensible recommendation to
>> make.
>>
>>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
The Debian Long Term Support (LTS) Team hereby announces that Debian 6
("Squeeze") support has reached its end-of-life on February 29, 2016,
five years after its initial release on February 6, 2011.
There will be no further security support for
On 29.02.2016 18:04, Raphael Hertzog wrote:
> On Mon, 29 Feb 2016, Markus Koschany wrote:
>> Matthias Klose, the OpenJDK maintainer, stated that he intends to
>> support OpenJDK 6 until Ubuntu 12.04 reaches EOL in April 2017 [1] and I
>> think it should be feasible to
On 01.03.2016 15:45, Scott Kitterman wrote:
> I understand that the plan is not to create a separate package suite for
> Wheezy as was done for Squeeze and to upload to wheezy-security instead.
> How
> are uploads that aren't strictly security uploads going to be handled?
>
> Specifically,
Hi Guido,
On 01.04.2016 12:32, Guido Günther wrote:
[...]
> This all sounds reasonable to me. I wonder if we should prepare an update
> repository before that to make testing simpler (or maybe do this via
> backports)?
I think the situation looks like that:
1. Changing the runtime
On 29.03.2016 23:17, Santiago Ruano Rincón wrote:
> On 21/03/16 18:00, Markus Koschany wrote:
>> On 21.03.2016 00:38, Santiago Ruano Rincón wrote:
> ...
>>> Also, would it be better to have a separate list file for earlyend?
>>
>> Hi,
>>
Hi all,
here is a summary about the current status of making OpenJDK 7 the
default Java JRE / JDK in Wheezy-LTS.
Intended changes
===
1. Making OpenJDK 7 the default by updating src:java-common, so that
default-jre and default-jdk will install OpenJDK 7 instead of
OpenJDK
Hello Publicity Team, hello translation teams
the Debian Long Term Support Team would like to announce the start of
Wheezy LTS on 26 April 2016. I have committed our draft to
https://anonscm.debian.org/cgit/publicity/announcements.git/commit/?id=d816ef401c55297904868a4b8d0b7f18d5bc9154
Justin B
On 21.04.2016 16:33, Antoine Beaupré wrote:
> On 2016-04-21 04:48:26, Raphael Hertzog wrote:
[...]
>> So I suggest you to go ahead and do assignations. If you want to let
>> people pick weeks by themselves, just do it for a few days and then
>> arbitrarily assign the remaining weeks.
>
> I
Hi,
On 27.04.2016 17:26, Adam Borowski wrote:
> Hi guys!
> It looks like a vital piece of information is missing from Monday's news on
> debian-announce: the list of architectures. If I'm reading this list's
> archives right, it is amd64 i386 armhf armel. Yet what the public thinks
> is
On 25.04.2016 11:41, Rene Engelhard wrote:
> Hi,
>
> On Wed, Apr 20, 2016 at 06:22:51PM +0200, Markus Koschany wrote:
>> I would like to ask everyone who uses Java in server or desktop
>> environments to test their applications with OpenJDK 7 and to prepare
On 25.04.2016 12:23, Holger Levsen wrote:
> On Mon, Apr 25, 2016 at 12:17:52PM +0200, Markus Koschany wrote:
>> I think in those cases it is reasonable to recommend to manually change
>> build dependencies back to OpenJDK 6 because rebuilding a package does
>> not
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: botan1.10
Version: 1.10.5-1+deb7u1
CVE ID : CVE-2014-9742 CVE-2015-5726 CVE-2015-5727
CVE-2015-7827 CVE-2016-2194 CVE-2016-2195
CVE-2016-2849
Several security vulnerabilities were
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: gdk-pixbuf
Version: 2.26.1-1+deb7u4
CVE ID : CVE-2015-7552 CVE-2015-7674
A heap-based buffer overflow has been discovered in gdk-pixbuf, a
library for image loading and saving facilities, fast scaling and
On 18.05.2016 21:01, Jeroen Dekkers wrote:
> Hi Markus,
>
> Sorry for the late reply. This bug also isn't fixed in jessie, the
> reason for this is that upstream isn't going to fix this for SOGo 2
> and earlier. The security bug is about the complete lack of CSRF
> protection and implementing
On 21.05.2016 16:31, Balint Reczey wrote:
> Dear LTS Team,
>
> I would like to suggest (and volunteer for) back-porting
> jessie-security's wireshark version to wheezy-lts.
Hi Balint,
FYI, Steffen Moeller is also currently working on a security update for
wireshark (dla-needed.txt). Maybe
package before it gets released.
Thank you very much.
Markus Koschany,
on behalf of the Debian LTS team.
PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc
Hello Roberto, welcome on board!
On 08.05.2016 05:34, Roberto C. Sánchez wrote:
> Hi All,
>
> I'm still "in-training" and I thought I would attempt to prepare an
> upload of the icu package for wheezy.
>
> The package is here: https://people.debian.org/~roberto/
> dsc -
On 08.05.2016 23:58, Simon McVittie wrote:
[...]
> Note that I haven't done any real-world testing on this version, because
> I haven't run wheezy since around the time jessie was released, and my
> production ikiwiki instances use the latest upstream release from
> jessie-backports. t/img.t
On 09.05.2016 19:50, Simon McVittie wrote:
[...]
>> This used to work with the current version in Wheezy. Is this
>> intentional or a regression?
>
> There was no option of that name in the current version in Wheezy. All
> versions prior to last Friday effectively had the same behaviour as if
On 12.05.2016 15:16, Santiago Ruano Rincón wrote:
[...]
qemu
qemu-kvm
xen
> xen will be supported.
libvirt
>
> qemu and qemu-kvm were triaged as unsupported for CVE-2016-3712, but I
> think Guido is studying how to support virtualisation related packages,
> and maybe we
On 17.05.2016 16:59, Antoine Beaupré wrote:
> Reducing CCs.
>
> On 2016-05-14 04:19:50, Brian May wrote:
>> Antoine Beaupré writes:
>>
>>> I reviewed the patch quickly, nothing strikes me as completely wrong,
>>> but I am not currently in a position to test the patchset.
On 17.05.2016 16:49, Antoine Beaupré wrote:
> On 2016-05-17 07:42:52, Santiago Ruano Rincón wrote:
>> Thanks for triaging this. But, don't forget to update
>> https://anonscm.debian.org/cgit/collab-maint/debian-security-support.git/tree/security-support-ended.deb7
>> when needed.
>
>
Hi all,
since armel and armhf are de facto supported in Wheezy LTS now, I have
drafted a short announcement for bits.debian.org in markdown. What do
you think about the text?
Title: Wheezy LTS with armel and armhf support
Date: 2016-05-15 22:13
Author: Markus Koschany
Tags: Wheezy, LTS
Status
Hello Christoph,
thanks for your Icedove security update. We usually send an e-mail to
debian-lts-announce to make users aware of the changes. Do you want to
take care of this yourself? Then please follow our workflow that we have
outlined at
On 18.05.2016 12:33, Raphael Hertzog wrote:
> On Wed, 18 May 2016, Holger Levsen wrote:
>> I just wondered whether we should also include the info that openjdk6
>> will very soon be deprecated and users should update to openjdk7? As
>> evident from this list, even LTS contributors missed this
:51
Author: Markus Koschany
Tags: Wheezy, LTS
Status: draft
Wheezy's [LTS](https://wiki.debian.org/LTS) period started a few weeks
ago and more than thirty updates [have been
announced](https://lists.debian.org/debian-lts-announce/) so far.
Thanks to our sponsors and to the help from Debian's
On 18.05.2016 16:18, Ana Guerrero Lopez wrote:
> On Wed, May 18, 2016 at 03:56:00PM +0200, Markus Koschany wrote:
>> Hi folks,
>>
>> the LTS team would like to make a short announcement on bits.debian.org.
>> We think it is worth mentioning that armel and armhf are
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: openjdk-7
Version: 7u101-2.6.6-2~deb7u1
CVE ID : CVE-2016-0636 CVE-2016-0686 CVE-2016-0687
CVE-2016-0695 CVE-2016-3425 CVE-2016-3426 CVE-2016-3427
Several vulnerabilities have been discovered in
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: smarty3
Version: 3.1.10-2+deb7u1
CVE ID : CVE-2014-8350
Debian Bug : 765920
Smarty3, a template engine for PHP, allowed remote attackers to bypass
the secure mode restrictions and execute arbitrary PHP code as
Hi Ansgar,
In preparation for the default Java switch I have uploaded more packages
to wheezy-security yesterday and most of them are available in the
archive now. However some of them never showed up there, although I made
sure to build with -sa. I guess there is an issue with dak again.
The
On 01.05.2016 10:38, Peter Palfrader wrote:
[...]
> The security mirror is current.
Hi,
I was informed that LTS updates are currently only pushed to the mirrors
when the Security Team has issued a new DSA for it. Of course this is
less than optimal but the ftp team is already aware of it. We
Hi Ansgar,
thank you for fixing the mirror bug. Moritz Mühlenhoff informed us on
IRC that accepted mails for LTS uploads are still sent to dak AT
security.debian.org. Can you filter those mails so that they are sent to
debian-lts-changes instead and if possible also to
dispatch _AT_
not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.
Thank you very much.
Markus Koschany,
on behalf of the Debian LTS team.
PS: A member of the LTS team might start working on this update
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: java-common
Version: 0.47+deb7u1
In preparation for the upcoming default-java switch to OpenJDK 7 on 26
June 2016, the java-common package was updated to inform users about
the intended change. The news will be
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: botan1.10
Version: 1.10.5-1+deb7u1
Debian Bug : 823297
The security update for botan1.10 caused a regression in monotone due
to an ABI change. In order to fix this issue all reverse-dependencies
of botan1.10 have been
let us know whether you would
like to review and/or test the updated package before it gets released.
Thank you very much.
Markus Koschany,
on behalf of the Debian LTS team.
PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone
On 04.05.2016 21:07, Raphael Hertzog wrote:
[...]
>> 2. Should it be uploaded to wheezy-security even if it doesn't fix any
>> security fix? Or does the wheezy queue in ftp-master still work
>> (with ftp-masters' participation)?
>
> We were aware that we would have some non-security
On 03.05.2016 17:49, Guilhem Moulin wrote:
> On Tue, 03 May 2016 at 10:47:31 -0400, Antoine Beaupré wrote:
>> I agree, however I suspect most people using roundcube in production are
>> probably using the backport... There's even a dangling backport in
>> wheezy right now (0.9)... a little
Hello Tom,
On 03.05.2016 18:23, Tom Turelinckx wrote:
> Hello Markus,
>
> Jessie is not available for sparc.
True. sparc64 is the only non-official release architecture that comes
somewhat close.
>
> My /etc/apt/sources.list looks like this:
>
> deb http://ftp.be.debian.org/debian wheezy
On 03.05.2016 18:37, Moritz Muehlenhoff wrote:
> On Tue, May 03, 2016 at 06:28:03PM +0200, Markus Koschany wrote:
>> The second best solution would be to backport either the 1.0.x branch or
>> your jessie-backport packages to Wheezy. Since you actively maintain
>> them, w
On 19.04.2016 21:27, Moritz Mühlenhoff wrote:
> On Tue, Apr 19, 2016 at 09:00:17PM +0200, Markus Koschany wrote:
>> For Debian 7 "Wheezy" LTS there will be no requirement to add a separate
>> wheezy-lts suite to your sources.list any more and your current setup
>>
Hi security team,
only one week to go and I thought it would be a good idea to draft an
announcement for next Tuesday that should be sent to
debian-security-announce and debian-lts-announce. I suggest that we
coordinate the content of the last / first security announcement for
Wheezy / Wheezy
Hello ftp team,
as you already know Wheezy LTS is going to start on 26 April. Is there
anything that we can do to assist you in the process of enabling us to
work with the current wheezy-security distribution?
Our last information was that the switch would be "easy" [1] but in case
there is
On 21.04.2016 08:18, Santiago Ruano Rincón wrote:
> Hi all,
>
> We need to schedule the next cycles of Frontdesk duties. I don't know if
> Raphaël wants to do it (with his Freexian's hat on?), but we could also
> take the slots by ourselves. I am up to be on Frontdesk next week (25-04
> to
the updated package before it gets released.
Thank you very much.
Markus Koschany,
on behalf of the Debian LTS team.
PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https
On 07.05.2016 22:38, Simon McVittie wrote:
> On Sat, 07 May 2016 at 20:52:16 +0200, Markus Koschany wrote:
>> the Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of ikiwiki:
>> https://security-tracker.debian.org/
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: python-django
Version: 1.4.5-1+deb7u17
CVE ID : CVE-2016-6186
Debian Bug : 831799
It was discovered that Django, a high-level Python web development
framework, is prone to a cross-site scripting vulnerability in
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: uclibc
Version: 0.9.32-1+deb7u1
CVE ID : CVE-2016-2224 CVE-2016-2225 CVE-2016-6264
Several vulnerabilities have been discovered in uClibc, an
implementation of the standard C library that is much smaller than
glibc,
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: gosa
Version: 2.7.4-4.3~deb7u3
CVE ID : CVE-2015-8771
GOsa² is a combination of system-administrator and end-user web
interface, designed to handle LDAP based setups.
A code injection vulnerability in the Samba