Package: apache2
Version: 2.2.16-6+squeeze14
CVE ID : CVE-2013-5704 CVE-2014-3581
This update fixes two security issues with apache2.
CVE-2013-5704
Disable the possibility to replace HTTP headers with HTTP trailers
as this could be used to circumvent earlier
Package: getmail4
Version: 4.46.0-1~deb6u1
CVE ID : CVE-2014-7273 CVE-2014-7274 CVE-2014-7275
Debian Bug : 766670
Several vulnerabilities have been discovered in getmail4, a mail retriever
with support for POP3, IMAP4 and SDPS, that could allow man-in-the-middle
Package: bsd-mailx
Version: 8.1.2-0.20100314cvs-1+deb6u1
CVE ID : CVE-2014-7844
It was discovered that bsd-mailx, an implementation of the mail
command, had an undocumented feature which treats syntactically valid
email addresses as shell commands to execute.
Users who
Package: heirloom-mailx
Version: 12.4-2+deb6u1
CVE ID : CVE-2004-2771 CVE-2014-7844
Two security vulnerabilities were discovered in Heirloom mailx, an
implementation of the mail command:
CVE-2004-2771
mailx interprets shell meta-characters in certain email
On Mon, 26 May 2014, Moritz Muehlenhoff wrote:
Details are probably best discussed privately but I would like something
Please CC t...@security.debian.org for the initial discussion.
OK.
There should be specific benefits to companies involved, e.g.
companies participating should be able
On Mon, 26 May 2014, Raphael Hertzog wrote:
That's difficult to judge. If someone compiles a list of all DSAs in 2014
for squeeze (minus the ones which are unsupported in squeeze-lts) we can
make a rough estimation based on that.
I'll see if I can come up with something.
BTW, did you
Hi,
On Tue, 27 May 2014, Guido Günther wrote:
On Mon, May 26, 2014 at 09:09:17PM +0200, Raphael Hertzog wrote:
[..snip..]
That said, the number of DSA is interesting but maybe there are DSA that
have been skipped that we should have done. And if we get more workforce,
maybe we can further
On Tue, 27 May 2014, Moritz Muehlenhoff wrote:
On Mon, May 26, 2014 at 10:54:42PM +0200, Raphael Hertzog wrote:
On Mon, 26 May 2014, Raphael Hertzog wrote:
That's difficult to judge. If someone compiles a list of all DSAs in
2014
for squeeze (minus the ones which are unsupported
Hello,
On Tue, 22 Apr 2014, Ansgar Burchardt wrote:
On 2014-04-11 13:49, Philipp Kern wrote:
* Suite in Release should be set to squeeze-lts, not to oldstable-lts. Such
a suite should not be tied to the progression of releases, as it's
explicitly living separately. Any new release that
Hello,
as you probably know Freexian has been paying some Debian contributors to work
on Debian LTS (thanks to the support of multiple sponsors). As part of
the transparency rules we set up, there's a requirement to report back
regularly of how the money has been spent. The first report got
Hi,
some updates:
On Wed, 10 Sep 2014, Raphael Hertzog wrote:
* Holger Levsen: [48]July / [49]August
49. http://layer-acht.org/thinking/blog/20140819-lts-august-2014/
This moved to
http://layer-acht.org/thinking/blog/20140909-lts-august-2014/ since I
posted the article...
To have
Hello,
while triaging CVE affecting Debian Squeeze I came on glassfish:
https://security-tracker.debian.org/tracker/source-package/glassfish
From what I gathered, Oracle doesn't provide any useful information to
apply a targeted fix on the current package. The 2.1.x branch is also
no longer
Hi Emmanuel,
On Mon, 22 Sep 2014, Emmanuel Bourg wrote:
Glassfish is an important package for the Java ecosystem as it provides
JavaEE specification APIs used to build many other packages.
The CVEs reported are most likely related to the complete application
server which is almost unused
On Mon, 13 Oct 2014, Steven McDonald wrote:
Thanks. For future reference, should I contact the person who prepared
the buggy release directly? The reason I posted to this list was based
on the instructions on the wiki:
https://wiki.debian.org/LTS/Development#Report_Bugs
If there's a
On Tue, 14 Oct 2014, Thijs Kinkhorst wrote:
I'm missing the announcement on d-l-announce. Just in case anybody
wants to verify why there is an update of apt, but no announce mail
available.
For the record, this announcement should be numbered DLA 58-2.
I'll take care of it.
Cheers,
--
) which has no reverse
dependencies in squeeze. So you might want to mark that one
as not supported as well.
Thank you!
On Mon, 22 Sep 2014, Holger Levsen wrote:
Hi,
adding the security team to the loop :)
On Montag, 22. September 2014, Raphael Hertzog wrote:
while going through the list
Hello,
I have prepared a new upload of apache2 to fix CVE-2014-3581 and
CVE-2013-5704 in squeeze-lts. The debdiff is attached and I have put amd64
package for test online. Grab them with dget
https://people.debian.org/~hertzog/packages/apache2_2.2.16-6+squeeze14_amd64.changes
(contains arch amd64
Hello Paul,
On Mon, 20 Oct 2014, Paul Allen wrote:
Right, but what about the patch for adding TLS_FALLBACK_SCSV? And the
other vulnerabilities that were patched in 0.9.8zc?
I believe that Kurt Roeckx k...@roeckx.be (one of the openssl
maintainers in Debian) intends to upload a package with
Hi,
On Fri, 17 Oct 2014, Cedric Knight wrote:
For wheezy, security updates appear in the Security Updates section of
the main view of the aptitude package manager. However, on servers
using deb http://ftp.uk.debian.org/debian/ squeeze-lts main contrib,
security updates are not distinguished
Hello Michael,
On Mon, 27 Oct 2014, Michael Vogt wrote:
Thanks a lot for testing the update. I uploaded the fixed version into
the squeeze-lts queue now and I hope it will get accepted as an
update. I am not entirely sure how cases like this are handled as it's
not a security update and not
[ Courtesy repost of
http://raphaelhertzog.com/2014/11/12/freexians-third-report-about-debian-long-term-support/
]
Like [44]last month, here comes a report about the work of [45]paid
contributors to [46]Debian LTS.
Individual reports
In October 2014, we affected 13.75h work hours to
Hello,
I have prepared a new version of dbus for squeeze-lts that fixes 3 CVE:
dbus (1.2.24-4+squeeze3) squeeze-lts; urgency=medium
.
* Security upload by the Debian LTS team.
* CVE-2014-3477: Backport patch from upstream to fix a denial of service
(failure to obtain bus name) in
[ Courtesy repost of
http://raphaelhertzog.com/2014/12/11/freexians-fourth-report-about-debian-long-term-support/
]
Like [44]each month, here comes a report about the work of [45]paid
contributors to [46]Debian LTS.
Individual reports
In November 42.5 work hours have been equally
Hello dear maintainer(s),
the Debian LTS team recently reviewed the security issue(s) affecting your
package in Squeeze:
https://security-tracker.debian.org/tracker/source-package/dokuwiki
We decided that we would not prepare a squeeze security update (usually
because the security impact is low
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of your package:
https://security-tracker.debian.org/tracker/CVE-2014-3596
https://security-tracker.debian.org/tracker/CVE-2012-5784
Would you like to take care of
Hi,
On Thu, 19 Feb 2015, Paul Gevers wrote:
On 19-02-15 08:38, Christoph Biedl wrote:
Thanks for that, given the past experiences with regressions
introduced in file updates I'd really like to keep an eye on it.
Just an idea, couldn't we track somewhere which maintainers have
expressed
, 28 Jan 2015, Raphael Hertzog wrote:
On Wed, 28 Jan 2015, Thijs Kinkhorst wrote:
It seems at least from my perspective that the LTS team is a loosely
defined consortium of individuals which makes sharing the embargoed
information problematic. If I have an embargoed issue I think there's
Hello,
On Tue, 27 Jan 2015, Matus UHLAR - fantomas wrote:
- Try to backport fixes based on the 5.5.x interdiffs (since Oracle
publishes no detailed bug details). Complicated, but could be done
in collaboration with Red Hat, RHEL 6 is also based on MySQL 5.1.
* Raphael Hertzog:
Do we
Hello Sébastien,
On Tue, 27 Jan 2015, Sebastien Dupas wrote:
Due to the announce of the GHOST security flaw, we need to update our
systems using Debian squeeze.
Do you plan to release the security update of the eglibc and related
packages?
Of course we do! That said the current LTS team
Package: python-django
Version: 1.2.3-3+squeeze12
CVE ID : CVE-2015-0219 CVE-2015-0220 CVE-2015-0221
Multiple security issues have been found in Django:
https://www.djangoproject.com/weblog/2015/jan/13/security/
For Debian 6 Squeeze, they have been fixed in version
[ CC Florian due to his relationship with RedHat ]
Hi Moritz,
On Wed, 21 Jan 2015, Moritz Muehlenhoff wrote:
Possible solutions:
- End of life for mysql in Debian LTS (but massive reverse deps)
This is not something acceptable. mysql is one of those key packages
that a majority of companies
Hi,
On Thu, 15 Jan 2015, Nguyen Cong wrote:
Could any one please review it and give me some comments.
I include my comments below but for your next contributions, I would like
you to also prepare the small paragraph of explanation that we need to put
in the announce that we send to
Hi,
On Mon, 02 Feb 2015, Matt Palmer wrote:
On Sun, Feb 01, 2015 at 09:49:15AM -0800, Noah Meyerhans wrote:
Let me know if I should go ahead with this upload, or if anything else
is needed.
You should not go ahead with this upload.
diff -Nru spamassassin-3.3.1/debian/changelog
Hello Christoph,
On Sun, 15 Feb 2015, Christoph Biedl wrote:
Nguyen Cong wrote...
I would like to send the debdiff file for file package.
Could any one please review it and give me some comments.
NACK. This does not fix the issue or introduces a new one.
Can we please avoid NACK and
Hello,
I'm going to attend Debconf this year and it would be nice if we could
make use of this opportunity to strengthen the LTS team/project.
In particular, it would be nice if we could get face to face with
the stable security team to see how we can get closer in terms of workflow
so that
Hello Gerrit,
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of checkpw:
https://security-tracker.debian.org/tracker/CVE-2015-0885
Would you like to take care of this yourself? We are still understaffed so
any help is always highly
Hello,
Moritz Mühlenhoff told me that you did consider libhtp/suricata
unusable in wheezy and planned to ask for the removal of the package
in wheezy. Because of that, the security team ignores the currently
open CVE against those packages.
On Tue, 17 Mar 2015, Arturo Borrero Gonzalez wrote:
Are there non-backwards compatible changes that will cause problems to
users if we pursue that path?
I don't know actually.
But I would say: that doesn't matter at this point. An outdated
suricata is like an outdated antivirus, users
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of tcpdump:
https://security-tracker.debian.org/tracker/CVE-2015-2155
https://security-tracker.debian.org/tracker/CVE-2015-2154
Hello Emmanuel,
On Tue, 24 Feb 2015, Emmanuel Bourg wrote:
CVE-2011-3923 seems to be a Struts vulnerability, why is it assigned to
Spring?
I asked Salvatore Bonaccorso car...@debian.org to review this since
he confirmed that assignation a while ago... he double checked and
it was a mistake
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of gnupg:
https://security-tracker.debian.org/tracker/source-package/gnupg
Additionally gnupg2 could also benefit from an update to fix some
issues that have been
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of gnutls26:
https://security-tracker.debian.org/tracker/CVE-2014-8155
https://security-tracker.debian.org/tracker/CVE-2015-0294
Would you like to take care of this
Hello Moritz,
I saw that you marked (in commit 32723[1]) libhtp and suricata as no-dsa
on the ground that they are unusable in wheezy and that they will be
removed.
However I don't have any details about how this assessment has been made
and I'm interested to know to have an idea whether it
Hello Abel,
On Tue, 10 Mar 2015, Abel Guzman wrote:
I have been trying to remove my self from this list for months. It just does
not work. Please help me.
Did you try the unsubscription form at
https://lists.debian.org/debian-lts/ ?
And/or the instructions at the bottom of each mail:
To
Hello dear maintainer(s),
the Debian LTS team recently reviewed the security issue(s) affecting your
package in Squeeze:
https://security-tracker.debian.org/tracker/CVE-2015-0886
We decided that we would not prepare a squeeze security update (usually
because the security impact is low and that
Hello dear maintainer(s),
the Debian LTS team recently reviewed the security issue(s) affecting your
package in Squeeze:
https://security-tracker.debian.org/tracker/source-package/macchanger
We decided that we would not prepare a squeeze security update (usually
because the security impact is
Hello dear maintainer(s),
the Debian LTS team recently reviewed the security issue(s) affecting your
package in Squeeze:
https://security-tracker.debian.org/tracker/CVE-2015-1545
We decided that we would not prepare a squeeze security update (usually
because the security impact is low and that
Hello Laszlo,
I'm wondering whether CVE-2015-1609 is affecting the squeeze version. The
code base is vastly different between 1.4.4 and the current supported
releases.
The upstream announcement mentions that it affects all production releases
but 1.4.4 is not part of the current production releases
Hello dear maintainer(s),
the Debian LTS team recently reviewed the security issue(s) affecting your
package in Squeeze:
https://security-tracker.debian.org/tracker/source-package/tcllib
We decided that we would not prepare a squeeze security update (usually
because the security impact is low
On Thu, 12 Mar 2015, Olivier Bonvalet wrote:
Well they're mounted as ext4 filesystems, but affected systems seem to
be only old lenny which were upgraded to squeeze. So, it's probably
related to some format option.
In that case, you might want to compare the output of dumpe2fs between one
Hi,
On Mon, 30 Mar 2015, Markus Koschany wrote:
I have recently started to investigate whether I could fix some open LTS
issues and discovered the entry for libspring-2.5-java. According to
https://security-tracker.debian.org/tracker/source-package/libspring-2.5-java
there is no open
Hi,
On Wed, 01 Apr 2015, Jeremy Davis wrote:
My suspicion is that gaining further support may be easier if you do a
bit of a rally call now (rather than waiting until Wheezy EOL). I think
it's worth letting people know that Wheezy-LTS is a realistic
possibility but needs more support
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of libxfont:
https://security-tracker.debian.org/tracker/CVE-2015-1802
https://security-tracker.debian.org/tracker/CVE-2015-1803
Hello dear maintainer(s),
the Debian LTS team recently reviewed the security issue(s) affecting your
package in Squeeze:
https://security-tracker.debian.org/tracker/CVE-2014-9687
https://security-tracker.debian.org/tracker/CVE-2011-1833 (an old one)
We decided that we would not prepare a squeeze
Hello dear maintainer(s),
the Debian LTS team recently reviewed the security issue(s) affecting your
package in Squeeze:
https://security-tracker.debian.org/tracker/source-package/redmine
We decided that we would not prepare a squeeze security update (usually
because the security impact is low
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of your package:
https://security-tracker.debian.org/tracker/source-package/eglibc
Would you like to take care of this yourself?
If yes, please follow the workflow
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of your package:
https://security-tracker.debian.org/tracker/source-package/freetype
Would you like to take care of this yourself?
If yes, please follow the
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of your package:
https://security-tracker.debian.org/tracker/CVE-2014-9680
https://security-tracker.debian.org/tracker/CVE-2014-0106
(the latter has been ignored
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of your package:
https://security-tracker.debian.org/tracker/CVE-2014-9679
Would you like to take care of this yourself?
If yes, please follow the workflow we have
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of your package:
https://security-tracker.debian.org/tracker/source-package/icu
Would you like to take care of this yourself?
If yes, please follow the workflow we
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of your commons-httpclient:
https://security-tracker.debian.org/tracker/CVE-2012-6153
It would be nice if you could take care of this update as
the package is not
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of mod-gnutls:
https://security-tracker.debian.org/tracker/source-package/mod-gnutls
Would you like to take care of this yourself? We are still understaffed so
any
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of p7zip:
https://security-tracker.debian.org/tracker/CVE-2015-1038
Would you like to take care of this yourself? We are still understaffed so
any help is always
Hi,
On Thu, 26 Feb 2015, Nguyen Cong wrote:
So if you want to help with CVE triaging, you're welcome!
How can I join this work as well? I am already a member of the Alioth project.
Is there anything else I have to do like register or something like that?
Since you already have write access to the
Hi,
On Fri, 30 Jan 2015, Laura Arjona Reina wrote:
Perhaps, clarification as to what exactly is the purpose of the list,
could be helpful, so that users of Debian 6 LTS, would know that the
mailing list is not for the benefit of users of Debian 6 LTS; for
discussion and resolution of
On Thu, 29 Jan 2015, Moritz Mühlenhoff wrote:
Also, patches should be signed off with your real name instead
of iesdebian.
And it's better to give patches a descriptive name instead of keeping
the default name generated by dpkg-source. It might be easier to achieve
if you use quilt directly
Hello,
I prepared an update of gnutls26 for squeeze:
$ dget
https://people.debian.org/~hertzog/packages/gnutls26_2.8.6-1+squeeze5_amd64.changes
This version seems to work for me. I was able to verify that CVE-2015-0294
is fixed with the test case at
Hello everybody,
I just wanted to let you know that the slides of the LTS talk I gave on
Sunday are available:
https://wiki.debian.org/DebianEvents/fr/2015/Minidebconf?action=AttachFile&do=get&target=debian-lts-presentation.pdf
You can also watch the full presentation here:
Hi,
On Tue, 21 Apr 2015, James McCoy wrote:
I'm still going through build and test, but I should have something
ready in the next day or two.
Debdiff attached. Can someone handle the upload and DLA announcement?
Yes, doing it now. The DLA is ready and the package is building.
Thank you
Hello Alessandro,
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of curl:
https://security-tracker.debian.org/tracker/CVE-2015-3143
https://security-tracker.debian.org/tracker/CVE-2015-3148
Would you like to take care of this yourself?
On Tue, 21 Apr 2015, Bálint Réczey wrote:
FTR the package has been accepted on the same day. However I have not seen
DLA-198-1 on debian-lts-announce@l.d.o (did you forget to sign it?).
I tried sending it several times even after subscribing the list but
they did not go through.
I have
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of libxml2:
https://security-tracker.debian.org/tracker/source-package/libxml2
Would you like to take care of this yourself? We are still understaffed so
any help
Hello Antonio,
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of ruby1.8:
https://security-tracker.debian.org/tracker/CVE-2015-1855
Would you like to take care of this yourself? We are still understaffed so
any help is always highly
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of libxml-libxml-perl:
https://security-tracker.debian.org/tracker/source-package/libxml-libxml-perl
Would you like to take care of this yourself? We are still
Package: qt4-x11
Version: 4:4.6.3-4+squeeze3
CVE ID : CVE-2013-0254 CVE-2015-0295 CVE-2015-1858 CVE-2015-1859
CVE-2015-1860
Debian Bug : 779550 783133
This update fixes multiple security issues in the Qt library.
CVE-2013-0254
The QSharedMemory
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of mercurial:
https://security-tracker.debian.org/tracker/CVE-2014-9462
https://security-tracker.debian.org/tracker/CVE-2014-9390 (optional, is
tagged no-dsa)
Would
On Thu, 07 May 2015, Thorsten Alteholz wrote:
On Thu, 7 May 2015, Raphael Hertzog wrote:
Altering the orig source might be OK but the upstream version should
reflect that it has been altered by Debian. The convention we tend to use
is to append +ds (debian specific) and not inventing a fake .1
Hello David,
the Debian LTS team recently reviewed the security issue(s) affecting your
package in Squeeze:
https://security-tracker.debian.org/tracker/CVE-2015-3880
We decided that we would not prepare a squeeze security update (usually
because the security impact is low and that we concentrate
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of hostapd:
https://security-tracker.debian.org/tracker/source-package/hostapd
Would you like to take care of this yourself? We are still understaffed so
any help
Hello Simon,
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of dnsmasq:
https://security-tracker.debian.org/tracker/CVE-2015-3294
(but there are other lower severities issues also open see
Hello Wouter,
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of nbd:
https://security-tracker.debian.org/tracker/CVE-2015-0847
Would you like to take care of this yourself? We are still understaffed so
any help is always highly
Hello Nguyen,
Sorry for the delay, this update fell through the cracks. Don't hesitate
to ping us when we don't respond in a timely fashion.
On Mon, 19 Jan 2015, Nguyen Cong wrote:
I would like to send debdiff of libvncserver package for reviewing.
Could any one please review it and give me
Hello Marco Emanuele,
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of ppp:
https://security-tracker.debian.org/tracker/source-package/ppp
Would you like to take care of this yourself? We are still understaffed so
any help is always
Hello Christoph,
On Tue, 17 Feb 2015, Raphael Hertzog wrote:
I indeed forgot about that this time. So go ahead.
Nguyen already replied to you[1] to inform you that you can go ahead
and that he discarded his work. I updated dla-needed.txt to put your name.
You're still listed as taking care
[ Moving it to -lts to continue the discussion ]
Hi,
On Thu, 16 Apr 2015, Stuart Prescott wrote:
cf http://wiki.debian.org/LTS
There is an on-going confusion in the wider Debian community about whether
squeeze is still supported or EOL.
Where did you notice any confusion?
The
On Wed, 15 Apr 2015, Nguyen Cong wrote:
Thank you very much for uploading my work.
Did you base your work on the patches that have been released in the
wheezy update?
In fact, most of my work is based on information from this:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762745
Ok.
Hi,
On Tue, 14 Apr 2015, Neil McGovern wrote:
Diff attached! There's not a particular problem, I was trying to work
out the audience. We can be more blunt with developers than in an
official announcement from the project.
Thanks, merged into https://titanpad.com/x9keVJLExl
The only part that
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of inspircd:
https://security-tracker.debian.org/tracker/source-package/inspircd
Would you like to take care of this yourself? We are still understaffed so
any help
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of libtasn1-3:
https://security-tracker.debian.org/tracker/CVE-2015-2806
Would you like to take care of this yourself? We are still understaffed so
any help is
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of ntp:
https://security-tracker.debian.org/tracker/CVE-2015-1798
https://security-tracker.debian.org/tracker/CVE-2015-1799
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of subversion:
https://security-tracker.debian.org/tracker/CVE-2015-0248
https://security-tracker.debian.org/tracker/CVE-2015-0251
(there are other lower severity
Hi,
On Fri, 10 Apr 2015, Kurt Roeckx wrote:
On Fri, Apr 10, 2015 at 11:05:47PM +0200, Raphael Hertzog wrote:
Would you like to take care of this yourself? We are still understaffed so
any help is always highly appreciated.
You really don't have patience do you?
I do, but contacting
On Fri, 10 Apr 2015, Kurt Roeckx wrote:
On Fri, Apr 10, 2015 at 11:33:22PM +0200, Raphael Hertzog wrote:
I do, but contacting maintainers is just part of the workflow of CVE
triage we defined for Debian LTS. Sorry if this mail bothered you. Is
there a way to do it that would have been
Hello Balint,
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of wireshark:
https://security-tracker.debian.org/tracker/CVE-2015-3811
I see it's already fixed in wheezy in 1.8.2-5wheezy16, do you plan to
upload 1.8.2-5wheezy16~deb6u1 in
Package: libapache-mod-jk
Version: 1:1.2.30-1squeeze2
CVE ID : CVE-2014-8111
Debian Bug : 783233
An information disclosure flaw due to incorrect JkMount/JkUnmount
directives processing was found in the Apache 2 module mod_jk to forward
requests from the Apache web
On Tue, 09 Jun 2015, Markus Koschany wrote:
I see that you requested sponsorship. Shall I go ahead and upload it and
send the DLA? Or do you prefer to handle the DLA yourself?
please go ahead. Thank you.
Uploaded and DLA sent.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian
Hi,
On Wed, 10 Jun 2015, Vincent Fourmond wrote:
I have sent it to the mailing list, but for some reason, I'm unsure
it actually made it there (doesn't show up in the archive, but the
archive doesn't seem to get updated either). Did you get it ?
I did not get it. Was it PGP signed?
If yes,
Hi Sven,
On Tue, 26 May 2015, Sven Eckelmann wrote:
I'd like to upload the attached patch to squeeze-lts to fix #786785
(CVE-2015-3885). The security team marked this one as no-dsa (therefore also
no DLA).
Actually, it's the LTS team who marked it that way, but we follow the
decision of the
Hi,
On Wed, 27 May 2015, Sven Eckelmann wrote:
In any case, I reviewed your debdiff and it looks good. Feel free to
proceed with the upload and the release of the DLA to
debian-backports-annou...@lists.debian.org.
If you need sponsorship, please let us know.
Thanks for all the
On Tue, 26 May 2015, László Böszörményi (GCS) wrote:
I can do it myself, I've the build system for Squeeze as well. My
only question is if it should be an NMU or am I allowed to change the
maintainer? At least the former would be a bit strange for me as I'm
the actual maintainer, why should I