Re: Lintian errors on ffmpeg

2022-05-04 Thread Santiago Ruano Rincón
Hi! On 04/05/22 at 10:14, Enrico Zini wrote: > On Wed, May 04, 2022 at 08:58:36AM +0100, Neil Williams wrote: > > > > I'm working at a LTS release of ffmpeg, and the CI is failing with > > > Lintian errors that weren't present in the previous version: > > > > Is the version of lintian in t

Re: [SECURITY] [DLA 3107-1] sqlite3 security update

2022-09-14 Thread Santiago Ruano Rincón
On 14/09/22 at 08:04, Chris Lamb wrote: > Chris Lamb wrote: > > >> Did you forget to upload this? I don't see any sqlite3 update in > >> buster-security (or maybe it was rejected or something). > > > > I didn't forget. Rather, it was REJECTED late last night and I re- > > uploaded first thi

Re: Accepted knot-resolver 3.2.1-3+deb10u1 (source amd64 all) into oldstable

2022-10-07 Thread Santiago Ruano Rincón
Hi Chris, Thanks for handling this. On 07/10/22 at 18:10, Debian FTP Masters wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Format: 1.8 > Date: Fri, 07 Oct 2022 10:17:02 -0700 > Source: knot-resolver > Binary: knot-resolver knot-resolver-dbgsym knot-resolver-doc > knot-res

Re: [Debian-salsa-ci] Using Salsa-CI as pre-upload QA for Bullseye and Buster uploads: Lintian and Piuparts

2022-11-14 Thread Santiago Ruano Rincón
Hi! On 14/11/22 at 09:52, Chris Lamb wrote: > Hi Otto, > > > I was wondering how common is it for DDs to use Salsa-CI while doing > > quality assurance prior to Bullseye and Buster uploads? > > Since Debian LTS and ELTS changed its policy to use Salsa a few months > back, I have been using

Re: Using Salsa-CI as pre-upload QA for Bullseye and Buster uploads: Lintian and Piuparts

2023-03-20 Thread Santiago Ruano Rincón
On 20/03/23 at 09:08, Emilio Pozuelo Monfort wrote: > Hi Otto, > > I do run lintian from the target release before upload (actually on every > build). I don't think running lintian from sid for (old*)stable makes sense > as I'm not interested in newly introduced warnings or errors that affec

Bug#1035972: isc-dhcp EOL'ed

2023-05-11 Thread Santiago Ruano Rincón
Source: debian-security-support Version: 1:12+2023.05.04 Severity: normal X-Debbugs-Cc: secur...@debian.org, debian-lts@lists.debian.org Dear security and LTS teams, ISC is no longer maintaining any of the components of isc-dhcp (client, relay or server): https://lists.isc.org/pipermail/dhcp-users

Re: Shibboleth SP Security Advisory

2023-06-13 Thread Santiago Ruano Rincón
Hi, On 13/06/23 at 08:59, Enrique Pérez Arnaud wrote: > Hi, > > The people from Shibboleth released yesterday 12th of June a security > advisory and update [1]. > > Does anyone here know whether there will be a security update for Debian > LTS (buster) regarding this? > > Thanks! > > >

xmltooling update for buster

2023-06-14 Thread Santiago Ruano Rincón
Dear xmltooling maintainers, According to the security team's dsa-needed, you are preparing an update for the recent shibboleth/xmltooling security issue. Would you be willing to prepare an update for buster too, or would you like the Debian LTS team to handle it? Cheers, -- Santiago

Re: xmltooling update for buster

2023-06-14 Thread Santiago Ruano Rincón
On 14/06/23 at 18:30, Ferenc Wágner wrote: > Santiago Ruano Rincón writes: > > > Dear xmltooling maintainers, > > > > According to the security team's dsa-needed, you are preparing an update > > for the recent shibboleth/xmltooling security issue. Wou

Re: xmltooling update for buster

2023-06-15 Thread Santiago Ruano Rincón
On 14/06/23 at 23:36, Ferenc Wágner wrote: > Santiago Ruano Rincón writes: > > > On 14/06/23 at 18:30, Ferenc Wágner wrote: > > > >> Santiago Ruano Rincón writes: > >> > >>> According to the security team's dsa-needed, you ar

[Debian Code Search] Indexing releases other than sid

2023-07-22 Thread Santiago Ruano Rincón
Hi, First of all, thanks a lot for Debian Code Search. It is really useful! I would like to give feedback about this from the FAQ: > Q: Which Debian distributions are indexed (e.g. testing, sid, > experimental)? > > Currently, DCS indexes sid only. If you have good arguments for > extending or

Re: RFC - mark CVE-2017-18641/lxc as or ?

2023-08-16 Thread Santiago Ruano Rincón
On 04/03/20 at 21:09, Roberto C. Sánchez wrote: > On Wed, Feb 26, 2020 at 10:33:22AM -0500, Roberto C. Sánchez wrote: > > Hello all, > > > > I've been doing some work on CVE-2017-18641/lxc to understand the > > precise nature of the vulnerability and potential approaches to fixing > > it. I

Call for tests/review: glib2.0/buster

2023-08-20 Thread Santiago Ruano Rincón
Dear all I've prepared a glib2.0 update for buster (and I am working for older releases). I think it should be ready, all the tests pass. But since there were some regressions with a first set of patches, it would be great if someone could give it a try. The packages are available following these

Re: Backporting mutt patches to Debian Buster

2023-09-17 Thread Santiago Ruano Rincón
hi! On 16/09/23 at 15:44, Utkarsh Gupta wrote: > Hi Chris, > > On Fri, Sep 15, 2023 at 8:09 PM Chris Frey wrote: > > Attached is a patch that applies to the unpackaged sources of Debian > > Buster's > > version of mutt 1.10. > > > > It includes 3 patches: > > > > upstream/Fix-rfc2

Re: Backporting mutt patches to Debian Buster

2023-09-20 Thread Santiago Ruano Rincón
Hi Chris, On 17/09/23 at 21:56, Chris Frey wrote: > On Sun, Sep 17, 2023 at 08:34:57PM +0300, Santiago Ruano Rincón wrote: > > Chris, thanks for preparing the patches. Much appreciated. I have a > > question though: Why are you placing those two patches in > > debian

Bug#1053109: Mark limited support for Samba in buster and bullseye

2023-09-27 Thread Santiago Ruano Rincón
Package: debian-security-support Version: 1:13+2023.09.27 Severity: normal X-Debbugs-Cc: debian-lts@lists.debian.org Samba as AD Domain Controller is not supported in bullseye since [DSA 5477-1] and in buster since [DSA 5015-1]. debian-security-support should include this information in security-s

Re: Bug#1053880: node-babel7: CVE-2023-45133

2023-10-13 Thread Santiago Ruano Rincón
Hi Yadd, On 13/10/23 at 20:59, Yadd wrote: > and Buster ;-) Thanks for preparing the fix! Just to be on the safe side, have you been able to test it, and how? Are you willing to upload it by yourself, or do you want some help? Cheers, -- Santiago

Re: Accepted node-babel 6.26.0+dfsg-3+deb10u1 (source all) into oldoldstable

2023-10-18 Thread Santiago Ruano Rincón
Hey, node-babel was accepted into buster-security. Yadd, will you do the paperwork by yourself or do you want some help? Cheers, -- S On 18/10/23 at 21:20, Debian FTP Masters wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Format: 1.8 > Date: Fri, 13 Oct 2023 20:56:38 +04

Re: Accepted node-babel 6.26.0+dfsg-3+deb10u1 (source all) into oldoldstable

2023-10-19 Thread Santiago Ruano Rincón
On 19/10/23 at 11:29, Yadd wrote: > Hi, > > I think I did what is needed (mail + webml). Let me know if everything is > OK. It is perfect. Thank you! Cheers, -- Santiago

Support of Tor in buster LTS

2023-11-28 Thread Santiago Ruano Rincón
unce/2023/msg00258.html and: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056606 I think we should follow that for buster. Any objections? Cheers, -- Santiago Ruano Rincón ◈ Freexian SARL https://www.freexian.com

Security releases for ecosystems that use static linking

2023-12-21 Thread Santiago Ruano Rincón
Dear Security, Release and Wanna-build teams, As some of you may be aware, we (the LTS Team) are reviewing the packages with limitations in their support, and I would like to bring some discussion regarding Go, Rust and the like. As the bookworm (and older) release notes document: The Debian

Re: Security releases for ecosystems that use static linking

2023-12-22 Thread Santiago Ruano Rincón
On 22/12/23 at 09:54, Moritz Muehlenhoff wrote: > On Thu, Dec 21, 2023 at 07:30:51PM -0300, Santiago Ruano Rincón wrote: > > So let me ask you: are you interested in addressing the infrastructure > > limitations to handle those kind of packages? and having some he

Re: Security releases for ecosystems that use static linking

2023-12-22 Thread Santiago Ruano Rincón
On 22/12/23 at 14:21, Moritz Muehlenhoff wrote: > On Fri, Dec 22, 2023 at 10:19:15AM -0300, Santiago Ruano Rincón wrote: > > On 22/12/23 at 09:54, Moritz Muehlenhoff wrote: > > > On Thu, Dec 21, 2023 at 07:30:51PM -0300, Santiago Ruano Rincón wrote: > > > >

Re: man-db hardening fixes

2024-02-05 Thread Santiago Ruano Rincón
On 01/02/24 at 13:34, Colin Watson wrote: > On Thu, Feb 01, 2024 at 05:41:19PM +0530, Utkarsh Gupta wrote: > > On Thu, Feb 1, 2024 at 1:44 AM Colin Watson wrote: > > > I'm both the Debian and upstream maintainer of man-db. I'm considering > > > uploading some variation of the attached diff

Re: man-db hardening fixes

2024-02-05 Thread Santiago Ruano Rincón
On 05/02/24 at 15:30, Colin Watson wrote: > On Mon, Feb 05, 2024 at 11:33:41AM -0300, Santiago Ruano Rincón wrote: > > As part of the LTS workflow, we keep information about VCS of the > > packages uploaded, including git tags for every upload. > > > > Woul

Re: debvm invocations for ELTS

2024-02-29 Thread Santiago Ruano Rincón
On 29/02/24 at 14:14, Sean Whitton wrote: > Hello, > > Does anyone have working debvm runes for stretch & jessie? > > If you just use 'debvm-create -r stretch -- > http://deb.freexian.com/extended-lts' > then there isn't working networking. AFAIU, networking is set up while running debvm-

Re: kfreebsd-10 supported in buster?

2024-03-07 Thread Santiago Ruano Rincón
Hello Ola, On 08/03/24 at 00:20, Ola Lundqvist wrote: > Hi > > I'm triaging issues and I found one undetermined one for kfreebsd-10. > There is very little information on the issue so I agree with the > undetermined status. > > My question is whether we should even try to determine it... I

Re: kfreebsd-10 supported in buster?

2024-03-08 Thread Santiago Ruano Rincón
On 08/03/24 at 18:51, Ola Lundqvist wrote: > Hi > > Ah, right. I was thinking i386, amd64 were only hardware architectures. If > it includes freebsd as a separate then it is clearly not supported. > Thank you That is a good point. We tend to use the term architecture, but if you want to be

Re: Expanding the scope (slightly) of dla-needed.txt

2024-03-15 Thread Santiago Ruano Rincón
On 15/03/24 at 08:31, Roberto C. Sánchez wrote: > On Fri, Mar 15, 2024 at 11:06:10AM +0100, Raphael Hertzog wrote: > > Hello Roberto, > > > > On Thu, 14 Mar 2024, Roberto C. Sánchez wrote: > > > Santiago and I are in agreement that at the moment the best available > > > option is to use dla-

Re: How to handle freeimage package

2024-04-09 Thread Santiago Ruano Rincón
Hi (especially Ola), On 08/04/24 at 13:59, Sylvain Beucler wrote: > Hi, > > I think this requires a bit of coordination: > - the package is basically dead upstream, there hasn't been a fix in the > official repos, neither Debian or other distros attempted to fix them The only "exception" s

Re: How to handle freeimage package

2024-04-10 Thread Santiago Ruano Rincón
Hi Ola, On 10/04/24 at 22:08, Ola Lundqvist wrote: > Hi all > > Sorry for late reply. It took me too long today to answer the CVE > triaging discussion. Now to this issue. > > Regarding the fedora patches. The patches seem to help for those > specific issues they solve. > > My intention f

Re: How to handle freeimage package

2024-04-11 Thread Santiago Ruano Rincón
Hi Ola, On 11/04/24 at 08:25, Ola Lundqvist wrote: > On Thu, 11 Apr 2024 at 02:34, Santiago Ruano Rincón > > On 10/04/24 at 22:08, Ola Lundqvist wrote: > > > Hi all > > > > > > Sorry for late reply. It took me too long today to answer the CVE >

Re: Guidance for CVE triage and listing packages in dla-needed.txt

2024-04-11 Thread Santiago Ruano Rincón
Hello Cyrille, On 11/04/24 at 09:15, Cyrille Bollu wrote: > Why not using CVSS as a base calculation for assigning severity levels? > > IIRC, something like: > > CVSS>=8 => High > 4<=CVSS<8 => Medium > CVSS<4 => Low ... Thanks for the comment! I cannot talk for the security team, but I u

Re: freeimage and CVE-2019-12214

2024-04-15 Thread Santiago Ruano Rincón
Hi, Cyrille, thank you for checking this. However, I don't think the contact address you had sent the email to is correct. CVE is maintained by MITRE (not NIST). And there exist several CNAs that could issue CVE IDs for specific products/domains. According to https://www.cve.org/CVERecord?id=CVE-2019

Re: freeimage and CVE-2019-12214

2024-04-15 Thread Santiago Ruano Rincón
t; > NOTE: in libopenjpeg, not freeimage. Without reproducer or > > stacktrace, this is > > NOTE: nearly unfixable. > > + NOTE: Turned out that the issue is not in freeimage at all, > > but rather in openjpeg. > > + NOTE: For more information see >

Re: freeimage and CVE-2019-12214

2024-04-15 Thread Santiago Ruano Rincón
Hi, On 15/04/24 at 21:47, Ola Lundqvist wrote: > Hi Santiago > > On Mon, 15 Apr 2024 at 21:10, Santiago Ruano Rincón > wrote: > > > > Hi Ola, > > > > As being discussed with Salvatore, there is not enough evidence to > > conclude there is n

Re: freeimage and CVE-2019-12214

2024-04-16 Thread Santiago Ruano Rincón
Hi Cyrille, On 16/04/24 at 16:09, Cyrille Bollu wrote: > Hi Santiago, > > >It is not a question of trust. It is a problem of lack of strong > >evidence that the issue is no longer there in freeimage or openjpeg2. > >We cannot rely only on CVE description to track the issues. > > I think yo

LTS Team's samba git repository and forced push debian/buster branch

2024-04-22 Thread Santiago Ruano Rincón
Dear team, TL;DR: if you have a local copy of the lts-team/packages/samba repo, please consider resetting the debian/buster branch. The lts-team's was originally created from scratch, then we moved over a fork of the debian maintainers. To reconcile the differences in history between the buster u

Re: bind9 LTS

2024-04-23 Thread Santiago Ruano Rincón
Hi Ola, On 19/04/24 at 07:54, Ola Lundqvist wrote: > Hi > > I have now made the package build. Thank you for preparing the patch. I've built, tested basic functionality and tested reversed dependencies. However, I have a question: could you please point me where do you get from the changes

Re: freeimage and CVE-2019-12214

2024-04-26 Thread Santiago Ruano Rincón
Hi Cyrille! On 25/04/24 at 15:00, Cyrille Bollu wrote: > Hi Santiago, > > Here's some follow up :-) > > Best regards, > > Cyrille > > On Tuesday 16 April 2024 at 12:52 -0300, Santiago Ruano Rincón wrote: > > Hi Cyrille, > > > > On 16/0

Re: bind9 LTS

2024-04-29 Thread Santiago Ruano Rincón
the first time I looked at these CVEs, when they just came out. Thanks, and sorry for the noise, -- S > > Cheers > > // Ola > > On Tue, 23 Apr 2024 at 22:55, Santiago Ruano Rincón > wrote: > > > > Hi Ola, > > On 19/04/24 at 07:54, Ola Lundqvist

Bug#1070494: ITP: linux-livepatching -- linux livepatching module for Debian

2024-05-06 Thread Santiago Ruano Rincón
Package: wnpp Severity: wishlist Owner: Emmanuel Arias , Santiago Ruano Rincón X-Debbugs-Cc: debian-de...@lists.debian.org, t...@security.debian.org, debian-ker...@lists.debian.org, debian-lts@lists.debian.org, eam...@debian.org * Package name: linux-livepatching Version

Re: git CVE-2024-32004 & CVE-2024-32020

2024-05-31 Thread Santiago Ruano Rincón
Hi Ubuntu security team, I would just like to put you in the loop about this git issue, and a possible regression in Ubuntu related to its fix. Please, see below. On 31/05/24 at 10:41, Roberto C. Sánchez wrote: > Hi Sean, > > On Fri, May 31, 2024 at 03:05:35PM +0100, Sean Whitton wrote: >

Re: gpac end-of-life in stretch (and recommendation for buster/bullseye)

2024-08-08 Thread Santiago Ruano Rincón
nt to mark gpac EOL for bullseye as well? I think it makes sense, yes. Would you like to proceed and document this in d-d-s? Thanks, -- Santiago Ruano Rincón ◈ Freexian SARL https://www.freexian.com

end-of-life iotjs for the upcoming bullseye LTS

2024-08-08 Thread Santiago Ruano Rincón
Hi all, As suggested by Moritz, given the status of iotjs, I think it is not possible to support it during the bullseye LTS period. iotjs was removed from unstable (and bookworm when it was testing) nearly two years ago: https://tracker.debian.org/news/1354004/removed-10715-1-from-unstable/. It

Re: end-of-life iotjs for the upcoming bullseye LTS

2024-08-09 Thread Santiago Ruano Rincón
On 08/08/24 at 23:06, Moritz Mühlenhoff wrote: > On Thu, Aug 08, 2024 at 09:31:31PM +0200, Salvatore Bonaccorso wrote: > > So the package can be safely removed I would say and so my proposal > > would be to ask for removal of iotjs in the last bullseye point > > release. > > > > What do you

Re: Re: Support for ckeditor3 in Debian

2024-08-10 Thread Santiago Ruano Rincón

Re: Re: Support for ckeditor3 in Debian

2024-08-10 Thread Santiago Ruano Rincón

Re: Re: Support for ckeditor3 in Debian

2024-08-10 Thread Santiago Ruano Rincón

Re: Re: Support for ckeditor3 in Debian

2024-08-10 Thread Santiago Ruano Rincón

Re: Support for ckeditor3 in Debian

2024-08-10 Thread Santiago Ruano Rincón
(I had tried to answer from the web debian-lts archive, and I don't know why firefox ended up sending four empty emails to the list. Really sorry for the noise) On 31/05/22 at 05:42, Mike Gabriel wrote: > Hi Moritz, Salvatore, Sylvain, > > On Mon 30 May 2022 20:04:14 CEST, Moritz Mühlenhoff

Re: Support for ckeditor3 in Debian

2024-08-12 Thread Santiago Ruano Rincón
On 12/08/24 at 00:27, Mike Gabriel wrote: > Hi Moritz, hi Santiago, > > On Sun 11 Aug 2024 12:57:23 CEST, Moritz Muehlenhoff wrote: > > > On Sat, Aug 10, 2024 at 11:19:24AM -0300, Santiago Ruano Rincón wrote: > > > (I had tried to answer from the web debian-lt

Re: Security support for pypy and jython

2024-08-12 Thread Santiago Ruano Rincón
Hi, On 08/08/24 at 12:10, Sylvain Beucler wrote: > Hello Security Team, > > python2.7 was marked unsupported in bullseye. > > We recently noted that pypy[v2] (included up to bullseye) and jython (all > dists) include the python2 stdlib. Unlike pypy3, neither package currently > track the

Re: Make stable-security build logs public after embargo

2024-08-14 Thread Santiago Ruano Rincón
Dear wanna-build team, On 13/12/23 at 11:56, Salvatore Bonaccorso wrote: > Hi Sylvain, > > On Wed, Dec 13, 2023 at 07:50:38AM +0100, Sylvain Beucler wrote: > > Hi all, > > > > Actually we have a summary of the situation here: > > https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/5

Re: mark wpewebkit unsupported in bullseye once bullseye becomes LTS in July 2024

2024-08-15 Thread Santiago Ruano Rincón
Hi! On 12/05/23 at 12:06, Alberto Garcia wrote: > On Fri, May 12, 2023 at 08:27:49AM +, Holger Levsen wrote: > > > Note that wpewebkit is still supported in bullseye and will remain > > > supported until the distro reaches EOL. > > does that mean when the Debian security stops supporting

Re: mark wpewebkit unsupported in bullseye once bullseye becomes LTS in July 2024

2024-08-16 Thread Santiago Ruano Rincón
On 16/08/24 at 18:03, Alberto Garcia wrote: > On Thu, Aug 15, 2024 at 02:32:42PM -0300, Santiago Ruano Rincón wrote: > > > > Alberto, does the following change match your thoughts? > > > > diff --git a/security-support-limited.deb11 b/security-support-limi

Re: mark wpewebkit unsupported in bullseye once bullseye becomes LTS in July 2024

2024-08-19 Thread Santiago Ruano Rincón
On 19/08/24 at 05:33, Holger Levsen wrote: > On Fri, Aug 16, 2024 at 02:31:02PM -0300, Santiago Ruano Rincón wrote: > > I have updated > > https://salsa.debian.org/debian/debian-security-support/-/merge_requests/29 > > accordingly. > > will you also merge it? :

Re: Make stable-security build logs public after embargo

2024-08-22 Thread Santiago Ruano Rincón
Hi! On 22/08/24 at 14:30, Sylvain Beucler wrote: > Hi Wanna-Build Team, > > On 19/08/2024 18:57, Aurelien Jarno wrote: > > On 2024-08-14 12:59, Santiago Ruano Rincón wrote: > > > On 13/12/23 at 11:56, Salvatore Bonaccorso wrote: > > > > On W

Re: Bug#1079502: youtube-dl: GHSA-22fp-mf44-f2mq GHSA-9jqj-9wwh-r5mg

2024-08-26 Thread Santiago Ruano Rincón
Control: severity -1 important (CCing: the security team) Hi, On 24/08/24 at 02:08, alexvong.rc...@simplelogin.com wrote: > Subject: youtube-dl: GHSA-22fp-mf44-f2mq GHSA-9jqj-9wwh-r5mg > Source: youtube-dl > Version: 2021.12.17-1~bpo11+1 > X-Debbugs-Cc: debian-lts@lists.debian.org > Severi

The bullseye-security upload queue is still closed (was: [SECURITY] [DLA 3856-1] python-html-sanitizer security update)

2024-08-26 Thread Santiago Ruano Rincón
On 26/08/24 at 19:22, Adrian Bunk wrote: > Hi, > > where has the binary package been built, and where is it available for > our users to download? > > Except for this announcement, I have not seen traces of it anywhere. python-html-sanitizer and libtommath uploads have been rejected. Chri

Call for testers: Freeradius updates that mitigate Blast-RADIUS

2024-08-26 Thread Santiago Ruano Rincón
Dear Debian LTS users, Bernhard (FreeRADIUS debian maintainer), Bastien and myself (with the kind help from Alan DeKok - upstream maintainer) have been preparing freeradius updates that mitigate the Blast-RADIUS issue for both bookworm and bullseye. To mitigate the vulnerability, RADIUS servers a

Re: Security support for pypy and jython

2024-08-29 Thread Santiago Ruano Rincón
On 13/08/24 at 19:37, Sylvain Beucler wrote: > Hi, > > On 13/08/2024 11:54, Moritz Mühlenhoff wrote: > > On Mon, Aug 12, 2024 at 03:10:06PM -0300, Santiago Ruano Rincón wrote: > > > On 08/08/24 at 12:10, Sylvain Beucler wrote: > > > > python2.

Re: bullseye-security upload queue open (was: [SECURITY] [DLA 3856-1] python-html-sanitizer security update)

2024-08-31 Thread Santiago Ruano Rincón
On 31/08/24 at 16:43, Adrian Bunk wrote: > On Sat, Aug 31, 2024 at 10:12:19AM -0300, Santiago Ruano Rincón wrote: > >... > > It seems the bullseye-security upload queue is finally open (now that > > the point release has been published). > >... > > Are yo

bullseye-security upload queue open (was: [SECURITY] [DLA 3856-1] python-html-sanitizer security update)

2024-08-31 Thread Santiago Ruano Rincón
Hello Chris, hello LTS Team, On 26/08/24 at 13:59, Santiago Ruano Rincón wrote: > On 26/08/24 at 19:22, Adrian Bunk wrote: > > Hi, > > > > where has the binary package been built, and where is it available for > > our users to download? > > > >

Bug#1080418: override: systemd-timesyncd:admin/standard

2024-09-03 Thread Santiago Ruano Rincón
Package: ftp.debian.org Severity: normal User: ftp.debian@packages.debian.org Usertags: override X-Debbugs-Cc: syst...@packages.debian.org, debian-lts@lists.debian.org, Adrian Bunk , debian-ad...@lists.debian.org Control: affects -1 + src:systemd Dear FTP Master team, It seems the bullseye-s

debian-security-support migrated to Salsa

2018-03-15 Thread Santiago Ruano Rincón
Hi, FYI, I've moved the debian-security-support repo to Salsa: https://salsa.debian.org/debian/debian-security-support Cheers, Santiago

Re: Bug#906724: clamav-daemon: uninstalable on jessie i386 due to dependencies on clamav-base

2018-10-10 Thread Santiago Ruano Rincón
On 09/10/18 at 21:24, Sebastian Andrzej Siewior wrote: > On 2018-08-20 10:07:43 [+0200], Kiko Piris wrote: > > Package: clamav-daemon > > Version: 0.100.1+dfsg-0+deb8u1 > > Severity: important > > > > The following packages have unmet dependencies: > > clamav-daemon : Depends: clamav-base (

Re: libdatetime-timezone-perl

2018-11-07 Thread Santiago Ruano Rincón
On 07/11/18 at 16:59, Brian May wrote: > I see libdatetime-timezone-perl is in dla-needed.txt, but I can't see > *any* security vulnerabilities in > https://security-tracker.debian.org/tracker/source-package/libdatetime-timezone-perl I included it to dla-needed. It doesn't have any known secur

policykit-1 CVE-2018-19788 in jessie

2018-12-19 Thread Santiago Ruano Rincón
Dear Maintainers, (It seems my first attempt to send this mail failed. Sorry if you received it twice) As opposed to stretch, I have been unable to reproduce CVE-2018-19788 in jessie. i.e. systemctl correctly doesn't allow me to stop services, and pkexec blocks me from executing applications that

Re: policykit-1 CVE-2018-19788 in jessie

2018-12-30 Thread Santiago Ruano Rincón
On 20/12/18 at 12:57, Moritz Muehlenhoff wrote: > On Thu, Dec 20, 2018 at 03:11:49PM +0530, Abhijith PA wrote: > > Hi Santiago, > > > > On Thursday 20 December 2018 01:00 AM, Santiago Ruano Rincón wrote: > > > Dear Maintainers, > > > > > >

Re: KSK2017 in BIND 9 in Wheezy and Jessie LTS releases?

2019-03-21 Thread Santiago Ruano Rincón
On 21/03/19 at 00:03, Ondřej Surý wrote: > Hi, > > I have a question - did you update the KSK2017 in bind9 package in Wheezy > before it became EOL, and did you update the KSK2017 in Jessie? > > Would it be still possible to update the keys in bind9 package in Wheezy if > that hasn’t been

Squid package on Squeeze LTS, call for tests

2015-04-27 Thread Santiago Ruano Rincón
Hi there, I am preparing my first package for squeeze lts. This is a simple change on the squid package and it seems to work for me, but I'd be thankful if you can test it: https://people.debian.org/~santiago/debian/santiago-squeeze-lts/ squid (2.7.STABLE9-2.2+deb6u1~1) santiago-squeeze-lts; ur

icu package for test

2015-04-29 Thread Santiago Ruano Rincón
+squeeze3~1 Distribution: santiago-squeeze-lts Urgency: medium Maintainer: Jay Berkenbilt Changed-By: Santiago Ruano Rincón Description: icu-doc- API documentation for ICU classes and functions lib32icu-dev - Development files for International Components for Unicode (32-bi lib32icu44

Re: icu package for test

2015-05-06 Thread Santiago Ruano Rincón
On Wed, Apr 29, 2015 at 11:02:40AM +0200, Santiago Ruano Rincón wrote: > Hi, and thanks for the welcome! > > icu has several issues to be fixed [0]. For the moment, I have backported > from wheezy a patch that fixes four of them: CVE-2013-1569, > CVE-2013-2383, CVE-2013-2384, an

Re: icu package for test

2015-05-13 Thread Santiago Ruano Rincón
On Thu, May 07, 2015 at 12:25:44AM +0200, Santiago Ruano Rincón wrote: > On Wed, Apr 29, 2015 at 11:02:40AM +0200, Santiago Ruano Rincón wrote: > > Hi, and thanks for the welcome! > > > > icu has several issues to be fixed [0]. For the moment, I have backported > > fro

Re: icu package for test

2015-05-13 Thread Santiago Ruano Rincón
On Thu, May 14, 2015 at 12:51:08AM +0200, Santiago Ruano Rincón wrote: > On Thu, May 07, 2015 at 12:25:44AM +0200, Santiago Ruano Rincón wrote: > > On Wed, Apr 29, 2015 at 11:02:40AM +0200, Santiago Ruano Rincón wrote: > > > Hi, and thanks for the welcome! > > > > >

tomcat6: CVE-2014-0227: HTTP request smuggling or DoS by streaming malformed data

2015-05-14 Thread Santiago Ruano Rincón
Source: tomcat6 Version: 6.0.35-6+deb7u1 Severity: important Tags: security patch upstream fixed-upstream Hi there, The following vulnerability affects current tomcat 6.x in squeeze and wheezy. According to CVE-2014-0227 [cve], "Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before

CVE-2014-0230: non-persistent DoS attack by feeding data aborting an upload

2015-05-14 Thread Santiago Ruano Rincón
Source: tomcat6 Version: 6.0.41-2+squeeze6 Severity: normal Tags: security upstream fixed-upstream Hello, The following vulnerability affects tomcat6 in squeeze and wheezy. CVE-2014-0230 [cve]: Tomcat permits a limited Denial of Service. I have prepared the attached patch for the 6.0.41-2+squee

tomcat6 squeeze-lts packages available for test, CVE-2014-0227 and CVE-2014-0230

2015-05-15 Thread Santiago Ruano Rincón
oS by streaming malformed data +- CVE-2014-0230: non-persistent DoS attack by feeding data aborting an + upload + + -- Santiago Ruano Rincón Fri, 15 May 2015 10:38:49 +0200 + tomcat6 (6.0.41-2+squeeze6) squeeze-lts; urgency=medium * Security upload by the Debian LTS team. diff -Nru tomcat

Re: squeeze update of dnsmasq?

2015-05-15 Thread Santiago Ruano Rincón
Hi Simon, On Thu, May 14, 2015 at 09:57:24PM +0100, Simon Kelley wrote: > Hi Raphael. > > I'm over-committed trying to get the long-overdue 2.73 release of > dnsmasq out at the moment, so if the LTS team could handle the Debian > mechanics of this, that would really help me. > In that case, I

Re: squeeze update of dnsmasq?

2015-05-16 Thread Santiago Ruano Rincón
Hi Simon, On Fri, May 15, 2015 at 04:24:30PM +0200, Santiago Ruano Rincón wrote: ... > I'm attaching the clean patch to fix CVE-2015-3294. These other CVEs are related to each other and still affect dnsmasq in squeeze and wheezy: https://security-tracker.debian.org/tracker/CVE-2012-34

Re: squeeze update of dnsmasq?

2015-05-16 Thread Santiago Ruano Rincón
On Sat, May 16, 2015 at 12:26:51PM +0200, Santiago Ruano Rincón wrote: > Hi Simon, > > On Fri, May 15, 2015 at 04:24:30PM +0200, Santiago Ruano Rincón wrote: > ... > > I'm attaching the clean patch to fix CVE-2015-3294. > > These other CVEs are related each othe

Re: squeeze update of dnsmasq?

2015-05-17 Thread Santiago Ruano Rincón
> On 16/05/15 11:26, Santiago Ruano Rincón wrote: > > Hi Simon, > > > > On Fri, May 15, 2015 at 04:24:30PM +0200, Santiago Ruano Rincón > > wrote: ... > >> I'm attaching the clean patch to fix CVE-2015-3294. > > > > These other CVEs are relat

dnsmasq packages to test [was: squeeze update of dnsmasq?]

2015-05-17 Thread Santiago Ruano Rincón
cause +DoS via malformed DNS requests. + + -- Santiago Ruano Rincón Sun, 17 May 2015 10:19:25 +0200 + dnsmasq (2.55-2) unstable; urgency=high * Fix crash on double free. (closes: #597205) only in patch2: unchanged: --- dnsmasq-2.55.orig/src/rfc1035.c +++ dnsmasq-2.55/src/rfc1035.c @@ -

tomcat6 squeeze-lts packages available for test, CVE-2014-7810

2015-05-23 Thread Santiago Ruano Rincón
. + + -- Santiago Ruano Rincón Fri, 22 May 2015 15:44:39 +0200 + tomcat6 (6.0.41-2+squeeze6) squeeze-lts; urgency=medium * Security upload by the Debian LTS team. diff -Nru tomcat6-6.0.41/debian/patches/CVE-2014-0227.patch tomcat6-6.0.41/debian/patches/CVE-2014-0227.patch --- tomcat6-6.0.41/debian/patches

Re: squeeze update of fuse?

2015-05-26 Thread Santiago Ruano Rincón
Hi Laszlo, Please find the attached dpatch to prevent CVE-2015-3202 in squeeze. It makes lib/mount_util.c use execle instead of execl to run external helpers. Please, let me know if you want me to upload a patched package, or if you want to do it by yourself. Cheers, Santiago #! /bin/sh /usr/sh

tomcat6: CVE-2014-7810: Security Manager bypass by expression language

2015-05-27 Thread Santiago Ruano Rincón
Source: tomcat6 Version: 6.0.41-2+squeeze6 Severity: normal Tags: security patch upstream fixed-upstream Dear Debian Java maintainers, The Tomcat security team has identified a security issue [cve] that allows malicious web applications to bypass the Security Manager, by the use of expression lan

zendframework package to test

2015-05-29 Thread Santiago Ruano Rincón
Hi, I've backported most of wheezy patches of zendframework, and uploaded the package to my personal repository: deb https://people.debian.org/~santiago/debian santiago-squeeze-lts/ Tests and comments are welcome! Cheers, Santiago

Re: squeeze update of fuse?

2015-06-01 Thread Santiago Ruano Rincón
On 30/05/15 at 14:37, Mike Gabriel wrote: ... > @Santiago: please put your name in data/dla-needed.txt when starting to work > on an LTS package update. I put my name in for fuse yesterday and realized > just now, that you already started working on fuse for squeeze-lts (which is > great!!!)

My Squeeze LTS activities in May 2015

2015-06-02 Thread Santiago Ruano Rincón
Hi there, Last May, I was assigned with my first paid hours to work on Squeeze LTS, thanks to the Freexian initiative. It has been an interesting and enjoyable experience. This is how I have spent my 10.25 hours: * dnsmasq: I've uploaded the 2.55-2+deb6u1 version [DLA 225-1] to fix the CVE-2015

Re: squeeze update of fuse?

2015-06-02 Thread Santiago Ruano Rincón
El 01/06/15 a las 20:12, Mike Gabriel escribió: > Hi Laszlo, > > - Original message - > > On Mon, Jun 1, 2015 at 3:36 PM, Mike Gabriel > > wrote: > > > On  Mo 01 Jun 2015 11:44:27 CEST, László Böszörményi (GCS) wrote: > > > > I consider this my fault - I had the assumption that Thorsten

[sqlite3] About backporting DSA-3252-1 fixes to wheezy and squeeze

2015-06-07 Thread Santiago Ruano Rincón
Hi, sqlite3's DSA-3252-1 concerns three CVEs: CVE-2015-3414, CVE-2015-3415 and CVE-2015-3416. I've taken a look at how they impact wheezy and squeeze, and as far as I can see, backporting CVE-2015-3414 and CVE-2015-3415 is not so trivial and I'm not sure if they affect the old stable releases. How

Re: Regression in zendframework

2015-06-22 Thread Santiago Ruano Rincón
El 22/06/15 a las 18:14, Евгений Смолин escribió: > Hi. > > It seems that Zend Http Client is broken after security update from > zendframework-1.10.6-1squeeze2 to zendframework-1.10.6-1squeeze3 > Hi, Thanks for your report and patch. I'll upload a new version of zendframework. Best regards,

Ruby 1.9.1 Squeeze package for test

2015-06-24 Thread Santiago Ruano Rincón
rtain internal objects. + + -- Santiago Ruano Rincón Tue, 23 Jun 2015 22:47:39 +0200 + ruby1.9.1 (1.9.2.0-2+deb6u4) squeeze-lts; urgency=high * Non-maintainer upload by the Squeeze LTS Team. diff -Nru ruby1.9.1-1.9.2.0/debian/patches/CVE-2012-5371.patch ruby1.9.1-1.9.2.0/debian/patches/CVE

t1utils package to test

2015-06-25 Thread Santiago Ruano Rincón
n the set_cs_start function in +t1disasm.c allowed remote attackers to cause a denial of service (crash) +and possibly execute arbitrary code via a crafted font file. + + -- Santiago Ruano Rincón Fri, 26 Jun 2015 06:46:34 +0200 + t1utils (1.36-1) unstable; urgency=low * New upstream re

Re: cacti 0.8.7g-1+squeeze6

2015-06-25 Thread Santiago Ruano Rincón
El 25/06/15 a las 22:50, Paul Gevers escribió: > Hi all, > > I intend to upload cacti 0.8.7g-1+squeeze6 soon (tomorrow, hopefully). > However, due to differences in the mysql version I am not able to test > the changes easily myself. I will try to upload the package to some > location for testing

squeeze update of t1utils?

2015-06-27 Thread Santiago Ruano Rincón
package is ready and I will upload it, unless you want to take care of it. If you do, please follow the workflow we have defined here: http://wiki.debian.org/LTS/Development Please, tell me if you want to upload it by yourself. Thank you very much. Santiago Ruano Rincón, on behalf of the Debian

Re: Ruby 1.9.1 Squeeze package for test

2015-06-28 Thread Santiago Ruano Rincón
El 26/06/15 a las 12:03, Guido Günther escribió: > Hi Santiago, Hi Guido, Thanks for reviewing! > On Wed, Jun 24, 2015 at 10:16:08PM +0200, Santiago Ruano Rincón wrote: > > Hi there, > > > > I've prepared a ruby 1.9.1 package to fix the two open CVEs > >

Re: squeeze update of libmodule-signature-perl?

2015-06-30 Thread Santiago Ruano Rincón
El 15/05/15 a las 20:23, Salvatore Bonaccorso escribió: > Hi, > > On Fri, Apr 24, 2015 at 06:36:28AM +0200, Salvatore Bonaccorso wrote: > > Hi Raphael, > > > > On Mon, Apr 20, 2015 at 03:54:51PM +0200, Raphael Hertzog wrote: > > > Hello dear maintainer(s), > > > > > > the Debian LTS team would l

My Squeeze LTS activities in June 2015

2015-07-03 Thread Santiago Ruano Rincón
Hi, Last June was my second paid month working on Squeeze LTS. This is how I spent my 14.75 hours: * zendframework: I fixed two remaining CVEs from last month: CVE-2012-6531 and CVE-2012-6532 and I sent [DLA 251-1](https://lists.debian.org/debian-lts-announce/2015/06/msg00017.html). Unfort
