Re: squeeze update of axis?

2015-02-18 Thread Markus Koschany
a domain name in the subject's Common Name +(CN) or subjectAltName field of the X.509 certificate, which allows +man-in-the-middle attackers to spoof SSL servers via a certificate with a +subject that specifies a common name in a field that is not the CN field. + + -- Markus Koschany

Re: squeeze update of commons-httpclient

2015-05-02 Thread Markus Koschany
On 16.04.2015 11:31, Markus Koschany wrote: On 16.04.2015 09:00, Thijs Kinkhorst wrote: [...] I can take care of this, but did you also prepare a package for wheezy? If so, I missed it. Hi Thijs, I already filed a bug report for wheezy against release.debian.org. [1] The security team

Re: squeeze update of commons-httpclient

2015-04-16 Thread Markus Koschany
On 16.04.2015 09:00, Thijs Kinkhorst wrote: [...] I can take care of this, but did you also prepare a package for wheezy? If so, I missed it. Hi Thijs, I already filed a bug report for wheezy against release.debian.org. [1] The security team has marked this CVE as no-dsa. The debdiff for

squeeze update of commons-httpclient

2015-04-15 Thread Markus Koschany
is +now completely resolved by applying this patch and the +06_fix_CVE-2012-5783.patch. + * Change java.source and java.target ant properties to 1.5, otherwise +commons-httpclient will not compile with this patch. + + -- Markus Koschany a...@gambaru.de Wed, 15 Apr 2015 22:18:19 +0200

Re: squeeze update of checkpw?

2015-04-09 Thread Markus Koschany
On 09.04.2015 12:42, Thorsten Alteholz wrote: Hi Markus, thanks for preparing the patch. I uploaded the package now. On Mon, 30 Mar 2015, Markus Koschany wrote: Please find attached a debdiff for review to this e-mail. I have only two remarks. The package should go to squeeze-lts

Re: squeeze update of libapache-mod-jk?

2015-06-09 Thread Markus Koschany
On 09.06.2015 18:22, Raphael Hertzog wrote: Hi, On Sat, 30 May 2015, Markus Koschany wrote: please find attached the debdiff and fix for libapache-mod-jk in squeeze. Feedback and testing are appreciated. I did a quick review and it looks good. It builds fine in my chroot. But I don't

Re: squeeze update of libapache-mod-jk?

2015-05-30 Thread Markus Koschany
On 26.05.2015 19:21, Markus Koschany wrote: On 26.05.2015 17:23, Raphael Hertzog wrote: Hello dear maintainer(s), the Debian LTS team would like to fix the security issues which are currently open in the Squeeze version of libapache-mod-jk: https://security-tracker.debian.org/tracker/CVE

Re: squeeze update of libapache-mod-jk?

2015-05-26 Thread Markus Koschany
On 26.05.2015 17:23, Raphael Hertzog wrote: Hello dear maintainer(s), the Debian LTS team would like to fix the security issues which are currently open in the Squeeze version of libapache-mod-jk: https://security-tracker.debian.org/tracker/CVE-2014-8111 Would you like to take care of

Re: Unsupported packages for Wheezy LTS

2015-11-19 Thread Markus Koschany
On 19.11.2015 at 21:45, Moritz Mühlenhoff wrote: [...] > Another package which needs to be sorted out is the support for > Java. wheezy has both openjdk-6 and openjdk-7 (jessie has only > -7 and stretch will also only have one version). > > Currently the maintenance heavily relies on the

Re: Security update of libxstream-java

2016-06-02 Thread Markus Koschany
On 02.06.2016 22:03, Moritz Muehlenhoff wrote: > On Thu, Jun 02, 2016 at 09:32:27PM +0200, Markus Koschany wrote: >> On 02.06.2016 11:35, Emmanuel Bourg wrote: >>> On 2/06/2016 at 11:19, Markus Koschany wrote: >>> >>>> I saw that you have claimed libxs

Re: Security update of libxstream-java

2016-06-02 Thread Markus Koschany
On 02.06.2016 11:35, Emmanuel Bourg wrote: > On 2/06/2016 at 11:19, Markus Koschany wrote: > >> I saw that you have claimed libxstream-java in dla-needed.txt. It's been >> a while since the security update for Jessie has been released. Is there >> a reason why lib

Re: Debian LTS: uploaded packages to wheezy-security not available

2016-06-07 Thread Markus Koschany
On 06.06.2016 00:52, Ansgar Burchardt wrote: > Hi, > > Markus Koschany <a...@debian.org> writes: >> On 04.05.2016 at 13:43, Markus Koschany wrote: >>> Hi Ansgar, >>> >>> In preparation for the default Java switch I have uploaded more packages &

Re: Debian LTS: uploaded packages to wheezy-security not available

2016-06-08 Thread Markus Koschany
On 08.06.2016 10:26, Ansgar Burchardt wrote: > Markus Koschany <a...@debian.org> writes: >> thanks for looking into these issues. Yesterday I tried to upload >> libxstream-java and libpdfbox-java. Dak doesn't seem to like them too. I >> guess I'm very lucky in find

[SECURITY] [DLA 505-1] libpdfbox-java security update

2016-06-08 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: libpdfbox-java Version: 1:1.7.0+dfsg-4+deb7u1 CVE ID : CVE-2016-2175 Apache PDFBox did not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks

[SECURITY] [DLA 504-1] libxstream-java security update

2016-06-08 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: libxstream-java Version: 1.4.2-1+deb7u1 CVE ID : CVE-2016-3674 Debian Bug : 819455 It was discovered that XStream, a Java library to serialize objects to XML and back again, was susceptible to XML External

[SECURITY] [DLA 508-1] expat security update

2016-06-08 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: expat Version: 2.1.0-1+deb7u4 CVE ID : CVE-2012-6702 CVE-2016-5300 Two related issues have been discovered in Expat, a C library for parsing XML. CVE-2012-6702 This issue was introduced when CVE-2012-0876 was

Re: bits.debian.org: Wheezy LTS post about armel and armhf support

2016-05-28 Thread Markus Koschany
Hi all, I haven't seen our Wheezy LTS post on bits.debian.org yet. Is there anything we can do? Regards, Markus

Re: Debian LTS: uploaded packages to wheezy-security not available

2016-05-28 Thread Markus Koschany
On 04.05.2016 at 13:43, Markus Koschany wrote: > Hi Ansgar, > > In preparation for the default Java switch I have uploaded more packages > to wheezy-security yesterday and most of them are available in the > archive now. However some of them never showed up there, although I made

[SECURITY] [DLA 501-1] gdk-pixbuf security update

2016-06-02 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: gdk-pixbuf Version: 2.26.1-1+deb7u5 CVE ID : CVE-2015-7552 It was discovered that the original fix for CVE-2015-7552 (DLA-450-1) was incomplete. A heap-based buffer overflow in gdk-pixbuf, a library for image

[SECURITY] Debian 7 Wheezy LTS now supporting armel and armhf

2016-06-02 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Debian Long Term Support (LTS) is a project created to extend the life of all Debian stable releases to (at least) 5 years. Thanks to the LTS sponsors, Debian's buildd maintainers and the Debian FTP Team are excited to announce that two new

Security update of libxstream-java

2016-06-02 Thread Markus Koschany
Hello, I saw that you have claimed libxstream-java in dla-needed.txt. It's been a while since the security update for Jessie has been released. Is there a reason why libxstream-java hasn't been updated in Wheezy yet? Regards, Markus

Re: Wheezy update of vlc?

2016-06-02 Thread Markus Koschany
On 29.05.2016 22:21, Santiago Ruano Rincón wrote: > On 29/05/16 at 19:53, Thorsten Alteholz wrote: >> Hello dear maintainer(s), >> >> the Debian LTS team would like to fix the security issues which are >> currently open in the Wheezy version of vlc: >>

Re: Debian LTS Security update of ruby-mail (advice needed)

2016-05-26 Thread Markus Koschany
On 26.05.2016 at 09:21, Ola Lundqvist wrote: > Hi Markus > > I realized (too late) that I had not checked the dak mail before I sent > the mail. Sorry about that. > > Thanks for the note about sa option. I'll fix this as soon as possible. > Do you think I need to step the revision or is a

Re: Debian LTS Security update of ruby-mail (advice needed)

2016-05-26 Thread Markus Koschany
Hi Ola, you have sent the security announcement for ruby-mail yesterday but the package hasn't been uploaded yet. One reason for that might be that it is the first upload to security-master thus ruby-mail must be built with -sa. You can follow all changes at

Re: bits.debian.org: Wheezy LTS post about armel and armhf support

2016-06-01 Thread Markus Koschany
On 31.05.2016 22:41, Ana Guerrero Lopez wrote: [...] > > In bits and announcements we prefer to be more verbose, so the message is > complete and understandable for the wider audience, even the ones not > familiarized with the topic. > > Given that this is a short news/update on former news, we

Re: icu package and debdiff [new contributor, first attempt]

2016-06-20 Thread Markus Koschany
Hello Roberto, On 17.06.2016 18:48, Roberto C. Sánchez wrote: > (This message is directed to Antoine as he gave me the initial feedback, > but I welcome comments and suggestions from anyone). > > Hi Antoine, > > Thanks for the feedback on this a few weeks ago. I've been quite busy > but I

squeeze update of radicale?

2016-01-18 Thread Markus Koschany
let us know whether you would like to review and/or test the updated package before it gets released. Thank you very much. Markus Koschany, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone

[SECURITY] [DLA 410-1] openjdk-6 security update

2016-02-04 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: openjdk-6 Version: 6b38-1.13.10-1~deb6u1 CVE ID : CVE-2015-7575 CVE-2015-8126 CVE-2015-8472 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494 Several

Re: Preparing to announce Squeeze LTS end-of-life

2016-02-11 Thread Markus Koschany
[ I am subscribed to debian-lts. No need to CC me ] On 11.02.2016 at 20:36, Moritz Mühlenhoff wrote: > On Thu, Feb 11, 2016 at 08:19:02PM +0100, Markus Koschany wrote: >> On 11.02.2016 at 19:09, Miroslav Skoric wrote: >>> On 02/10/2016 10:17 AM, Matus UHLAR - fantomas wrote

Re: Preparing to announce Squeeze LTS end-of-life

2016-02-11 Thread Markus Koschany
On 12.02.2016 at 01:08, Holger Levsen wrote: > Hi, > > On Thursday, 11 February 2016, Markus Koschany wrote: >>> In the light of the recent confusion about what "February 2016" means >>> you should really communicate a fixed date upfront. >> Si

Re: Preparing to announce Squeeze LTS end-of-life

2016-02-13 Thread Markus Koschany
Hi, On 13.02.2016 at 09:23, Holger Levsen wrote: > Hi, > > On Friday, 12 February 2016, Markus Koschany wrote: [...] >> For now it should be clear that Wheezy LTS will be supported >> until the end of May 2018. > > Sadly, if you only read the "Debian 6.

Re: Summary of the LTS BoF held during DebConf

2016-01-28 Thread Markus Koschany
On 28.01.2016 at 20:05, Moritz Mühlenhoff wrote: > On Thu, Jan 28, 2016 at 08:02:47PM +0100, Markus Koschany wrote: >> In my opinion OpenJDK 7 should be an adequate replacement for OpenJDK 6 >> and I can't think of any serious regressions since all Java packages >> have pro

Wiki update LTS/Using and EOL announcement

2016-02-28 Thread Markus Koschany
Hi all, I have updated https://wiki.debian.org/LTS/Using to prepare for the switch to Wheezy LTS. What do you think about sending an EOL announcement to debian-lts-announce on March 1st? We could simply reuse the official NEWS post [1] and would probably reach those people who normally don't read

Re: Wiki update LTS/Using and EOL announcement

2016-02-29 Thread Markus Koschany
On 28.02.2016 at 18:12, Holger Levsen wrote: > Hi Markus, > > On Sunday, 28 February 2016, Markus Koschany wrote: >> I have updated https://wiki.debian.org/LTS/Using to prepare for the >> switch to Wheezy LTS. What do you think about sending an EOL >> announce

[SECURITY] [DLA 441-1] pcre3 security update

2016-02-29 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: pcre3 Version: 8.02-1.1+deb6u1 Debian Bug : 815921 HP's Zero Day Initiative has identified a vulnerability affecting the pcre3 package. It was assigned ZDI id ZDI-CAN-3542. A CVE identifier has not been assigned yet.

Accepted bsh 2.0b4-12+deb6u1 (source all i386) into squeeze-lts

2016-02-29 Thread Markus Koschany
ain...@lists.alioth.debian.org> Changed-By: Markus Koschany <a...@debian.org> Description: bsh- Java scripting environment (BeanShell) Version 2 bsh-doc- Documentation for bsh bsh-gcj- Java scripting environment (BeanShell) Version 2 (native code) bsh-src- Ja

Re: Unsupported packages for Wheezy LTS

2016-02-29 Thread Markus Koschany
On 29.02.2016 at 15:17, Raphael Hertzog wrote: > On Thu, 19 Nov 2015, Moritz Mühlenhoff wrote: >> Another package which needs to be sorted out is the support for >> Java. wheezy has both openjdk-6 and openjdk-7 (jessie has only >> -7 and stretch will also only have one version). > > I asked our

[SECURITY] [DLA 443-1] bsh security update

2016-02-29 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: bsh Version: 2.0b4-12+deb6u1 CVE ID : CVE-2016-2510 A remote code execution vulnerability was found in BeanShell, an embeddable Java source interpreter with object scripting language features. CVE-2016-2510:

Re: Wiki update LTS/Using and EOL announcement

2016-02-29 Thread Markus Koschany
On 29.02.2016 at 20:27, Paul Gevers wrote: > Hi Markus, > > On 29-02-16 20:25, Matus UHLAR - fantomas wrote: >> you can only upgrade to wheezy directly. upgrade across versions is not >> supported. > > I know, but that is not what I meant. I meant (and wrote), upgrade via > wheezy. Hi Paul,

[SECURITY] [DLA 435-1] tomcat6 security update

2016-02-27 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: tomcat6 Version: 6.0.45-1~deb6u1 CVE ID : CVE-2015-5174 CVE-2015-5345 CVE-2015-5351 CVE-2016-0706 CVE-2016-0714 CVE-2016-0763 Tomcat 6, an implementation of the Java Servlet and the JavaServer Pages

Re: squeeze update of radicale?

2016-01-19 Thread Markus Koschany
On 19.01.2016 at 04:36, Jonas Smedegaard wrote: > Hi Markus and other Debian LTS maintainers, > > Quoting Markus Koschany (2016-01-19 00:50:04) >> the Debian LTS team would like to fix the security issues which are >> currently open in the Squeeze version of radicale:

Re: no-dsa vs. end-of-life

2016-01-26 Thread Markus Koschany
On 26.01.2016 at 22:08, Guido Günther wrote: > Hi, > I see many packages marked: > > [squeeze] - foo (not supported in Squeeze LTS) > > shouldn't that be > > [squeeze] - foo (not supported in Squeeze LTS) > > since no-dsa implies that the bug might be fixed eventually in

Accepted radicale 0.3-2+deb6u1 (source all) into squeeze-lts

2016-01-26 Thread Markus Koschany
hanged-By: Markus Koschany <a...@debian.org> Description: python-radicale - simple calendar server - module radicale - simple calendar server - daemon Changes: radicale (0.3-2+deb6u1) squeeze-lts; urgency=high . * Non-maintainer upload by the Debian LTS Team. * CVE-2015-8748: P

[SECURITY] [DLA 422-1] python-imaging security update

2016-02-21 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: python-imaging Version: 1.1.7-2+deb6u2 CVE ID : CVE-2016-0775 Debian Bug : 813909 Two buffer overflows were discovered in python-imaging, a Python library for loading and manipulating image files, which may

Accepted wordpress 3.6.1+dfsg-1~deb6u9 (source all) into squeeze-lts

2016-02-16 Thread Markus Koschany
org> Changed-By: Markus Koschany <a...@debian.org> Description: wordpress - weblog manager wordpress-l10n - weblog manager - language files Closes: 813697 Changes: wordpress (3.6.1+dfsg-1~deb6u9) squeeze-lts; urgency=high . * Non-maintainer upload by the Debian LTS Team. * Fix open

Accepted python-imaging 1.1.7-2+deb6u2 (source all i386) into squeeze-lts

2016-02-21 Thread Markus Koschany
Version: 1.1.7-2+deb6u2 Distribution: squeeze-lts Urgency: high Maintainer: Matthias Klose <d...@debian.org> Changed-By: Markus Koschany <a...@debian.org> Description: python-imaging - Python Imaging Library python-imaging-dbg - Python Imaging Library (debug extension) python

Re: working for wheezy-security until wheezy-lts starts

2016-03-13 Thread Markus Koschany
On 13.03.2016 at 04:32, Brian May wrote: > Brian May writes: > >>> 2. Spend some time on investigating what it takes to backport >>> libav from jessie to wheezy. 11.x is still supported by >>> libav upstream and we could share triage work for jessie/wheezy >>> going forwards.

Re: Archive of squeeze-lts ?

2016-03-24 Thread Markus Koschany
On 24.03.2016 at 18:59, Johnathon Tinsley wrote: >>> >>> I'm seeing this when trying to fetch lts packages from >>> archive.debian.org at the moment. Anyone know a good contact for them? >>> >>> E: Release file expired, ignoring >>> http://archive.debian.org/debian/dists/squeeze-lts/Release

Re: Bug#818843: debian-security-support: new earlyend type, consider future end of support

2016-03-21 Thread Markus Koschany
On 21.03.2016 at 00:38, Santiago Ruano Rincón wrote: > Package: debian-security-support > Severity: wishlist > Tags: -1 + patch > > Hi, > > Packages such as tomcat6 will get support until the end of 2016, at the > same time as Ubuntu LTS. To consider this kind of cases and warn the > user

Re: teaching people to ignore warnings is bad (Re: Archive of squeeze-lts ?)

2016-03-24 Thread Markus Koschany
Hi, On 25.03.2016 at 00:26, Holger Levsen wrote: > Hi, > > On Thu, Mar 24, 2016 at 07:26:22PM +0100, Markus Koschany wrote: >> squeeze-lts has been archived on archive.debian.org. The warning is >> valid and it reminds people that the support for Squeeze has ended. >&g

Re: Wiki update LTS/Using and EOL announcement

2016-03-01 Thread Markus Koschany
On 01.03.2016 at 13:16, Bonno Bloksma (list account) wrote: > Hi, > > On 2016-02-29 20:27, Paul Gevers wrote: >>> I know, but that is not what I meant. I meant (and wrote), upgrade via >>> wheezy. >> >> I think that (what you wrote earlier) would be a sensible recommendation to >> make. >> >>

[SECURITY] Debian 6 Squeeze has reached end-of-life

2016-03-01 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 The Debian Long Term Support (LTS) Team hereby announces that Debian 6 ("Squeeze") support has reached its end-of-life on February 29, 2016, five years after its initial release on February 6, 2011. There will be no further security support for

Re: Unsupported packages for Wheezy LTS

2016-03-01 Thread Markus Koschany
On 29.02.2016 at 18:04, Raphael Hertzog wrote: > On Mon, 29 Feb 2016, Markus Koschany wrote: >> Matthias Klose, the OpenJDK maintainer, stated that he intends to >> support OpenJDK 6 until Ubuntu 12.04 reaches EOL in April 2017 [1] and I >> think it should be feasible to

Re: Non-security uploads for wheezy-lts

2016-03-02 Thread Markus Koschany
On 01.03.2016 at 15:45, Scott Kitterman wrote: > I understand that the plan is not to create a separate package suite for > Wheezy as was done for Squeeze and to upload to wheezy-security instead. > How > are uploads that aren't strictly security uploads going to be handled? > > Specifically,

Re: Status report: Making OpenJDK 7 the default in Wheezy LTS

2016-04-01 Thread Markus Koschany
Hi Guido, On 01.04.2016 at 12:32, Guido Günther wrote: [...] > This all sounds reasonable to me. I wonder if we should prepare an update > repository before that to make testing simpler (or maybe do this via > backports)? I think the situation looks like that: 1. Changing the runtime

Re: Bug#818843: debian-security-support: new earlyend type, consider future end of support

2016-04-01 Thread Markus Koschany
On 29.03.2016 at 23:17, Santiago Ruano Rincón wrote: > On 21/03/16 at 18:00, Markus Koschany wrote: >> On 21.03.2016 at 00:38, Santiago Ruano Rincón wrote: > ... >>> Also, would it be better to have a separate list file for earlyend? >> >> Hi, >>

Status report: Making OpenJDK 7 the default in Wheezy LTS

2016-03-28 Thread Markus Koschany
Hi all, here is a summary about the current status of making OpenJDK 7 the default Java JRE / JDK in Wheezy-LTS. Intended changes === 1. Making OpenJDK 7 the default by updating src:java-common, so that default-jre and default-jdk will install OpenJDK 7 instead of OpenJDK

Announcing the start of Wheezy LTS

2016-04-21 Thread Markus Koschany
Hello Publicity Team, hello translation teams the Debian Long Term Support Team would like to announce the start of Wheezy LTS on 26 April 2016. I have committed our draft to https://anonscm.debian.org/cgit/publicity/announcements.git/commit/?id=d816ef401c55297904868a4b8d0b7f18d5bc9154 Justin B

Re: LTS Frontdesk duties

2016-04-21 Thread Markus Koschany
On 21.04.2016 at 16:33, Antoine Beaupré wrote: > On 2016-04-21 04:48:26, Raphael Hertzog wrote: [...] >> So I suggest you go ahead and do assignations. If you want to let >> people pick weeks by themselves, just do it for a few days and then >> arbitrarily assign the remaining weeks. > > I

Re: please post an announcement wrt wheezy-lts architectures

2016-04-27 Thread Markus Koschany
Hi, On 27.04.2016 at 17:26, Adam Borowski wrote: > Hi guys! > It looks like a vital piece of information is missing from Monday's news on > debian-announce: the list of architectures. If I'm reading this list's > archives right, it is amd64 i386 armhf armel. Yet what the public thinks > is

Re: Call for tests: Making OpenJDK 7 the default in Wheezy LTS

2016-04-25 Thread Markus Koschany
On 25.04.2016 at 11:41, Rene Engelhard wrote: > Hi, > > On Wed, Apr 20, 2016 at 06:22:51PM +0200, Markus Koschany wrote: >> I would like to ask everyone who uses Java in server or desktop >> environments to test their applications with OpenJDK 7 and to prepare >&g

Re: Call for tests: Making OpenJDK 7 the default in Wheezy LTS

2016-04-25 Thread Markus Koschany
On 25.04.2016 at 12:23, Holger Levsen wrote: > On Mon, Apr 25, 2016 at 12:17:52PM +0200, Markus Koschany wrote: >> I think in those cases it is reasonable to recommend to manually change >> build dependencies back to OpenJDK 6 because rebuilding a package does >> not

[SECURITY] [DLA 449-1] botan1.10 security update

2016-04-30 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: botan1.10 Version: 1.10.5-1+deb7u1 CVE ID : CVE-2014-9742 CVE-2015-5726 CVE-2015-5727 CVE-2015-7827 CVE-2016-2194 CVE-2016-2195 CVE-2016-2849 Several security vulnerabilities were

[SECURITY] [DLA 450-1] gdk-pixbuf security update

2016-04-30 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: gdk-pixbuf Version: 2.26.1-1+deb7u4 CVE ID : CVE-2015-7552 CVE-2015-7674 A heap-based buffer overflow has been discovered in gdk-pixbuf, a library for image loading and saving facilities, fast scaling and

Re: Wheezy update of sogo?

2016-05-18 Thread Markus Koschany
On 18.05.2016 at 21:01, Jeroen Dekkers wrote: > Hi Markus, > > Sorry for the late reply. This bug also isn't fixed in jessie, the > reason for this is that upstream isn't going to fix this for SOGo 2 > and earlier. The security bug is about the complete lack of CSRF > protection and implementing

Re: Wireshark in wheezy-lts

2016-05-23 Thread Markus Koschany
On 21.05.2016 at 16:31, Balint Reczey wrote: > Dear LTS Team, > > I would like to suggest (and volunteer for) back-porting > jessie-security's wireshark version to wheezy-lts. Hi Balint, FYI, Steffen Moeller is also currently working on a security update for wireshark (dla-needed.txt). Maybe

Wheezy update of sogo?

2016-05-09 Thread Markus Koschany
package before it gets released. Thank you very much. Markus Koschany, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://anonscm.debian.org/viewvc

Re: icu package and debdiff [new contributor, first attempt]

2016-05-09 Thread Markus Koschany
Hello Roberto, welcome on board! On 08.05.2016 at 05:34, Roberto C. Sánchez wrote: > Hi All, > > I'm still "in-training" and I thought I would attempt to prepare an > upload of the icu package for wheezy. > > The package is here: https://people.debian.org/~roberto/ > dsc -

Re: Wheezy update of ikiwiki?

2016-05-09 Thread Markus Koschany
On 08.05.2016 at 23:58, Simon McVittie wrote: [...] > Note that I haven't done any real-world testing on this version, because > I haven't run wheezy since around the time jessie was released, and my > production ikiwiki instances use the latest upstream release from > jessie-backports. t/img.t

Re: Wheezy update of ikiwiki?

2016-05-09 Thread Markus Koschany
On 09.05.2016 at 19:50, Simon McVittie wrote: [...] >> This used to work with the current version in Wheezy. Is this >> intentional or a regression? > > There was no option of that name in the current version in Wheezy. All > versions prior to last Friday effectively had the same behaviour as if

Re: Unsupported packages for Wheezy LTS

2016-05-12 Thread Markus Koschany
On 12.05.2016 at 15:16, Santiago Ruano Rincón wrote: [...] qemu qemu-kvm xen > xen will be supported. libvirt > > qemu and qemu-kvm were triaged as unsupported for CVE-2016-3712, but I > think Guido is studying how to support virtualisation related packages, > and maybe we

Re: libidn test packages [resent]

2016-05-17 Thread Markus Koschany
On 17.05.2016 at 16:59, Antoine Beaupré wrote: > Reducing CCs. > > On 2016-05-14 04:19:50, Brian May wrote: >> Antoine Beaupré writes: >> >>> I reviewed the patch quickly, nothing strikes me as completely wrong, >>> but I am not currently in a position to test the patchset.

Re: [Secure-testing-commits] r41743 - data/CVE

2016-05-17 Thread Markus Koschany
On 17.05.2016 at 16:49, Antoine Beaupré wrote: > On 2016-05-17 07:42:52, Santiago Ruano Rincón wrote: >> Thanks for triaging this. But, don't forget to update >> https://anonscm.debian.org/cgit/collab-maint/debian-security-support.git/tree/security-support-ended.deb7 >> when needed. > >

Draft for bits.debian.org regarding armel and armhf support

2016-05-15 Thread Markus Koschany
Hi all, since armel and armhf are de facto supported in Wheezy LTS now, I have drafted a short announcement for bits.debian.org in markdown. What do you think about the text? Title: Wheezy LTS with armel and armhf support Date: 2016-05-15 22:13 Author: Markus Koschany Tags: Wheezy, LTS Status

Icedove security update for Wheezy LTS

2016-05-13 Thread Markus Koschany
Hello Christoph, thanks for your Icedove security update. We usually send an e-mail to debian-lts-announce to make users aware of the changes. Do you want to take care of this yourself? Then please follow our workflow that we have outlined at

Re: Draft for bits.debian.org regarding armel and armhf support

2016-05-18 Thread Markus Koschany
On 18.05.2016 at 12:33, Raphael Hertzog wrote: > On Wed, 18 May 2016, Holger Levsen wrote: >> I just wondered whether we should also include the info that openjdk6 >> will very soon be deprecated and users should update to openjdk7? As >> evident from this list, even LTS contributors missed this

bits.debian.org: Wheezy LTS post about armel and armhf support

2016-05-18 Thread Markus Koschany
:51 Author: Markus Koschany Tags: Wheezy, LTS Status: draft Wheezy's [LTS](https://wiki.debian.org/LTS) period started a few weeks ago and more than thirty updates [have been announced](https://lists.debian.org/debian-lts-announce/) so far. Thanks to our sponsors and to the help from Debian's

Re: bits.debian.org: Wheezy LTS post about armel and armhf support

2016-05-18 Thread Markus Koschany
On 18.05.2016 at 16:18, Ana Guerrero Lopez wrote: > On Wed, May 18, 2016 at 03:56:00PM +0200, Markus Koschany wrote: >> Hi folks, >> >> the LTS team would like to make a short announcement on bits.debian.org. >> We think it is worth mentioning that armel and armhf are

[SECURITY] [DLA 451-1] openjdk-7 security update

2016-05-03 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: openjdk-7 Version: 7u101-2.6.6-2~deb7u1 CVE ID : CVE-2016-0636 CVE-2016-0686 CVE-2016-0687 CVE-2016-0695 CVE-2016-3425 CVE-2016-3426 CVE-2016-3427 Several vulnerabilities have been discovered in

[SECURITY] [DLA 452-1] smarty3 security update

2016-05-03 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: smarty3 Version: 3.1.10-2+deb7u1 CVE ID : CVE-2014-8350 Debian Bug : 765920 Smarty3, a template engine for PHP, allowed remote attackers to bypass the secure mode restrictions and execute arbitrary PHP code as

Debian LTS: uploaded packages to wheezy-security not available

2016-05-04 Thread Markus Koschany
Hi Ansgar, In preparation for the default Java switch I have uploaded more packages to wheezy-security yesterday and most of them are available in the archive now. However some of them never showed up there, although I made sure to build with -sa. I guess there is an issue with dak again. The

LTS updates not pushed to security mirrors

2016-05-01 Thread Markus Koschany
On 01.05.2016 at 10:38, Peter Palfrader wrote: [...] > The security mirror is current. Hi, I was informed that LTS updates are currently only pushed to the mirrors when the Security Team has issued a new DSA for it. Of course this is less than optimal but the ftp team is already aware of it. We

Sending LTS changes to debian-lts-changes

2016-05-02 Thread Markus Koschany
Hi Ansgar, thank you for fixing the mirror bug. Moritz Mühlenhoff informed us on IRC that accepted mails for LTS uploads are still sent to dak AT security.debian.org. Can you filter those mails so that they are sent to debian-lts-changes instead and if possible also to dispatch _AT_

Wheezy update of roundcube?

2016-05-02 Thread Markus Koschany
not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released. Thank you very much. Markus Koschany, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update

[SECURITY] default-java switch to OpenJDK 7 and java-common update

2016-05-04 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: java-common Version: 0.47+deb7u1 In preparation for the upcoming default-java switch to OpenJDK 7 on 26 June 2016, the java-common package was updated to inform users about the intended change. The news will be

[SECURITY] [DLA 449-2] botan1.10 regression update

2016-05-10 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: botan1.10 Version: 1.10.5-1+deb7u1 Debian Bug : 823297 The security update for botan1.10 caused a regression in monotone due to an ABI change. In order to fix this issue all reverse-dependencies of botan1.10 have been

Wheezy update of librsvg?

2016-05-04 Thread Markus Koschany
let us know whether you would like to review and/or test the updated package before it gets released. Thank you very much. Markus Koschany, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone

Re: About debian-security-support

2016-05-04 Thread Markus Koschany
On 04.05.2016 at 21:07, Raphael Hertzog wrote: [...] >> 2. Should it be uploaded to wheezy-security even if it doesn't fix any >> security fix? Or does the wheezy queue in ftp-master still work >> (with ftp-masters' participation)? > > We were aware that we would have some non-security

Re: Wheezy update of roundcube?

2016-05-03 Thread Markus Koschany
On 03.05.2016 at 17:49, Guilhem Moulin wrote: > On Tue, 03 May 2016 at 10:47:31 -0400, Antoine Beaupré wrote: >> I agree, however I suspect most people using roundcube in production are >> probably using the backport... There's even a dangling backport in >> wheezy right now (0.9)... a little

Re: Please remove non-lts architectures from wheezy-security

2016-05-03 Thread Markus Koschany
Hello Tom, On 03.05.2016 at 18:23, Tom Turelinckx wrote: > Hello Markus, > > Jessie is not available for sparc. True. sparc64 is the only non-official release architecture that comes somewhat close. > > My /etc/apt/sources.list looks like this: > > deb http://ftp.be.debian.org/debian wheezy

Re: Wheezy update of roundcube?

2016-05-03 Thread Markus Koschany
On 03.05.2016 at 18:37, Moritz Muehlenhoff wrote: > On Tue, May 03, 2016 at 06:28:03PM +0200, Markus Koschany wrote: >> The second best solution would be to backport either the 1.0.x branch or >> your jessie-backport packages to Wheezy. Since you actively maintain >> them, w

Re: Announcing Wheezy LTS via debian-security-announce

2016-04-19 Thread Markus Koschany
On 19.04.2016 at 21:27, Moritz Mühlenhoff wrote: > On Tue, Apr 19, 2016 at 09:00:17PM +0200, Markus Koschany wrote: >> For Debian 7 "Wheezy" LTS there will be no requirement to add a separate >> wheezy-lts suite to your sources.list any more and your current setup >>

Announcing Wheezy LTS via debian-security-announce

2016-04-19 Thread Markus Koschany
Hi security team, only one week to go and I thought it would be a good idea to draft an announcement for next Tuesday that should be sent to debian-security-announce and debian-lts-announce. I suggest that we coordinate the content of the last / first security announcement for Wheezy / Wheezy

wheezy-security to wheezy-lts transition

2016-04-20 Thread Markus Koschany
Hello ftp team, as you already know Wheezy LTS is going to start on 26 April. Is there anything that we can do to assist you in the process of enabling us to work with the current wheezy-security distribution? Our last information was that the switch would be "easy" [1] but in case there is

Re: LTS Frontdesk duties

2016-04-21 Thread Markus Koschany
On 21.04.2016 at 08:18, Santiago Ruano Rincón wrote: > Hi all, > > We need to schedule the next cycles of Frontdesk duties. I don't know if > Raphaël wants to do it (with his Freexian's hat on?), but we could also > take the slots by ourselves. I am up to be on Frontdesk next week (25-04 > to

Wheezy update of ikiwiki?

2016-05-07 Thread Markus Koschany
the updated package before it gets released. Thank you very much. Markus Koschany, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https

Re: Wheezy update of ikiwiki?

2016-05-07 Thread Markus Koschany
On 07.05.2016 at 22:38, Simon McVittie wrote: > On Sat, 07 May 2016 at 20:52:16 +0200, Markus Koschany wrote: >> the Debian LTS team would like to fix the security issues which are >> currently open in the Wheezy version of ikiwiki: >> https://security-tracker.debian.org/

[SECURITY] [DLA 555-1] python-django security update

2016-07-21 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: python-django Version: 1.4.5-1+deb7u17 CVE ID : CVE-2016-6186 Debian Bug : 831799 It was discovered that Django, a high-level Python web development framework, is prone to a cross-site scripting vulnerability in

[SECURITY] [DLA 561-1] uclibc security update

2016-07-26 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: uclibc Version: 0.9.32-1+deb7u1 CVE ID : CVE-2016-2224 CVE-2016-2225 CVE-2016-6264 Several vulnerabilities have been discovered in uClibc, an implementation of the standard C library that is much smaller than glibc,

[SECURITY] [DLA 562-1] gosa security update

2016-07-26 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: gosa Version: 2.7.4-4.3~deb7u3 CVE ID : CVE-2015-8771 GOsa² is a combination of system-administrator and end-user web interface, designed to handle LDAP based setups. A code injection vulnerability in the Samba
