Re: icu package and debdiff [new contributor, first attempt]

2016-06-20 Thread Roberto C . Sánchez
this case. In the unlikely case that they are > totally hostile, you have to use your own judgment but I don't expect > that to happen. > Thanks very much for the feedback. I will do as you suggest and request that upstream review the patches. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com

Re: icu package and debdiff [new contributor, first attempt]

2016-05-09 Thread Roberto C . Sánchez
Hi Markus, On Mon, May 09, 2016 at 05:09:30PM +0200, Markus Koschany wrote: > Hello Roberto, welcome on board! > Thanks! > Am 08.05.2016 um 05:34 schrieb Roberto C. Sánchez: > > Hi All, > > > > I'm still "in-training" and I thought I would attempt to pre

Re: icu package and debdiff [new contributor, first attempt]

2016-05-12 Thread Roberto C . Sánchez
Hi Antoine, On Mon, May 09, 2016 at 05:09:30PM +0200, Markus Koschany wrote: > Hello Roberto, welcome on board! > > Am 08.05.2016 um 05:34 schrieb Roberto C. Sánchez: > > > I pulled the patch for CVE-2015-4844 from the upstream jdk8u project > > (based on the commit

Re: icu package and debdiff [new contributor, first attempt]

2016-05-13 Thread Roberto C . Sánchez
ything just yet. ;) > That works for me. I'm busy enough that I won't be offended if you don't get back to me for a few days :-) Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com signature.asc Description: Digital signature

icu package and debdiff [new contributor, first attempt]

2016-05-07 Thread Roberto C . Sánchez
repository, but it appears to not have been fixed upstream yet. I built the package in a wheezy chroot, signed the resulting package, and uploaded it (along with the debdiff between the prior version and my updated package) to the above location. Regards, -Roberto -- Roberto C. Sá

Re: Icedtea plugin

2016-07-31 Thread Roberto C . Sánchez
he control file is autogenerated). > > Thoughts? > > If no-one objects, I will upload that soon. > It looks good to me. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com signature.asc Description: Digital signature

Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling

2016-08-02 Thread Roberto C . Sánchez
here is likely a reasonable difference between files like .bash_history (which are meant to be used/accessed only by the creating user) and files which are possibly or likely to be shared amongst a group of users. This case seems to be of the latter form. Regards, -Roberto -- Roberto C. Sánchez

[SECURITY] [DLA 543-1] sqlite3 security update

2016-07-05 Thread Roberto C . Sánchez
Package: sqlite3 Version: 3.7.13-1+deb7u3 CVE ID : CVE-2016-6153 It was discovered that sqlite3, a C library that implements a SQL database engine, would reject a temporary directory (e.g., as specified by the TMPDIR environment variable) to which the executing user did

[SECURITY] [DLA 545-1] icu security update

2016-07-07 Thread Roberto C . Sánchez
Package: icu Version: 4.8.1.1-12+deb7u4 CVE ID : CVE-2015-2632 CVE-2015-4844 CVE-2016-0494 Several security issues have been identified and corrected in ICU, the International Components for Unicode C and C++ library, in Debian Wheezy. CVE-2015-2632 Buffer overflow

Re: icu package and debdiff [new contributor, first attempt]

2016-07-07 Thread Roberto C . Sánchez
On Mon, Jun 20, 2016 at 06:57:22AM -0400, Roberto C. Sánchez wrote: > Hi Markus, > > Thanks very much for the feedback. I will do as you suggest and request > that upstream review the patches. > I received a favorable response from upstream, so I have uploaded the ICU packag

Should bind9 be marked no-dla?

2016-07-08 Thread Roberto C . Sánchez
://security-tracker.debian.org/tracker/CVE-2016-6170 -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com signature.asc Description: Digital signature

Re: Should bind9 be marked no-dla?

2016-07-09 Thread Roberto C . Sánchez
eone else has claimed it first. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com signature.asc Description: Digital signature

Re: find-work script no longer working on stable

2016-08-09 Thread Roberto C . Sánchez
'`. > : :' : Chris Lamb > `. `'` la...@debian.org / chris-lamb.co.uk >`- > -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com signature.asc Description: Digital signature

Re: Wheezy LTS - apt error with recent apache2 update - monit issue?

2016-07-22 Thread Roberto C . Sánchez
ckages cause the problems you are seeing. You could look at the packages in the list and decide if you need to back up the configurations and then purge them completely. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com signature.asc Descript

sqlite3 package and debdiff [new-ish contributor, second attempt]

2016-07-02 Thread Roberto C . Sánchez
ad. I would appreciate it if someone could review my work and confirm that I have the next steps correct. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com diff -Nru sqlite3-3.7.13/debian/changelog sqlite3-3.7.13/debian/changelog --- sqlite3-3.7.13/debi

Re: Wheezy update of icu?

2016-08-17 Thread Roberto C . Sánchez
On Sun, Jul 24, 2016 at 04:26:20PM -0400, Roberto C. Sánchez wrote: > FYI, I did the last LTS update of ICU earlier this month, so I think I > will be able to easily prepare another update. I went ahead and claimed > it in dla-needed.txt, but if the maintainer or someone else would like

RFC - pleast test php5 (5.4.45-0+deb7u7), ready for upload

2017-02-03 Thread Roberto C . Sánchez
AFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT* ** -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com signature.asc Description: Digital signature

Wheezy update of libevent?

2017-02-03 Thread Roberto C . Sánchez
the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of libevent updates for the LTS releases. Thank you very much. Roberto C. Sánchez, on behalf of the Debian LTS team. PS: I have already registered

Re: RFC - pleast test php5 (5.4.45-0+deb7u7), ready for upload

2017-02-06 Thread Roberto C . Sánchez
As I've not received any feedback on the below RFC, I intend to make the upload in ~12 hours. Regards, -Roberto On Fri, Feb 03, 2017 at 06:57:13PM -0500, Roberto C. Sánchez wrote: > Greetings all, > > I have finished preparing an LTS upload of php5 (5.4.45-0+deb7u7) and > you

LTS Report for January 2017

2017-02-02 Thread Roberto C . Sánchez
an additional patch, verified fix, and ensured unit test passed - CVE-2016-3142, CVE-2016-4342, CVE-2016-9934, CVE-2016-9935, CVE-2016-10158: integrated/backported upstream fixes, verified fixes, and ensured unit tests passed Regards, -Roberto -- Roberto C. Sánchez

Re: Wheezy update of libevent?

2017-02-10 Thread Roberto C . Sánchez
take it over in dla-needed.txt as well. Best of luck. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com signature.asc Description: Digital signature

Re: Security update of PHP 5.4?

2016-08-23 Thread Roberto C . Sánchez
vant, possibly others: > > https://bugs.php.net/bug.php?id=70436 > > https://bugs.php.net/bug.php?id=72681 > > Has anyone™ had a chance to look at these? I can commit to taking a look a these in the next day or so. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com

LTS Report for August 2016

2016-09-05 Thread Roberto C . Sánchez
to explain with a bit of detail. Regards, -Roberto -- Roberto C. Sánchez

Re: Wheezy update of icu?

2016-09-06 Thread Roberto C . Sánchez
I actually sent my August report yesterday where I mentioned that this is nearly complete :-) I just have to build the package, sign it, and then publish the DLA. I should be able to get to it in the next day or so. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com

Re: Wheezy update of icu?

2016-09-07 Thread Roberto C . Sánchez
Good point. I have attached the patch to this email. I intend to upload tonight or tomorrow (the last few days have been quite busy and I am playing catch up). Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com Description: fix

Re: Wheezy update of icu?

2016-09-08 Thread Roberto C . Sánchez
com/show_bug.cgi?id=1373462 > NOTE: http://www.openwall.com/lists/oss-security/2016/09/06/2 > Thanks for the explanation. It looks like someone already annotated icu, so I will keep this in mind for next time. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com

Re: Wheezy update of icu?

2016-09-07 Thread Roberto C . Sánchez
ill. Regards, -Roberto [0] https://wiki.debian.org/LTS/Development [1] https://security-tracker.debian.org/tracker/ -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com

Re: Questions regarding MySQL update

2016-09-14 Thread Roberto C . Sánchez
ed in a very detailed and methodical way in the advisory. Later on today I will work on replicating the exploit using the latest 5.5.52 packages from Ubuntu to confirm that this version in fact does fix the vulnerability. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto

Re: Questions regarding MySQL update

2016-09-13 Thread Roberto C . Sánchez
Does anyone have any thoughts on the matter? Regards, -Roberto [0] http://seclists.org/oss-sec/2016/q3/481 [1] http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.

Re: Wheezy update of icu?

2016-09-12 Thread Roberto C . Sánchez
> Brian, I have read over what you wrote and I have made some refinements and added a couple of additional notes based on what I think would have been helpful to me given my specific experience. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com signature.asc Description: Digital signature

Questions regarding MySQL update

2016-09-12 Thread Roberto C . Sánchez
there any special coordination required for the stable security update? Regards, -Roberto [0] http://metadata.ftp-master.debian.org/changelogs//main/m/mysql-5.5/mysql-5.5_5.5.50-0+deb8u1_changelog -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com sig

Re: Questions regarding MySQL update

2016-09-15 Thread Roberto C . Sánchez
On Wed, Sep 14, 2016 at 09:07:32AM -0400, Roberto C. Sánchez wrote: > > That is not to say that they couldn't have addressed the vulnerabilities > without contacting David to tell him that they had done say. That said, > the exploit is explained in a very detailed and me

MySQL 5.5.52 update for Debian wheezy?

2016-09-15 Thread Roberto C . Sánchez
the package as well? I don't want to duplicate effort, so I will wait to hear back from you before doing anything else. Regards, -Roberto -- Roberto C. Sánchez signature.asc Description: Digital signature

Re: Wheezy update of icu?

2016-09-19 Thread Roberto C . Sánchez
omeone is registered > on this update in this file: > https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup > > > Regards, > > -- > ,''`. > : :' : Chris Lamb > `. `'` la...@debian.org / chris-lamb.co.uk >`- > -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com signature.asc Description: Digital signature

[SECURITY] [DLA 624-1] mysql-5.5 security update

2016-09-16 Thread Roberto C . Sánchez
Package: mysql-5.5 Version: 5.5.52-0+deb7u1 CVE ID : CVE-2016-6662 Dawid Golunski discovered that the mysqld_safe wrapper provided by the MySQL database server insufficiently restricted the load path for custom malloc implementations, which could result in privilege

Re: version number when packaging a new upstream release

2016-10-03 Thread Roberto C . Sánchez
6:0.8.18-1+deb7u1 would be considered higher than 6:0.8.18-1, the correct version number to use would be 6:0.8.18-0+deb7u1. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com

LTS Report for September 2016

2016-09-30 Thread Roberto C . Sánchez
Regards, -Roberto -- Roberto C. Sánchez signature.asc Description: Digital signature

Re: ghostscript and evince/libspectre problem

2016-10-26 Thread Roberto C . Sánchez
ent correctly I believe that the short answer to your question is, "yes the same issue occurs in wheezy." Do you plan to address this issue, or is there something that I can to do help speed the process along? Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com

Re: Bug#840691: ghostscript and evince/libspectre problem

2016-10-27 Thread Roberto C . Sánchez
On Thu, Oct 27, 2016 at 12:35:16PM +0200, Moritz Muehlenhoff wrote: > On Thu, Oct 27, 2016 at 06:31:43AM -0400, Roberto C. Sánchez wrote: > > On Thu, Oct 27, 2016 at 08:54:39AM +0200, Moritz Muehlenhoff wrote: > > > > > > Salvatore mentioned that the same b

Re: Bug#840691: ghostscript and evince/libspectre problem

2016-10-27 Thread Roberto C . Sánchez
upstream? I guess that with seeing the evince problem in Jessie with both ghostscript 9.06~dfsg-2+deb8u2 and 9.06~dfsg-2+deb8u3 I wasn't certain that the fault is completely with ghostscript. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com

Re: Bug#840691: ghostscript and evince/libspectre problem

2016-10-27 Thread Roberto C . Sánchez
know if you need help with the regression test. > @Roberto: note, +deb8u1 -> +deb8u3 to see the regression, not the > intermittent +deb8u2. > Of course, I was able to confirm it between +deb8u1 and +deb8u3 on Jessie. Regards, -Roberto -- Roberto C. Sánchez http://people.co

[SECURITY] [DLA 674-2] ghostscript regression update

2016-10-28 Thread Roberto C . Sánchez
Package: ghostscript Version: 9.05~dfsg-6.3+deb7u4 Debian Bug : 840691 The update for ghostscript issued as DLA-674-1 caused regressions for certain Postscript document viewers (evince, zathura). Updated packages are now available to address this problem. For reference, the

Re: Bug#840691: ghostscript and evince/libspectre problem

2016-10-27 Thread Roberto C . Sánchez
On Thu, Oct 27, 2016 at 11:43:01PM +0200, Francesco Poli wrote: > On Thu, 27 Oct 2016 18:17:20 +0200 Salvatore Bonaccorso wrote: > > [...] > > On Thu, Oct 27, 2016 at 09:50:02AM -0400, Roberto C. Sánchez wrote: > > > Is your plan to release this as a -2 regression update t

Re: New DLA or resend with updated information. Advice needed.

2016-10-28 Thread Roberto C . Sánchez
e original advisory text for the sake of completeness. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com

[SECURITY] [DLA 674-1] ghostscript security update

2016-10-24 Thread Roberto C . Sánchez
Package: ghostscript Version: 9.05~dfsg-6.3+deb7u3 CVE ID : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978 CVE-2016-7979 CVE-2016-8602 Debian Bug : 839118 839260 839841 839845 839846 840451 Several vulnerabilities were discovered in

Re: Bug#838694: icu: CVE-2016-7415: Stack based buffer overflow in locid.cpp

2016-10-25 Thread Roberto C . Sánchez
e to contact upstream regarding this issue? Can I help in any way? -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com signature.asc Description: Digital signature

Re: openjdk-7 CVEs

2016-10-21 Thread Roberto C . Sánchez
ackport the proper fixes. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com

Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID

2016-11-28 Thread Roberto C . Sánchez
Hi Guido, Thanks for the feedback. On Mon, Nov 28, 2016 at 08:13:26AM +0100, Guido Günther wrote: > Hi Roberto, > On Mon, Nov 28, 2016 at 01:02:38AM -0500, Roberto C. Sánchez wrote: > > Greetings all, > > > > I have prepared an update of ImageMagick that takes the work B

Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID

2016-11-28 Thread Roberto C . Sánchez
On Mon, Nov 28, 2016 at 01:57:16PM +, Holger Levsen wrote: > On Mon, Nov 28, 2016 at 06:44:07AM -0500, Roberto C. Sánchez wrote: > > > If you're asking for code review posting a debdiff to the list might > > > help people to pick it up. > > Quite right: > &

RFC - ImageMagick, proper testing, and handling issues without a CVE ID

2016-11-27 Thread Roberto C . Sánchez
://security-tracker.debian.org/tracker/source-package/imagemagick [1] http://people.debian.org/~roberto/imagemagick_6.7.7.10-5+deb7u8.dsc [2] http://people.debian.org/~roberto/imagemagick_6.7.7.10-5+deb7u8_amd64.changes -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com

LTS Report for October 2016

2016-11-01 Thread Roberto C . Sánchez
, -Roberto -- Roberto C. Sánchez

Re: Bug#840691: ghostscript and evince/libspectre problem

2016-10-27 Thread Roberto C . Sánchez
-2 regression update to the previous DSA? I assume that is what you plan to do, but I wanted to confirm to be certain. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com

ImageMagick - marking issue as not affecting wheezy?

2016-10-27 Thread Roberto C . Sánchez
oduced after 6.7.7.10) The feedback I am seeking here is: 1. Is my interperation of the applicability of the patch correct? 2. Is what I am proposing the correct way to resolve the issue so that it no longer appears as vulnerable in the security tracker? Regards, -Roberto -- Roberto C. Sánche

Re: ImageMagick - marking issue as not affecting wheezy?

2016-10-28 Thread Roberto C . Sánchez
On Fri, Oct 28, 2016 at 09:41:42AM -0400, Antoine Beaupré wrote: > On 2016-10-28 07:53:39, Roberto C. Sánchez wrote: > > It appears to me that the upstream diff is ensuring that the allocated > > memory area is not too small, hence the change of "number_planes_fille

Re: ImageMagick - marking issue as not affecting wheezy?

2016-10-28 Thread Roberto C . Sánchez
Hi Raphael, Thanks for the feedback. On Fri, Oct 28, 2016 at 10:32:06AM +0200, Raphael Hertzog wrote: > Hi, > > On Thu, 27 Oct 2016, Roberto C. Sánchez wrote: > > https://security-tracker.debian.org/tracker/TEMP-0836171-53B142 > > https://bugs.debian.org/836171 > >

Re: Bug#840691: ghostscript and evince/libspectre problem

2016-10-28 Thread Roberto C . Sánchez
he wheezy packages using the same debdiff, save for an appropriately tweaked changelog entry, to security-master. Once your regression announcement is out for the DSA, I will follow-up with one for the DLA. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com

Re: RFC: Handling CVE-2014-9911 in ICU

2016-12-16 Thread Roberto C . Sánchez
Hi Raphael, On Fri, Dec 16, 2016 at 11:29:00AM +0100, Raphael Hertzog wrote: > Hi Roberto, > > On Thu, 15 Dec 2016, Roberto C. Sánchez wrote: > > @@ -1704,7 +1704,7 @@ > > char path[256]; > > char* myPath = path; > > con

RFC: Handling CVE-2014-9911 in ICU

2016-12-15 Thread Roberto C . Sánchez
ttp://bugs.icu-project.org/trac/changeset/35699 -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com signature.asc Description: Digital signature

[SECURITY] [DLA 744-1] icu security update

2016-12-16 Thread Roberto C . Sánchez
Package: icu Version: 4.8.1.1-12+deb7u6 CVE ID : CVE-2014-9911 CVE-2016-7415 Debian Bug : 838694 Brief introduction CVE-2014-9911 Michele Spagnuolo discovered a buffer overflow vulnerability which might allow remote attackers to cause a denial of service or

LTS Report for November 2016

2016-12-01 Thread Roberto C . Sánchez
; an upload is forthcoming Regards, -Roberto -- Roberto C. Sánchez

Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID

2016-12-01 Thread Roberto C . Sánchez
ed positive feedback on the testing, I will then upload that version of the package and release the DLA. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com

Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID

2016-11-29 Thread Roberto C . Sánchez
Hi Raphael, On Tue, Nov 29, 2016 at 12:14:10PM +0100, Raphael Hertzog wrote: > Hi, > > On Mon, 28 Nov 2016, Roberto C. Sánchez wrote: > > Quite right: > > http://people.debian.org/~roberto/imagemagick_6.7.7.10-5+deb7u7_6.7.7.10-5+deb7u8.diff > > Somme comments: >

Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID

2016-11-29 Thread Roberto C . Sánchez
On Tue, Nov 29, 2016 at 01:33:54PM +0100, Raphael Hertzog wrote: > On Tue, 29 Nov 2016, Roberto C. Sánchez wrote: > > Hi Raphael, > > > > On Tue, Nov 29, 2016 at 12:14:10PM +0100, Raphael Hertzog wrote: > > > Hi, > > > > > > On Mon, 28 Nov 201

[SECURITY] [DLA 731-1] imagemagick security update

2016-12-01 Thread Roberto C . Sánchez
Package: imagemagick Version: 8:6.7.7.10-5+deb7u8 CVE ID : CVE-2014-9805 CVE-2014-9806 CVE-2014-9807 CVE-2014-9808 CVE-2014-9809 CVE-2014-9810 CVE-2014-9811 CVE-2014-9812 CVE-2014-9813 CVE-2014-9814 CVE-2014-9815 CVE-2014-9816

LTS Report for December 2016

2017-01-02 Thread Roberto C . Sánchez
* php5: multiple issues Regards, -Roberto -- Roberto C. Sánchez

Re: Wheezy update of imagemagick?

2016-12-28 Thread Roberto C . Sánchez
gt; >> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup > > > > > > -- > > Envoyé de mon appareil Android avec K-9 Mail. Veuillez excuser ma brièveté. > > > > -- > --- Inguza Technology AB --- MSc in Information Technology > / o...@inguza.comFolkebogatan 26\ > | o...@debian.org 654 68 KARLSTAD| > | http://inguza.com/Mobile: +46 (0)70-332 1551 | > \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 / > --- > -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com

imagemagick collab-maint repository

2016-12-26 Thread Roberto C . Sánchez
, I think. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com signature.asc Description: Digital signature

Re: imagemagick collab-maint repository

2016-12-27 Thread Roberto C . Sánchez
On Tue, Dec 27, 2016 at 04:38:59PM -0500, Antoine Beaupré wrote: > On 2016-12-26 18:55:31, Roberto C. Sánchez wrote: > > All, > > > > I recently saw that php5, squid, and squid3 have LTS-specific > > repositories on git.debian.org. Since imagemagick appears to have a

Re: Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-28 Thread Roberto C . Sánchez
On Tue, Mar 28, 2017 at 11:34:44AM +0200, Mathieu Parent wrote: > Hi, > > 2017-03-26 14:39 GMT+02:00 Roberto C. Sánchez <robe...@connexer.com>: > > On Thu, Mar 23, 2017 at 11:30:09AM +0100, Mathieu Parent wrote: > >> > >> See attached the backported pa

Update wheezy samba to 3.6.25?

2017-03-28 Thread Roberto C . Sánchez
package, I feel it prudent to solicit comments and suggestions on this. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com signature.asc Description: Digital signature

Re: Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-26 Thread Roberto C . Sánchez
amba-3.6.6/source3/lib -I.. -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3 -fPIC -c modules/vfs_dirsort.c -o modules/vfs_dirsort.o make[2]: *** [modules/vfs_dirsort.o] Error 1 The resolution for this one is not obvious to me. I intend to dig into it, but if anyone has a suggestion, I welcome it. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com signature.asc Description: Digital signature

Re: Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-29 Thread Roberto C . Sánchez
> > The 3.6 branch was in maintenance mode since 2012-12-11, i.e after 3.6.10. > So it is probably better to only cherry-pick the fixes and continue > like Roberto did. > OK. I will continue working on integrating the patch from upstream. > I can help the testing. > I will announce when I have packages available for testing. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com

Samba has released a regression update

2017-03-31 Thread Roberto C . Sánchez
Hello. Samba announced an update a few hours ago to address this problem: * BUG 12721: Fix regression with "follow symlinks = no". That appears to correspond to #858564. I am not sure if the fix has any effect on #858590. Regards, -Roberto -- Roberto C. Sánchez http://people.co

Re: Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-31 Thread Roberto C . Sánchez
more confident now that the patches are correct. Now I am going about confirming that the regressions reported in #858564 and #858590 are addressed by the regression patch. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com

Re: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-24 Thread Roberto C . Sánchez
On Fri, Mar 24, 2017 at 04:04:08PM +0100, Moritz Muehlenhoff wrote: > On Fri, Mar 24, 2017 at 03:55:23PM +0100, Guido Günther wrote: > > Hi Roberto, > > On Fri, Mar 24, 2017 at 10:45:44AM -0400, Roberto C. Sánchez wrote: > > > On Fri, Mar 24, 2017 at 03:16:28PM +01

Re: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-24 Thread Roberto C . Sánchez
ail.com> > > mail. These should apply more cleanly. Quite right. I missed that. The good thing is I am only on patch 6 at this point and I haven't encountered any difficult failures. I will switch to the patches from Mathieu. Regards, -Roberto -- Roberto C. Sánchez http://people

Re: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-24 Thread Roberto C . Sánchez
for samba now. There are 37 individual patches in jessie's CVE-2017-2619.patch, and not all apply cleanly to 3.6.6 in wheezy. That said, I will wait on uploading until those bugs are resolved and I have incorportated their fixes. Regards, -Roberto -- Roberto C. Sánchez http://peopl

Review and help test Wheezy LTS update of Samba

2017-03-31 Thread Roberto C . Sánchez
e packages, and publish the DLA. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com samba_3.6.6-6+deb7u11_3.6.6-6+deb7u12.diff.xz Description: application/xz signature.asc Description: Digital signature

Re: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-31 Thread Roberto C . Sánchez
unity to speak up in case there was something I overlooked. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com signature.asc Description: Digital signature

LTS Report for March 2017

2017-04-01 Thread Roberto C . Sánchez
-- Roberto C. Sánchez signature.asc Description: Digital signature

LTS Report for February 2017

2017-03-01 Thread Roberto C . Sánchez
and tested final package, uploaded, and released advisory - libevent: Took initial steps on this package until Bálint Réczey spoke up to say that he was becoming co-maintainer and wanted to perform the LTS update Regards, -Roberto -- Roberto C. Sánchez

Re: Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-30 Thread Roberto C . Sánchez
ages could use some testing as well. I will try to do some testing, but give the scope of the changes (~850 lines of diff in total) more testing would certainly be a good thing. Also, I would appreciate any suggestions/feedback on minimizing the prereq patch. Regards, -Roberto -- Roberto C. Sánc

Re: Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

2017-08-12 Thread Roberto C . Sánchez
uming that you have otherwise built/tested in a wheezy environment). > > How do I upload, i.e. to what queue do I dput, and do I use -sa? > You can dput to security-master like a normal security update and -sa would likely get the upload rejected as the .orig.tar.gz is alre

LTS Report for July 2017

2017-08-11 Thread Roberto C . Sánchez
, CVE-2017-12429 (so far; I will complete the remaining patches as part of my work in August) Regards, -Roberto -- Roberto C. Sánchez signature.asc Description: Digital signature

Re: Wheezy update of apache2?

2017-07-17 Thread Roberto C . Sánchez
one of you take care of it? > > > Best wishes, > > -- > ,''`. > : :' : Chris Lamb, Debian Project Leader > `. `'` la...@debian.org / chris-lamb.co.uk >`- > -- Roberto C. Sánchez signature.asc Description: Digital signature

Re: Wheezy update of ncurses?

2017-07-11 Thread Roberto C . Sánchez
gt; All the open ncurses issues are marked no-dsa for jessie and stretch. Should we do the same for wheezy? Regards, -Roberto -- Roberto C. Sánchez signature.asc Description: Digital signature

[SECURITY] [DLA 1023-1] tiff3 security update

2017-07-11 Thread Roberto C . Sánchez
Package: tiff3 Version: 3.9.6-11+deb7u7 CVE ID : CVE-2017-9936 Debian Bug : 866113 A vulnerabilitie has been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code. CVE-2017-9936 A

[SECURITY] [DLA 1022-1] tiff security update

2017-07-11 Thread Roberto C . Sánchez
Package: tiff Version: 4.0.2-6+deb7u15 CVE ID : CVE-2017-9936 CVE-2017-10688 Debian Bug : 866113 866611 Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code.

Re: openssh_7.2p2+ availability for wheezy

2017-07-27 Thread Roberto C . Sánchez
uldn't be able to guarantee its > quality. > I'm also concerned about side effects of installing it. > I would also be concerned by that. > Please advise if there is any better alternative before I continue with > that. > You are almost certainly best served by using the offic

Re: openssh_7.2p2+ availability for wheezy

2017-07-27 Thread Roberto C . Sánchez
a covert timing channel (closes: #831902). -- Laszlo Boszormenyi (GCS) <g...@debian.org> Thu, 21 Jul 2016 15:51:59 + If you request that whomever provided you those descriptions give you the accompanying CVE IDs you will be able to confirm that they are in fact fixed in the currrent openssh in wheezy. Regards, -Roberto -- Roberto C. Sánchez

LTS Report for June 2017

2017-07-01 Thread Roberto C . Sánchez
: prepared update 2.2.22-13+deb7u9, including patches for CVE-2017-3167, CVE-2017-3169, CVE-2017-7668, and CVE-2017-7679 Regards, -Roberto -- Roberto C. Sánchez signature.asc Description: Digital signature

Re: avoid friday deployments?

2017-06-30 Thread Roberto C . Sánchez
ue had to do with Xen and with booting the guest VMs. All in all, though, a dist-upgrade to a new release is far more risky than a security update to a small number of packages. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com

[SECURITY] [DLA 1009-1] apache2 security update

2017-07-02 Thread Roberto C . Sánchez
Package: apache2 Version: 2.2.22-13+deb7u9 CVE ID : CVE-2017-3167 CVE-2017-3169 CVE-2017-7668 CVE-2017-7679 Several vulnerabilities have been found in the Apache HTTPD server. CVE-2017-3167 Emmanuel Dreyfus reported that the use of ap_get_basic_auth_pw() by

Re: Request for testing: apache2

2017-06-27 Thread Roberto C . Sánchez
On Tue, Jun 27, 2017 at 10:17:46AM -0400, Antoine Beaupré wrote: > On 2017-06-25 16:56:46, Roberto C. Sánchez wrote: > > Hi all, > > > > I have prepared an update for apache2 and I would like to request some > > testing. The packages are here: > > >

Re: Request for testing: apache2

2017-06-27 Thread Roberto C . Sánchez
his. > Yeah, that seems an odd thing to do on such an old branch. > but then any Apache release is... a patchy release. ;) > > *rimshot* > For some reason, that is still funny to me after many years. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~robe

Re: Debconf 2017 LTS BoF Summary

2017-08-09 Thread Roberto C . Sánchez
ill OK to use verbatim text from a DSA in a DLA? It seems like that should be OK, and it is something I do sometimes, as the DSAs are frequently published first and I feel like sharing the same summary text regarding a particular vulnerability keeps everything consistent. -- Roberto C. Sánchez

Re: LTS team Bof at Debconf

2017-08-08 Thread Roberto C . Sánchez
On Tue, Aug 08, 2017 at 10:53:22AM -0300, Guido Günther wrote: > Hi, > On Mon, Aug 07, 2017 at 03:47:41PM -0400, Roberto C. Sánchez wrote: > > On Mon, Aug 07, 2017 at 04:36:40PM -0300, Guido Günther wrote: > > > Hi, > > > On Mon, Aug 07, 2017 at 08:13:24PM +

Re: LTS team Bof at Debconf

2017-08-07 Thread Roberto C . Sánchez
On Mon, Aug 07, 2017 at 04:36:40PM -0300, Guido Günther wrote: > Hi, > On Mon, Aug 07, 2017 at 08:13:24PM +0200, Sébastien Delafond wrote: > > On Aug/07, Roberto C. Sánchez wrote: > > > Would there be a willingness to allow remote participation via > > > laptop+webc

Re: LTS team Bof at Debconf

2017-08-07 Thread Roberto C . Sánchez
ching schedule). However, I had to cancel my plans several weeks ago so I am not there in Montreal. Would there be a willingness to allow remote participation via laptop+webcam? Regards, -Roberto -- Roberto C. Sánchez

LTS Report for April 2017

2017-05-09 Thread Roberto C . Sánchez
Thorsten with investigation of test failure Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com signature.asc Description: Digital signature

  1   2   3   >