Hello,
On Fri, 24 May 2019, PICCORO McKAY Lenz wrote:
> well seems the ExLTS don't ask for money .. the packages are freely
> available and so are the sources. so merging them into the debian archive is not a problem!
The reason why Wheezy Extended LTS packages are not in the Debian
repositories is because Debian was not i
Hi,
On Tue, 09 Jul 2019, Jonas Meurer wrote:
> 1. Upload packages targeted at LTS suites to some dedicated place for
>automated testing
> 2. Run automatic tests (piuparts, autopkgtests, lintian?, ...)
> 3. If tests passed, publish the packages somewhere to do manual
>testing (and reviews)
Hi,
On Sun, 14 Jul 2019, Roberto C. Sánchez wrote:
> My inclination is to add the 3.26.2 patch to the nss in jessie.
> However, I wanted to ask before making that change in the event that
> there is a reason the change should not be made.
>
> Do you have any insight you can add here?
I don't rem
Hi,
On Thu, 29 Aug 2019, Moritz Mühlenhoff wrote:
> The upstream link makes it sound as if they are one of those upstreams
> which reject the idea of distributions shipping an older release to
> a stable distro. For a tool like radare2 that seems fair enough, so
> how about simply excluding it fro
(Note: pkg-security@tracker.d.o is not a valid email, dropped)
Hi,
On Thu, 29 Aug 2019, Holger Levsen wrote:
> > In general, we (Debian) don't have a good answer to this problem and
> > virtualbox is clearly a bad precedent. We really need to find a solution
> > to this in concertation with the r
Hi,
On Fri, 30 Aug 2019, Pirate Praveen wrote:
> Fast Track repo works exactly like current backports except the packages
> are added from unstable (or experimental during transitions and freeze)
> as they cannot go to testing and hence to current backports.
>
> As Paul noted earlier, backports t
On Fri, 30 Aug 2019, Alexander Wirt wrote:
> There were several discussions over the last years. And yes, our vision of
> backports does not match the vision of those fastpace/not ready for
> stable/whatever you call them repos. In our vision debian-backports consists
> of new (tested, as in "is in
Hi,
On Fri, 30 Aug 2019, Alexander Wirt wrote:
> > We're not speaking of crap software, we're just speaking of software that
> > can't be maintained multiple years by backports of security patches, where
> > we get fixes only with new upstream versions (mixed with new features).
> I don't want to
Hi,
On Mon, 30 Sep 2019, Sylvain Beucler wrote:
> From what I understand there was a training during July and August,
> resulting in active status this month.
> I saw zero traces of this training&review besides a passing anonymous
> mention in Raphael's reports.
> Possibly we can clarify this a li
Hi,
On Sun, 06 Oct 2019, Markus Koschany wrote:
> Yes, there is a (DNS) problem with the server right now. We are aware of
> it and hope it will be fixed within the next 24 hours. Apologies for any
> inconvenience caused.
Server is back online. It had a problem with its network filesystem.
Chee
Hi,
(Sylvain, please cc me if you want me to read something in any timely fashion)
On Thu, 07 Nov 2019, Sylvain Beucler wrote:
> Raphael, given that this package is low popcon and the vulnerability is
> fuzzy, do you know if the sponsor for this package would be willing to
> test fixes?
The spon
Hi,
On Wed, 20 May 2020, Holger Levsen wrote:
> > Is the "Find upstream developers who are willing to work on LTS support"
> > still relevant? It lists packages such as Xen, which I thought were
> > already dealt with.
>
> yes and yes, xen is being taken care of atm. I've updated the TODO page.
Hello,
On Mon, 19 Oct 2020, Antoine Cervoise wrote:
> I'm not familiar with how to report security issues regarding packages
> under LTS/Extended LTS support.
LTS and ELTS have very different organizations. LTS has a public contact
point (here on this list) but ELTS doesn't have any since it's (o
Hi,
On Wed, 25 Nov 2020, Utkarsh Gupta wrote:
> Sensing there's an agreement by others here, let's drop and announce
> this as EOL'ed then?
For LTS, definitely, yes. For ELTS, it's a bit more complicated since each
customer pays for their package list and as you noted, mongodb is among
those. I'l
Hello,
On Wed, 25 Nov 2020, Sylvain Beucler wrote:
> Consequently I believe we're not in a position to offer MongoDB security
> support in LTS nor ELTS, and we need to drop it from our supported packages.
>
> What do you think?
I think that you are right if you believe that we have no influence
Hi,
On Tue, 19 Jan 2021, Robert Edmonds wrote:
> There is an unfixed issue in Unbound 1.9.0 (#962459 / #973052) that
> affects some users (I have not been able to reproduce it). Upstream has
> invested some time in helping the Debian maintainers track down
> potential combinations of commits from
Hi,
On Fri, 12 Feb 2021, Carles Pina i Estany wrote:
> When I was discussing this with a friend I had thought if Debian could
> make available and visible for the users some metrics, contextualised in
> similar (per functionality) packages:
That would certainly be useful to expose, yes!
But many
Hello Moritz,
On Fri, 16 Apr 2021, Moritz Mühlenhoff wrote:
> > These source package sets come to mind:
> > - node-*
>
> That would be super-noisy and will potentially clash with a lot of local
> package state.
Do you consider it noisy due to the possible clash with local packages?
Or are both
On Mon, 17 May 2021, Utkarsh Gupta wrote:
> > Where do you think I should include this tool and what should I name it to?
>
> Hm, nice question :P
> Probably here: https://salsa.debian.org/freexian-team?
I would say https://salsa.debian.org/lts-team/ rather...
Cheers,
--
⢀⣴⠾⠻⢶⣦⠀ Raphaël Her
Hi,
On Mon, 23 Aug 2021, Lucas Nussbaum wrote:
> Is there a rsync mirror that could be used to sync dists/?
Not currently, no. I could look into adding it but I might not want
to make it publicly accessible. I don't really want to make it easy
to have public mirrors while ELTS has a very limited
[ Ccing debian-release in case they have some advice / concerns to express ]
Hello LTS team,
it would be nice if we could get an update of debian-archive-keyring
in stretch to add the bullseye key just like it has been done in buster a
while ago:
https://tracker.debian.org/news/1236764/accepted-d
Hi Utkarsh,
On Tue, 14 Sep 2021, Utkarsh Gupta wrote:
> On Thu, Aug 26, 2021 at 12:33 AM Utkarsh Gupta wrote:
> > > The missing key creates problems for example with simple-cdd:
> > > https://bugs.debian.org/992966
> >
> > Okay, I'll be happy to do the update. Though I wonder if it'd rather
> > b
Hello,
On Wed, 03 Aug 2022, Sylvain Beucler wrote:
> OpenStack: we tend not to support openstack beyond upstream's support, but
> I'm having a hard time associating the components version with OpenStack's
> major version; possibly other openstack packages (horizon, manila,
> neutron...) are concer
Hello Abhijith and the LTS team,
in Kali we have applied the last ruby-active* security updates and this
broke the web API part of autopkgtest.kali.org.
Specifically line 51 in
/usr/share/rubygems-integration/all/gems/activerecord-5.2.2.1/lib/active_record/coders/yaml_column.rb
makes a call to YA
Hello,
On Thu, 08 Sep 2022, Abhijith PA wrote:
> On 07/09/22 11:10 AM, Raphael Hertzog wrote:
> > Hello Abhijith and the LTS team,
> >
> > in Kali we have applied the last ruby-active* security updates and this
> > broke the web API part of autopkgtest.kali.org.
>
Hi,
On Tue, 13 Sep 2022, Abhijith PA wrote:
> > Yes, that'd make sense. I'll start a separate thread for
> > CVE-2022-32224. Roll back for now so there's no regression at least.
>
> I've disabled patch for CVE-2022-32224. Also tested against redmine.
> Looks good for me. Can you give a smoke tes
Hello Chris,
thanks for the report. Everything should be fixed now.
Cheers,
On Mon, 10 Oct 2022, Chris Lamb wrote:
> Hi friends,
>
> I noticed that some of the URLs on the ELTS instructions page are now
> outdated:
>
> https://www.freexian.com/lts/extended/docs/how-to-use-extended-lts/
>
>
Hi,
On Thu, 16 Mar 2023, Emilio Pozuelo Monfort wrote:
> The result is an improved pipeline with better support for both LTS and
> ELTS. [1]
Great work Emilio!
It would be nice to have all this properly documented in
https://lts-team.pages.debian.net
I'm also curious to know if you think that
Hello Roberto,
On Thu, 14 Mar 2024, Roberto C. Sánchez wrote:
> Santiago and I are in agreement that at the moment the best available
> option is to use dla-needed.txt even for tracking work that needs to
> happen after the DLA is released, specifically working toward an upload
> to (old)stable.
Hi,
On Sat, 23 Mar 2024, Roberto C. Sánchez wrote:
> In any event, I am happy to work towards reinitializing the Salsa issues
> experiment to start again in April and then see how it goes from there.
>
> What do you think?
It's a pity that nobody else responded... I'm no longer involved in
day-t
Hello,
On Tue, 09 Apr 2024, Ola Lundqvist wrote:
> Let me use some data from CVEs for last year 2023.
> I used the following method to extract the data
> grep -B 5 '\[buster\]' list | grep -A 5 "^CVE-2023-" | grep '\[buster\]'
> and then grepped for the end-of-life, not-affected (and so on to coun
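The grep pipeline quoted above depends on the `[buster]` line sitting within five lines of its `CVE-2023-` header and the header within five lines of the `[buster]` line. As an added example (not code from the thread, from Ola, or from the security-tracker project), here is a small parser of the `data/CVE/list` format that attributes every suite line to its header regardless of how many NOTE lines sit in between, then counts the triage statuses per suite and CVE year. The excerpt it runs on is constructed sample data in the list format; the CVE identifiers in it are fictional placeholders, not real entries.

```python
"""Count per-suite triage statuses in the security tracker's data/CVE/list.

Added illustration, not code from the thread or the security-tracker
repository. The list format has a CVE header at column 0 followed by
tab-indented lines; suite-specific lines look like
"[buster] - pkg <end-of-life> (reason)" or "[buster] - pkg 1.2-3+deb10u1".
"""
import re
from collections import Counter

CVE_RE = re.compile(r"^(CVE-(\d{4})-\d{4,})")
SUITE_RE = re.compile(r"^\s+\[(?P<suite>[a-z-]+)\]\s+-\s+(?P<pkg>\S+)\s*(?P<rest>.*)$")
STATUS_RE = re.compile(r"<(?P<status>[a-z-]+)>")

# Constructed sample in the tracker's list format; the CVE IDs are fictional.
SAMPLE_LIST = "\n".join([
    "CVE-2023-900001 (constructed: heap overflow in a hypothetical parser)",
    "\t- examplepkg 1.4-2",
    "\t[bookworm] - examplepkg <no-dsa> (Minor issue)",
    "\t[bullseye] - examplepkg <no-dsa> (Minor issue)",
    "\t[buster] - examplepkg <end-of-life>",
    "CVE-2023-900002 (constructed: path traversal)",
    "\t- otherpkg 2.0-1",
    "\t[buster] - otherpkg <not-affected> (Vulnerable code introduced later)",
    "CVE-2023-900003 (constructed: denial of service)",
    "\t- examplepkg <unfixed>",
    "\tNOTE: upstream discussion",
    "\tNOTE: reproducer available",
    "\tNOTE: fix pending review",
    "\tNOTE: related to the first entry above",
    "\tNOTE: tracker link",
    "\t[buster] - examplepkg <postponed> (Minor issue, fix along with next update)",
    "CVE-2023-900004 (constructed: already fixed in buster)",
    "\t- thirdpkg 3.1-1",
    "\t[buster] - thirdpkg 3.0-2+deb10u1",
    "CVE-2022-900005 (constructed: previous-year entry)",
    "\t- examplepkg 1.3-1",
    "\t[buster] - examplepkg <end-of-life>",
])


def parse_suite_entries(text):
    """Yield (cve, year, suite, package, status) for every suite-specific line.

    A suite line carrying a version instead of a <status> tag means the issue
    was fixed in that suite, so it is reported as "fixed".
    """
    cve = year = None
    for line in text.splitlines():
        m = CVE_RE.match(line)
        if m:
            cve, year = m.group(1), int(m.group(2))
            continue
        if cve is None:
            continue
        m = SUITE_RE.match(line)
        if not m:
            continue
        s = STATUS_RE.search(m.group("rest"))
        status = s.group("status") if s else "fixed"
        yield cve, year, m.group("suite"), m.group("pkg"), status


def count_statuses(text, suite, year):
    """Counter of status -> number of suite annotations for CVEs of `year`."""
    counts = Counter()
    for _cve, y, s, _pkg, status in parse_suite_entries(text):
        if s == suite and y == year:
            counts[status] += 1
    return counts


if __name__ == "__main__":
    for status, n in sorted(count_statuses(SAMPLE_LIST, "buster", 2023).items()):
        print(f"{status:14} {n}")
```

The third sample entry puts six lines between the header and its `[buster]` line, which a `grep -B 5` window would not connect to the header; the parser tracks the current header explicitly, so that entry is counted as `postponed`. Run against the real `list` file by reading it into `text` instead of `SAMPLE_LIST`.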
Hi,
On Wed, 10 Apr 2024, Ola Lundqvist wrote:
> > Some package maintainers will typically decide to fix it via a point
> > release. But they rarely update the triaging to document "postponed" or
> > "ignored". So that's why it's up to the LTS team to make that call
> > when we are (alone) in charg
Hello Ola,
On Fri, 12 Apr 2024, Ola Lundqvist wrote:
> I see three:
> 1) copy secteam decision and move on to the next package (I guess
> remove from dla-needed)
> 2) copy secteam decision for most of them, but fix the ones with fedora
> patches
> 3) dive in and start developing (that will take q
Hi,
On Mon, 22 Apr 2024, Yadd wrote:
> Let's upload 2.4.59-1~deb10u1 ?
You might want to hold off until Thursday. Santiago requested help for a
review and Bastien Roucaries said that he would do it tomorrow
(Wednesday).
Santiago also sent your updated package through our buster ELTS staging
infr
Hello Julien,
have a look at https://lists.debian.org/debian-lts-announce/
There's an unsubscription form.
Cheers,
On Tue, 16 Jul 2024, Julien dif wrote:
> Hello,
>
> How could I unsubscribe from this list ?
>
> Thank you !
> Regards,
> Julien
>
> Le lun. 1 juil. 2024 à 03:25, Daniel Leidert
Hi,
On Tue, 09 Aug 2016, Holger Levsen wrote:
> so I need to read the upstream changelog between 1.4.5 and 1.4.22 to
> find out why?
This update does fix bugs but not security bugs that would have warranted
a DLA on their own... it's just easier for us to work on the latest 1.4.x
release and make
Hi Markus,
On Wed, 20 Jul 2016, Markus Koschany wrote:
> Feel free to work on everything you like. Fixing CVE-2014-9587 together
> with CVE-2016-4069 isn't strictly required but you could probably reuse
> some of your work if you try to tackle these issues. In any case the
> whole CSRF complex requ
On Thu, 08 Sep 2016, Moritz Muehlenhoff wrote:
> And please add that to the checklist/onboarding process of new people working
> on Freexian/LTS.
I have put myself a note to review the internal documentation to ensure we
have something about this. It would be good to have something in the wiki
as
Hi Ivan,
On Thu, 08 Sep 2016, Ivan Kohler wrote:
> We should make arrangements to have PostgreSQL internals expertise
> available, in the contingency that we need to do our own backport of any
> critical security problems during this 1.5yr period. We might also
> consider collaborating with ot
Hello Marc,
On Fri, 09 Sep 2016, Marc SCHAEFER wrote:
> RT 4.0 will also reach EOL on February 15, 2017.
> http://lists.bestpractical.com/pipermail/rt-announce/2016-September/000293.html
> Will the LTS team support it, provide an upgrade path, or drop it?
By default, when we don't do any explicit
Hi,
On Sun, 11 Sep 2016, Brian May wrote:
> > I have put myself a note to review the internal documentation to ensure we
> > have something about this. It would be good to have something in the wiki
> > as well.
> >
> > Anyone should feel free to do it before I find the time to do it.
>
> I had a
Hi,
On Wed, 14 Sep 2016, Brian May wrote:
> CVE-2015-7554 / http://bugzilla.maptools.org/show_bug.cgi?id=2564
>
> Duplicate:
>
> CVE-2016-5318 / http://bugzilla.maptools.org/show_bug.cgi?id=2561
>
> What would be considered an acceptable fix here? It looks like a proper
> fix is not available w
On Thu, 15 Sep 2016, Brian May wrote:
> Salvatore Bonaccorso writes:
>
> > Minor comment: if you are sure that those are duplicates you might try
> > to contact MITRE to made them aware.
>
> I was just going based on what others have said, e.g. in the linked
> reports. Would hope that one of the
On Thu, 15 Sep 2016, Brian May wrote:
> What does the TIFFReadDirectoryFindFieldInfo function do? What
> situations is TIFFReadDirectoryFindFieldInfo unsuccessful?
I don't know.
> You could perhaps mitigate by requiring an extra parameter that declares
> the number of options you are parsing, how
Hi,
On Mon, 03 Oct 2016, Adrian Bunk wrote:
> > I'd suggest to use 6:0.8.18-1+deb7u3 because it's the third update of
> > that package within Debian 7.
>
> The version number should not depend on whether 0.8.18 was ever
> in unstable.
Where do you get that rule from?
There's lots of bikesheddin
On Thu, 06 Oct 2016, Adrian Bunk wrote:
> I gave the a rationale in the following paragraph:
>
> In the general case it is even possible that the package was removed
> from unstable, but later someone ITPs 6:0.8.18-1 into unstable. At that
> point the version in oldstable would be higher tha
Hi,
On Thu, 06 Oct 2016, Adrian Bunk wrote:
> On Thu, Oct 06, 2016 at 06:16:37PM +0200, Raphael Hertzog wrote:
> > On Thu, 06 Oct 2016, Adrian Bunk wrote:
> >...
> > > Do you have any rationale why you think -1~deb7u1 would be better
> > > than -0+deb7u1?
>
On Fri, 07 Oct 2016, Adrian Bunk wrote:
> > So while it has been used it's not the only one in use in the context
> > of the security team.
>
> It is a different version numbering than the MySQL 5.5 case because it
> is a different situation.
>
> This OpenJDK DSA is not a packaging of a new vers
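The disagreement in the messages above is about how a wheezy update of a new upstream release should sort against a possible later upload of the same upstream version to unstable. As an added example (not code from the thread or from dpkg), here is a re-implementation of the version comparison algorithm from Debian Policy section 5.6.12, enough to check the three candidate schemes mentioned above (`-1+deb7u3`, `-0+deb7u1` and `-1~deb7u1`) against a hypothetical unstable upload `6:0.8.18-1`; the unstable version string is an assumption taken from Adrian's scenario, not a real upload.

```python
"""Debian version comparison (Policy 5.6.12) for the version strings
discussed in the thread.

Added illustration, not code from the thread or from dpkg; it
re-implements the documented algorithm so the orderings can be checked
without a Debian system at hand.
"""
import functools
import re


def _char_weight(c):
    """Sort weight of one character in a non-digit fragment.

    '~' sorts before everything, even the end of the string; letters sort
    before non-letters; otherwise plain ASCII order. End of string is
    weight 0 in _cmp_nondigit().
    """
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        wa = _char_weight(a[i]) if i < len(a) else 0
        wb = _char_weight(b[i]) if i < len(b) else 0
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def _cmp_fragment(a, b):
    """Compare two upstream_version or debian_revision strings.

    Alternates a non-digit run (lexical, via _cmp_nondigit) with a digit
    run (numeric, so "09" equals "9") until both strings are consumed.
    """
    while a or b:
        na = re.match(r"\D*", a).group()
        nb = re.match(r"\D*", b).group()
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"\d*", a).group()
        db = re.match(r"\d*", b).group()
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def split_version(v):
    """Return (epoch, upstream_version, debian_revision).

    A missing epoch is 0; a missing revision is equivalent to "0".
    """
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, "0"
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, like dpkg --compare-versions lt / eq / gt."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def sort_versions(versions):
    """Sort version strings from lowest to highest."""
    return sorted(versions, key=functools.cmp_to_key(compare_versions))


def sorts_below_unstable(candidate, unstable):
    """True if an LTS candidate version stays below the given unstable version."""
    return compare_versions(candidate, unstable) < 0


if __name__ == "__main__":
    # Hypothetical later unstable upload of the same upstream release.
    unstable = "6:0.8.18-1"
    for v in ("6:0.8.18-1+deb7u3", "6:0.8.18-0+deb7u1", "6:0.8.18-1~deb7u1"):
        print(v, "below", unstable, "->", sorts_below_unstable(v, unstable))
```

Of the three, only `-0+deb7u1` and `-1~deb7u1` sort below a later `-1` upload to unstable; `-1+deb7u3` sorts above it, which is the situation Adrian's scenario warns about. The `~deb7u1` form additionally sorts below a plain `-1` because `~` sorts before the end of the string.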
Hi,
On Thu, 27 Oct 2016, Santiago Vila wrote:
> On Wed, Oct 26, 2016 at 01:43:00PM -0400, Antoine Beaupré wrote:
>
> > I am not sure how to perform tests against tre, [...]
>
> Well, the package included a test suite, but I had it disabled for a
> long time because (I think) there was a test w
Hi,
On Thu, 27 Oct 2016, Roberto C. Sánchez wrote:
> https://security-tracker.debian.org/tracker/TEMP-0836171-53B142
> https://bugs.debian.org/836171
>
> The diff that addresses this issue is here:
> https://github.com/ImageMagick/ImageMagick/commit/10b3823a7619ed22d42764733eb052c4159bc8c1
This
Hello,
I just finished preparing new version of tiff/tiff3 packages.
One of the patch has not been officially acked by upstream yet
(cf http://bugzilla.maptools.org/show_bug.cgi?id=2580 )
and thus I would like some user testing before I release
the DLA to make sure that my changes do not have unex
Hi,
On Mon, 31 Oct 2016, Antoine Beaupré wrote:
> First, I have found the patch to be a bit noisy... There seems to be
> gratuitous changes to already existing patches that I can't
> explain.
It's just due to "gbp pq" usage. Looks like the last set of patches
have been added without using it whil
On Fri, 04 Nov 2016, Chris Lamb wrote:
> Guido Günther wrote:
>
> > Isn't this also affected by a rebinding attack since we allow any host
> > in debug mode?
>
> If it helps, speaking as a regular Django developer, if you've got
> ``settings.DEBUG`` enabled in production you have much bigger prob
On Wed, 23 Nov 2016, Brian May wrote:
> I noticed that Asterisk was marked EOL for Debian squeeze; just wondered
> what the reasons were, and if these reasons apply to wheezy?
The reasons were just that it's a non-trivial package to support. It
tends to have regular security issues and upstream su
Hi,
On Tue, 22 Nov 2016, Ola Lundqvist wrote:
> All of them are related to heap overflow that "can potentially cause
> arbitrary code execution".
> This is a security problem, but the question is how important it is.
>
> The crash is a DoS problem, but my guess that from that perspective the
> wor
Hi,
On Sun, 20 Nov 2016, Markus Koschany wrote:
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of libgc:
> https://security-tracker.debian.org/tracker/CVE-2016-9427
I have prepared an updated package (it required lots of manual
backpor
Hi Ola,
On Thu, 24 Nov 2016, Ola Lundqvist wrote:
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of w3m:
> https://security-tracker.debian.org/tracker/CVE-2016-9621
> https://security-tracker.debian.org/tracker/CVE-2016-9625
> https://s
Hi Hugo,
how far are you with the triaging?
On Fri, 04 Nov 2016, Guido Günther wrote:
> > I wasn't aware that Xen was embedding QEMU (what a weird idea !?).
>
> I triaged the current ones (thankfully we don't have 9pfs in that
> version) up to CVE-2016-8669 and will check with the xen guys on ho
Hello,
On Sat, 24 Sep 2016, Chris Lamb wrote:
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of irssi:
> https://security-tracker.debian.org/tracker/CVE-2016-7553
After further review, I opted to tag this no-dsa meaning that we will
not
On Fri, 25 Nov 2016, Rhonda D'Vine wrote:
> > After further review, I opted to tag this no-dsa meaning that we will
> > not handle the issue by ourselves. This information leak is only
> > problematic when you run irssi on a multi-user machine and
> > when you use /upgrade.
>
> That's correct.
Th
On Fri, 25 Nov 2016, Ola Lundqvist wrote:
> I did not want to tag them no-dsa (without further analysis) due to the
> following:
And you expected that further analysis to be done by whoever would pick
the package? In that case, you could have left a comment along the lines
of "security team tagged
Hi,
On Fri, 25 Nov 2016, Ola Lundqvist wrote:
> Thank you for the information that it is glibc that "protect". Do we know
> that glibc in wheezy do this or is this a more recent thing?
AFAIK glibc does not "protect", it adds canaries to detect when it happens,
but it cannot avoid them. And it det
Hi,
On Mon, 28 Nov 2016, Roberto C. Sánchez wrote:
> Quite right:
> http://people.debian.org/~roberto/imagemagick_6.7.7.10-5+deb7u7_6.7.7.10-5+deb7u8.diff
Some comments:
- since we have no git history, it's nice to indicate in each patch what
CVE it fixes (I like to name the patch according to
On Tue, 29 Nov 2016, Roberto C. Sánchez wrote:
> Hi Raphael,
>
> On Tue, Nov 29, 2016 at 12:14:10PM +0100, Raphael Hertzog wrote:
> > Hi,
> >
> > On Mon, 28 Nov 2016, Roberto C. Sánchez wrote:
> > > Quite right:
> > > http://people.debian.org/~rob
On Thu, 01 Dec 2016, Ben Hutchings wrote:
> Would it make sense to add a Bug header field to patches, e.g.:
> Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE--
> or:
> Bug-Debian-Security:
> https://security-tracker.debian.org/tracker/CVE--
> ?
I don't have any
On Tue, 29 Nov 2016, Antoine Beaupré wrote:
> I wonder if we should standardize something about this.
>
> I usually name security patches with the following scheme:
> debian/patches/CVE--(-commithash)?.patch
I use CVE--(-patchnumber)?.patch as some issues require multiple
patches
Hi Roberto,
On Thu, 15 Dec 2016, Roberto C. Sánchez wrote:
> @@ -1704,7 +1704,7 @@
> char path[256];
> char* myPath = path;
> const char* resPath = resB->fResPath;
> -int32_t len = resB->fResPathLen;
> +int32_t len = uprv_min(resB->fRe
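Review bot: the replacement line clamps len with uprv_min(), but the hunk is cut off on this page before the second argument, so the bound it clamps to cannot be checked here. Given `char path[256];` and `char* myPath = path;` two lines above, the clamp needs to be against the buffer size with room left for the terminating NUL, and whatever later copies resPath into path must cope with len now being silently shorter than resB->fResPathLen rather than assume the whole path was copied. Worth confirming both points in the full patch.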
Hello,
I started to work on fixing jbig2dec/wheezy for
https://security-tracker.debian.org/tracker/CVE-2016-9601 but
the patch that allegedly fixes the current issue is rather invasive
and while looking at the git history you will quickly see
that almost all the changes since the version that we
Hello Matthias,
On Thu, 26 Jan 2017, Matthias Geerdsen wrote:
> we noticed a possible regression in an update to libtiff4 which leads to
> corrupted image files when using ImageMagick/GraphicsMagick mogrify
> command to apply jpeg compression to a tiff image. I have briefly
> described the problem
On Thu, 26 Jan 2017, Raphael Hertzog wrote:
> But I have currently no idea of what the problem really is. And upstream
> has not yet merged any similar change to what we have done. At least
> has not yet merge any similar change to what we have done. At least
> https://github.com/vadz/libtiff/blob/master/libtiff/tif_dirinfo.c shows
> neither PREDICTOR nor
On Thu, 26 Jan 2017, Raphael Hertzog wrote:
> This code thus assumes that the list of known tags only contains a single
> tag per unique fip->field_bit and this is no longer the case with
> the patches we added:
> - CVE-2014-8128-5-fixed.patch
> - CVE-2016-5318_CVE-2015-7554.
On Fri, 27 Jan 2017, Matthias Geerdsen wrote:
> > The full upload is available:
> > $ dget
> > https://people.debian.org/~hertzog/packages/tiff3_3.9.6-11+deb7u3_amd64.changes
>
> I took your patched libtiff4 and tested several images and compression
> schemes using ImageMagick and GraphicsMagick
Hello,
for various reasons, I did not manage to spend all my work hours on
in February. I only worked for 3h40 during which I finalized
DLA 693-2 fixing a regression in libtiff (the upload was tiff 4.0.2-6+deb7u10).
This time also includes some "over-hours" that I spent at the end of
January to act
Hello,
sorry for the delay...
On Tue, 31 Jan 2017, Luciano Bello wrote:
> On Thursday, 26 January 2017 21:05:46 EST Ola Lundqvist wrote:
> > > I started to work on fixing jbig2dec/wheezy for
> > > https://security-tracker.debian.org/tracker/CVE-2016-9601 but
> > > the patch that allegedly fixes t
Hello Moritz,
On Sun, 12 Mar 2017, Moritz Mühlenhoff wrote:
> > So as long as we ensure that we don't break Ghostscript and MuPDF I think
> > we are good enough.
> >
> > Shall I go ahead and prepare some test packages?
>
> Please do.
Please find packages for Jessie here:
https://people.debian.o
Hello Chris,
On Mon, 20 Mar 2017, Chris Lamb wrote:
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of git:
> https://security-tracker.debian.org/tracker/source-package/git
>
> Would you like to take care of this yourself?
Did you chec
On Tue, 21 Mar 2017, Ola Lundqvist wrote:
> What default shell was used?
No change on the default shell, so bash.
> The default shell has impacted this kind of things before.
Sometimes I wonder from where you get your ideas. This speculation
doesn't seem to be backed by anything.
Cheers,
--
R
Hello Moritz,
On Thu, 23 Mar 2017, Moritz Mühlenhoff wrote:
> > Please find packages for Jessie here:
> > https://people.debian.org/~hertzog/packages/jbig2dec_0.13-4~deb8u1_amd64.changes
[...]
> > Can I upload the jessie packages to security-master?
>
> Thanks, please upload.
Done.
Uploading to
Hi,
On Tue, 21 Mar 2017, Raphael Hertzog wrote:
> I tried to checkout https://github.com/njhartwell/pw3nage while having
> bash-completion loaded and with a PS1 containing $(__git_ps1 2>/dev/null)
> or $(__git_ps1 " (%s)") and was unable to get any code execution.
>
Hello,
I recently assigned myself "tiff" and noticed that the CVEs were
not properly tracked against "tiff3" (older version of the same codebase,
available only in wheezy). I asked the security team if there was a reason
to this and got this answer (on IRC):
we don't actively triage versions only
On Tue, 28 Mar 2017, Moritz Muehlenhoff wrote:
> I'd suggest a cron job running once or twice per day, which keeps
> a table of (current source package name / old source package name(s))
> and adds SOURCEPACKAGE for the older source package.
> These can then be set to or after manual
> triage.
Hello,
during February I worked 15 hours on LTS (spending my 10 allocated hours
and catching up roughly 5 of the 7 hours remaining from February). During
this time I did the following:
- released DLA-866-1 on libxslt 1.1.26-14.1+deb7u3 fixing CVE-2017-5029
- prepared the jbig2dec update for jessi
Hi Jörg,
On Sat, 25 Feb 2017, Jörg Frings-Fürst wrote:
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Wheezy version of sane-backends:
> > https://security-tracker.debian.org/tracker/CVE-2017-6318
> >
> > Would you like to take care of this yours
Hello,
I prepared an updated version of slurm-llnl to fix CVE-2016-10030 which
is a rather severe issue even if it only applies to some rare cases (when there's
a prolog script and when the attacker can make it fail).
While I'm relatively confident that I have correctly backported the patch,
I have
Hello,
On Mon, 27 Mar 2017, Michael Shuler wrote:
> On 03/25/2017 03:32 AM, Paul Wise wrote:
> > Hi all,
> >
> > I note that there have been some CA removals and additions that would
> > be nice to have in wheezy, in particular the ISRG Root for LE, thoughts?
>
> I need to fix up the jessie PU
Hi,
On Fri, 12 May 2017, Chris Lamb wrote:
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of openvpn:
> https://security-tracker.debian.org/tracker/source-package/openvpn
I have just prepared an update based on the upstream patches pos
On Fri, 12 May 2017, Alberto Gonzalez Iniesta wrote:
> From a quick review, the patches you applied are basically the ones in my
> package, so I guess they must be OK. I only have one OpenVPN server
> running Wheezy these days but I cannot test this until tomorrow (under
> heavy use right now). If
On Sun, 14 May 2017, Alberto Gonzalez Iniesta wrote:
> Just tested Raphael's package on my Wheezy server and it works for
> me (tm).
Thanks, I uploaded the package and will send the DLA as soon as the package
is accepted.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https:/
Dear maintainer(s),
The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of lrzip:
https://security-tracker.debian.org/tracker/CVE-2017-8844
Would you like to take care of this yourself?
If yes, please follow the workflow we have defined here:
Hello Christian,
The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of swftools:
https://security-tracker.debian.org/tracker/CVE-2017-8400
https://security-tracker.debian.org/tracker/CVE-2017-8401
Would you like to take care of this yourself?
Dear maintainer(s),
The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of libsndfile:
https://security-tracker.debian.org/tracker/source-package/libsndfile
Would you like to take care of this yourself?
If yes, please follow the workflow we ha
Hello Kevin,
The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of tnef:
https://security-tracker.debian.org/tracker/CVE-2017-8911
Would you like to take care of this yourself?
If yes, please follow the workflow we have defined here:
https://
Hello Maximiliano and other KDE maintainer(s),
The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of kde4libs:
https://security-tracker.debian.org/tracker/source-package/kde4libs
Would you like to take care of this yourself?
If yes, please fo
Hi,
On Mon, 22 May 2017, Kevin Coyner wrote:
> logistics of the move, having to sell furniture, etc. If it is OK, I'd
> like to impose on the LTS team to take care of this update. Please let me
> know if this is OK and I'll be up for the task next time around.
Yes, it's fine. The package might
Hello Andreas and other libtasn maintainers,
The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of libtasn1-3:
https://security-tracker.debian.org/tracker/CVE-2017-6891
Would you like to take care of this yourself?
If yes, please follow the w
Hello Jörg,
The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of libonig:
https://security-tracker.debian.org/tracker/source-package/libonig
Would you like to take care of this yourself?
If yes, please follow the workflow we have defined her
Dear maintainer(s),
The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of pngquant:
https://security-tracker.debian.org/tracker/CVE-2016-5735
Would you like to take care of this yourself?
If yes, please follow the workflow we have defined her
Hi,
On Thu, 25 May 2017, Jörg Frings-Fürst wrote:
> I have the "wheezy-security" update ready, upload it this evening to
> mentors and mail it to my mentor.
You can just give us the URL here and someone will take care of the
upload and of drafting/sending the DLA.
It will likely not be me as I'm
Hello,
we have a very large number of CVE on autotrace which has been dropped
from all Debian releases except wheezy. The package is not used by any
LTS sponsor and its popcon is rather low (~400 but with 35 active users
only).
It's in Suggests of imagemagick and fontforge, and in a non-default O
On Mon, 29 May 2017, Guido Günther wrote:
> > https://security-tracker.debian.org/tracker/source-package/autotrace
>
> Agreed.
I updated the git repository of debian-security-support. Shall we release
an update of that package?
Do we want to send a DLA to announce this?
Cheers,
--
Raphaël Hert