[SECURITY] [DSA 4664-1] mailman security update

2020-04-26 Thread Thijs Kinkhorst
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-4664-1 secur...@debian.org https://www.debian.org/security/ Thijs Kinkhorst April 26, 2020

[SECURITY] [DSA 4414-1] libapache2-mod-auth-mellon security update

2019-03-23 Thread Thijs Kinkhorst
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-4414-1 secur...@debian.org https://www.debian.org/security/ Thijs Kinkhorst March 23, 2019

[SECURITY] [DSA 4127-1] simplesamlphp security update

2018-03-01 Thread Thijs Kinkhorst
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-4127-1 secur...@debian.org https://www.debian.org/security/ Thijs Kinkhorst March 02, 2018

[SECURITY] [DSA 4108-1] mailman security update

2018-02-09 Thread Thijs Kinkhorst
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-4108-1 secur...@debian.org https://www.debian.org/security/ Thijs Kinkhorst February 09, 2018

Re: embedding openssl source in sslcan

2017-01-02 Thread Thijs Kinkhorst
On Fri, December 23, 2016 18:53, Moritz Mühlenhoff wrote: > Sebastian Andrzej Siewior wrote: > > Please use t...@security.debian.org if you want to reach the security > team, not debian-security@ldo. > >> tl;dr: Has anyone a problem if sslscan embeds openssl 1.0.2 in

RE: [SECURITY] [DSA 3386-2] unzip regression update

2015-11-09 Thread Thijs Kinkhorst
Hi David, On Mon, November 9, 2015 23:25, David McDonald wrote: > Hi Salvatore, > > Your e-mail below states: > > "For the stable distribution (jessie), this problem has been fixed in > version 6.0-16+deb8u2" (Nota bene the last digit) > > However,

Re: [SECURITY] [DSA 3328-1] wordpress security update

2015-08-04 Thread Thijs Kinkhorst
anyone confirm this? Confirmed, sorry for that. We will release an updated package a.s.a.p. Regards, Thijs Kinkhorst Debian Security Team -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive

Re: Missing tiff3 patch in security repo

2015-02-19 Thread Thijs Kinkhorst
On Wed, February 18, 2015 18:50, John Goerzen wrote: On 02/18/2015 08:53 AM, Thijs Kinkhorst wrote: Hi John, On Wed, February 18, 2015 14:51, John Goerzen wrote: CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page... http://security-tracker.debian.org/tracker/CVE-2013-1961

Re: Should we be alarmed at our state of security support?

2015-02-19 Thread Thijs Kinkhorst
On Thu, February 19, 2015 14:29, John Goerzen wrote: But how else is someone going to learn that when security-tracker says vulnerable, in hundreds of instances, that may be wrong, other than by asking? I didn't find this documented anywhere. I think where your misunderstanding originates is

Re: Should we be alarmed at our state of security support?

2015-02-18 Thread Thijs Kinkhorst
Hi John, On Wed, February 18, 2015 15:11, John Goerzen wrote: Hi folks, So I recently downloaded and installed debsecan on several of my machines. These are all fully up-to-date machines, running either wheezy or jessie. For now I'll just focus on wheezy since it's where our security

Re: Missing tiff3 patch in security repo

2015-02-18 Thread Thijs Kinkhorst
Hi John, On Wed, February 18, 2015 14:51, John Goerzen wrote: CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page... http://security-tracker.debian.org/tracker/CVE-2013-1961 - libtiff4 (remotely exploitable, high urgency) The reason is explained when you follow this link

Re: Should we be alarmed at our state of security support?

2015-02-18 Thread Thijs Kinkhorst
On Wed, February 18, 2015 15:44, Thijs Kinkhorst wrote: you can e.g. see a motivation for why libtiff4 is not that urgent to fix, similar for php5 and the useful note that clamav will be fixed through Where I said php5 I meant python2.6 (all these interpreters are the same to me...) Cheers

http.d.n. broken (was: Re: https://wiki.debian.org/LTS/Using = broken?)

2015-02-05 Thread Thijs Kinkhorst
Hi, On Thu, February 5, 2015 13:57, Ml Ml wrote: Looks good! Who can report this? :) I've CC'ed this message to Raphael, the maintainer of http.debian.net. Cheers, Thijs On Thu, Feb 5, 2015 at 1:51 PM, Michael Stone mst...@debian.org wrote: On Thu, Feb 05, 2015 at 01:34:36PM +0100, Ml Ml

Re: https://wiki.debian.org/LTS/Using = broken?

2015-02-05 Thread Thijs Kinkhorst
On Thu, February 5, 2015 15:40, Raphael Geissert wrote: Jens, you wrote the original wiki page, is there a reason it specifies http.debian.net rather than a debian.org resource? Mike Stone There's httpredir.debian.org if you wish, same codebase. Maybe a d-d-a post suggesting that people use

Re: Issues during Debian Wheezy upgrade libc6:amd64

2015-01-28 Thread Thijs Kinkhorst
Hi Stephane, I tried to upgrade my Debian Wheezy amd64 arch. I encountered this issue : dpkg: error processing libc6: amd64 (--configure): the libc6 package: amd64 2.13-38 + deb7u7 can not be configured because the version of libc6: i386 is different (2.13-38 + deb7u6) Errors were

Re: SSL 3.0 and older ciphers selected in applications

2014-12-08 Thread Thijs Kinkhorst
Hi Daniel, On Mon, December 8, 2014 09:16, Daniel Pocock wrote: I've made some changes to TLS code in reSIProcate - setting OpenSSL's SSL_OP_NO_SSLv3 by default when using SSLv23_method() - adding configuration options to override the options to SSL_CTX_set_options (as it is possible there

Re: No announce for file update ?

2014-11-12 Thread Thijs Kinkhorst
On Wed, November 12, 2014 10:23, Sébastien NOBILI wrote: Hi, I received an upgrade notification from apticron about file packages (file libmagic1) for Wheezy. It seems no announce has been sent about this upgrade (http://www.debian.org/security/). Is it safe to upgrade ? Yes. The

Re: Patch / update for znc to disable weak ciphers and SSLv2/SSLv3 protocols

2014-10-27 Thread Thijs Kinkhorst
Hi Chris, On Mon, October 27, 2014 07:48, Chris wrote: the ZNC IRC Bouncer (https://packages.debian.org/wheezy/znc) finally allows to choose own ciphers and to disable SSLv2/SSLv3 protocols with this pull requests: https://github.com/znc/znc/pull/716 https://github.com/znc/znc/pull/717

Re: [SECURITY] [DSA 3053-1] openssl security update

2014-10-22 Thread Thijs Kinkhorst
On Wed, October 22, 2014 17:17, Jason Fergus wrote: Now that the jessie release is well underway, is it possible either to request unblocks for security uploads or to begin to support a jessie/testing suite in security.debian.org? Technically nothing is blocked yet (except udebs), but yes

FAQ about the bash Shellshock issue

2014-09-27 Thread Thijs Kinkhorst
All, Our colleagues at Red Hat have published a list of frequently asked questions regarding the bash ('shellshock') flaws: https://securityblog.redhat.com/2014/09/26/frequently-asked-questions-about- the-shellshock-bash-flaws/ Basically, all answers that are given there apply to Debian just as

Re: please fix CVE-2014-6271 (bash) for debian6.0

2014-09-26 Thread Thijs Kinkhorst
through the Squeeze LTS repository. This page has more information for you: https://wiki.debian.org/LTS/Using Kind regards, Thijs Kinkhorst Debian Security Team

Re: Bash still vulnerable (4.2+dfsg-0.1+deb7u1)

2014-09-25 Thread Thijs Kinkhorst
Hi Denny, On Thu, September 25, 2014 19:35, Denny Bortfeldt wrote: Is it possible to fix also the 2nd part so that bash is really not vulnerable at all? I saw that Gentoo patched the bash also twice. It's indeed known that the bash fixes are incomplete. I would like to stress that the current
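A quick self-test for the two issues this thread is about, as an added example (not code from the thread or from the Debian bash package): it runs the widely published probe commands for CVE-2014-6271 and for the incomplete-fix follow-up CVE-2014-7169 against a bash binary, inside a throwaway directory, and reports which of the two still triggers. It assumes a `bash` on PATH (or a path you pass in) and that the probe strings behave as documented on unpatched builds; nothing else is taken from the list.

```python
"""Probe a bash binary for the two original Shellshock issues.

Added example, not from the debian-security thread.  The probe strings are
the public test commands for CVE-2014-6271 and CVE-2014-7169; everything is
run in a temporary directory because the 7169 probe creates a file on a
vulnerable interpreter.
"""
import os
import shutil
import subprocess
import tempfile
from typing import Dict, Optional


def _run(bash: str, env_value: str, command: str, cwd: str) -> subprocess.CompletedProcess:
    """Run `bash -c command` with an environment variable x set to env_value."""
    env = dict(os.environ, x=env_value)
    return subprocess.run([bash, "-c", command], cwd=cwd, env=env,
                          capture_output=True, text=True, timeout=10)


def check_cve_2014_6271(bash: str, cwd: str) -> bool:
    """True if bash executes the command trailing an exported function body."""
    # Vulnerable bash imports x as a function and runs the "echo vulnerable"
    # that follows the closing brace; a fixed bash just prints "test".
    cp = _run(bash, "() { :;}; echo vulnerable", "echo test", cwd)
    return "vulnerable" in cp.stdout


def check_cve_2014_7169(bash: str, cwd: str) -> bool:
    """True if the parser-state leak of the incomplete first fix is present."""
    # On a vulnerable bash the dangling ">\" redirection from the function
    # body carries over into the -c command, so "echo date" becomes
    # "date > echo" and a file named "echo" appears in cwd.
    _run(bash, "() { (a)=>\\", "echo date", cwd)
    return os.path.exists(os.path.join(cwd, "echo"))


def shellshock_status(bash: Optional[str] = None) -> Optional[Dict[str, bool]]:
    """Return {cve: vulnerable?} for the given bash, or None if no bash is found."""
    bash = bash or shutil.which("bash")
    if bash is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        return {
            "CVE-2014-6271": check_cve_2014_6271(bash, tmp),
            "CVE-2014-7169": check_cve_2014_7169(bash, tmp),
        }


if __name__ == "__main__":
    status = shellshock_status()
    if status is None:
        print("no bash binary found")
    else:
        for cve, vulnerable in status.items():
            print(f"{cve}: {'VULNERABLE' if vulnerable else 'not vulnerable'}")
```

Point it at the interpreter you actually ship (`shellshock_status("/bin/bash")`) rather than whatever is first on PATH, and run it after each bash update: the thread's point is that the first fix closed only the 6271 half.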

Re: bash 4.2 for squeeze

2014-09-24 Thread Thijs Kinkhorst
Hi, On Wed, September 24, 2014 21:43, Darko Gavrilovic wrote: Hi, is there a bash upgrade for squeeze to address below cve? https://www.debian.org/security/2014/dsa-3032 Updates to squeeze-lts are announced on the debian-lts-announce list. There you will find that this bug has indeed been

Bug#761963: security-tracker: consolidate vulnerable/fixed per release in overviews

2014-09-17 Thread Thijs Kinkhorst
Package: security-tracker Severity: wishlist Hi, In the overview per-package, the tracker currently shows for each CVE name about seven columns: squeeze, squeeze-security, squeeze-lts, wheezy, wheezy-security, jessie, sid. I think for the overviews it would be preferable if the table just

Re: Bug#761730: tracker.d.o: please provide links to https://security-tracker.debian.org/tracker/source-package/$PKG

2014-09-16 Thread Thijs Kinkhorst
On Tue, September 16, 2014 09:10, Paul Wise wrote: Could we get a new URL that also has information about unimportant and resolved issues and DSAs? I would suggest a format like what lintian uses: Not sure what you'd use that additional info for, but I would heartily disrecommend to display

Re: Switching the tracker to git

2014-09-15 Thread Thijs Kinkhorst
On Mon, September 15, 2014 07:33, Henri Salo wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sun, Sep 14, 2014 at 07:06:46PM -0400, micah wrote: My guess is that the only reason that subversion is still used is inertia and that people would be happier with git. However, I'm curious

Bug#611163: nice css: let there be patches...

2014-09-15 Thread Thijs Kinkhorst
On Mon, September 15, 2014 01:36, Holger Levsen wrote: Hi, See attached or branch html5+external_css from ssh://git.debian.org/git/collab-maint/secure-testing.git These patches turn the html into html5 and introduce a modern, slick css style inspired from tracker.d.o - enjoy! :)

Re: small misc fixes

2014-09-12 Thread Thijs Kinkhorst
On Fri, September 12, 2014 15:14, Holger Levsen wrote: Hi, On Freitag, 12. September 2014, Holger Levsen wrote: attached are three small no brainer fixes I'd like to apply, please confirm thanks to Thijs, this diff even got smaller and better, see attached. I've verified that the code

Re: Checking for services to be restarted on a default Debian installation

2014-09-03 Thread Thijs Kinkhorst
On Wed, September 3, 2014 15:05, Michael Stone wrote: On Tue, Sep 02, 2014 at 01:41:05PM -0700, Jameson Graef Rollins wrote: This package is Priority: optional, and therefore not installed by default. What about just making it important or required? On my system it pulled in more than 20MB of

Checking for services to be restarted on a default Debian installation

2014-09-01 Thread Thijs Kinkhorst
Hi all, When using APT to install security updates, by default services using the upgraded libraries are not restarted. Take for example openssl updates: merely doing apt-get update apt-get upgrade is not enough to be safe: you also need to restart Apache, Postfix, ... Although well-trained
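One way to find the processes the message above is worried about, as an added example (not the thread's own code and not debian-goodies' checkrestart, although it relies on the same signal): after dpkg replaces a shared library, any process that still maps the old inode shows the path with a " (deleted)" suffix in /proc/<pid>/maps. The maps-line layout used by the regex and the ignore list for tmpfs, shm and memfd mappings are assumptions of this example; the sample maps excerpt is constructed.

```python
"""Report running processes that still map a replaced shared library.

Added example for the debian-security thread on restarting services after
library updates; not code from Debian or from checkrestart.  Only the
"(deleted)" marker that the kernel appends in /proc/<pid>/maps is used.
"""
import os
import re
from typing import Dict, Set, Tuple

# address range, perms, offset, dev, inode, optional path (assumed layout)
MAPS_LINE = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s+\S{4}\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$")

# Mappings that are routinely "deleted" without any package having changed.
IGNORE_PREFIXES = ("/dev/", "/SYSV", "/memfd:", "/run/", "/tmp/", "/var/tmp/")


def deleted_mappings(maps_text: str) -> Set[str]:
    """Paths of on-disk files mapped from a deleted inode, from one maps file."""
    found: Set[str] = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group(1).strip()
        if not path.endswith(" (deleted)"):
            continue
        path = path[: -len(" (deleted)")]
        if not path.startswith("/") or path.startswith(IGNORE_PREFIXES):
            continue
        found.add(path)
    return found


def scan_processes(proc_root: str = "/proc") -> Dict[int, Tuple[str, Set[str]]]:
    """Map pid -> (comm, stale libraries) for every process holding a stale mapping."""
    report: Dict[int, Tuple[str, Set[str]]] = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "maps")) as f:
                maps = f.read()
            with open(os.path.join(proc_root, name, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited, or not ours to inspect without root
        stale = deleted_mappings(maps)
        if stale:
            report[int(name)] = (comm, stale)
    return report


# Constructed excerpt of /proc/<pid>/maps for an Apache worker after an
# openssl upgrade: libssl is still mapped from the unlinked inode.
SAMPLE_MAPS = """\
5633c2a00000-5633c2a5c000 r-xp 00000000 fd:01 1315 /usr/sbin/apache2
7f0b6a1c3000-7f0b6a3c1000 r-xp 00000000 fd:01 2201 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f0b6a3c1000-7f0b6a5c1000 ---p 001fe000 fd:01 2201 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f0b6a8e0000-7f0b6a8e1000 rw-p 00000000 00:00 0 
7f0b6ac00000-7f0b6ac04000 rw-s 00000000 00:05 8 /dev/zero (deleted)
7f0b6b000000-7f0b6b021000 r-xp 00000000 fd:01 9921 /lib/x86_64-linux-gnu/ld-2.13.so
"""

if __name__ == "__main__":
    for pid, (comm, libs) in sorted(scan_processes().items()):
        print(f"{pid} {comm}: {' '.join(sorted(libs))}")
```

Run it as root after `apt-get upgrade`; each reported process either needs a restart or, for a daemon that re-execs workers, a reload that actually replaces the parent.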

Re: Debian - A list of correctin packets

2014-04-16 Thread Thijs Kinkhorst
Hi Mathieu. On Wed, April 16, 2014 18:59, vielg...@gmail.com wrote: Is there a way to get the list of the correcting packets for each CVE in Debian ? Yes, if you go to https://security-tracker.debian.org/tracker/ and search for a CVE name in the text field, you will get a list of the packages

Re: Debian - A list of correctin packets

2014-04-16 Thread Thijs Kinkhorst
Hi Mathieu, On Wed, April 16, 2014 19:58, vielg...@gmail.com wrote: Hi Thijs, Yes, thanks, but is there a list .txt or .gz which sum up everything ? The source data is plain text: http://anonscm.debian.org/viewvc/secure-testing/data/CVE/ What may also be of use is the source data for the

Bug#739815: RFA: signing-party -- Various OpenPGP related tools

2014-02-22 Thread Thijs Kinkhorst
Package: wnpp Severity: normal We request an adopter for the signing-party package. There's currently a number of co-maintainers but the majority of them have indicated to have no time to contribute a lot to the package. The package is an interesting collection of tools and in the BTS there's a

Re: apt can't reach security.debian.org

2013-09-06 Thread Thijs Kinkhorst
On Thu, September 5, 2013 23:17, Luke L wrote: as root, I issue: apt-get update I get errors such as: Err http://security.debian.org squeeze/updates/main amd64 Packages 503 Forwarding failure This error is most probably generated by some intermediate proxy between your system and

Re: [SECURITY] [DSA 2725-1] tomcat6 security update

2013-07-19 Thread Thijs Kinkhorst
On Thu, July 18, 2013 19:58, Moritz Muehlenhoff wrote: Debian Security Advisory DSA-2725-1 secur...@debian.org Package: tomcat6 For the oldstable distribution (squeeze), these problems have been fixed in version 6.0.35-1+squeeze3. Due to an error the update for

Re: PHP5 in Wheezy vulnerable to CVE-2013-2110?

2013-06-20 Thread Thijs Kinkhorst
On Thu, June 20, 2013 09:08, jaros...@thinline.cz wrote: Can someone please confirm that the Wheezy package is really not vulnerable? I tried to use the test code from PHP (attached below) on multiple PHP versions, but it doesn't cause segfaults (as it's supposed to) on any of those I tried

Re: security-tracker now on https?

2013-05-17 Thread Thijs Kinkhorst
Hi dsa, On Thu, April 4, 2013 11:10, Thijs Kinkhorst wrote: Hi admins, It was noted that the security tracker now blanket redirects to https://security-tracker.debian.org. This is fine of course for us DD's, but it presents a problem for externals using it. The tracker is often used by e.g

Re: php5: CVE-2011-1092 and CVE-2011-1148

2013-02-27 Thread Thijs Kinkhorst
On Wed, February 27, 2013 04:43, Steven Chamberlain wrote: Dear Security Team, In the tracker, CVE-2011-1092 and CVE-2011-1148 in PHP before 5.3.6 are correctly shown as fixed in 5.3.3-7+squeeze14. But 5.4.4-13 is still suggested as being vulnerable. The upstream changelog for 5.4.4

Re: [SECURITY] [DSA 2605-1] asterisk security update

2013-01-15 Thread Thijs Kinkhorst
On Mon, January 14, 2013 17:53, Carlos Alberto Lopez Perez wrote: Seems that the upgrade is causing some serious issues (segfaults) on stable: http://bugs.debian.org/698118 http://bugs.debian.org/698112 The maintainer has made updated packages available for test in response to this problem.

Re: Zero Day MySQL Buffer Overflow

2012-12-04 Thread Thijs Kinkhorst
Hi Daniel, On Tue, December 4, 2012 18:33, daniel curtis wrote: Thank You, I should look there first (Security Tracker). But I see, that two of three CVE's are marked as 'vulnerable' for all branches; stable, testing and unstable. Frankly, only first CVE is Fixed for Squeeze. It is normal?

Re: [SECURITY] [DSA 2670-1] wordpress security update

2012-11-07 Thread Thijs Kinkhorst
On Wed, November 7, 2012 09:33, Raphael Hertzog wrote: Are there any plans to further upgrade squeeze in this manner? I leave this to Yves-Alexis... It would be nice to formalize this approach with the security team. I think we should do this only when it has been shown that applying the

Re: DSA for apache2 2.2.16-6+squeeze8

2012-09-18 Thread Thijs Kinkhorst
Hi Adrian, On Tue, September 18, 2012 10:58, Adrian Minta wrote: is there a DSA for apache2 2.2.16-6+squeeze8 ? No, there is not. apache2 2.2.16-6+squeeze8 is in squeeze-proposed-updates, a preparation area for packages that will be part of the next Squeeze point update (6.0.6). It is not

Re: Use of DSA number for general announcements (was: [DSA 2548-1] Debian Security Team PGP/GPG key change notice)

2012-09-13 Thread Thijs Kinkhorst
Hi David, On Fri, September 14, 2012 03:28, David Prevot wrote: This is a notice to inform you, that our previous PGP/GPG key expired. Thanks for notifying us on debian-security-announce@l.d.o, but I disagree that such an announcement deserves a DSA number. DSA-2360 was also a misuse of a

Re: sun-java6-plugin outdated and vulnerable to an actively exploited security issue

2012-08-16 Thread Thijs Kinkhorst
Hi Adam, On Thu, August 16, 2012 07:56, echo083 wrote: The sun-java6 in the stable branch is the version 1.6.0_26 is there a plan for any security upgrade ? I'm afraid that's not possible. Oracle has changed licensing such that it's no longer allowed for Debian to distribute newer versions.

Re: How to manage CVE

2012-08-06 Thread Thijs Kinkhorst
Hi Olivier, On Mon, August 6, 2012 10:20, Olivier Sallou wrote: a CVE has been created for the bug id below in logol package. In the meanwhile the issue has been fixed and uploaded. Can anyone tell me how to manage CVEs? CVE id is in the bug report, but should I do something else to

Re: Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies

2012-07-02 Thread Thijs Kinkhorst
On Mon, July 2, 2012 13:38, Silvio Cesare wrote: On Mon, Jul 2, 2012 at 8:27 PM, Bernd Zeimetz be...@bzed.de wrote: The ia32-libs stuff are all false positives (assuming the package was updated after the security fixes came out, I'm not 100% sure about that :) And the openssl source is

Re: Please help with discrepancies in CVE-2011-3578

2012-06-16 Thread Thijs Kinkhorst
On Sat, June 16, 2012 00:40, s...@powered-by-linux.com wrote: Hi Team, I had prepared a new security-stable version for mantis package to fix some new CVE's, and I found out that CVE-2011-3578 [1], patched on mantis 1.1.8+dfsg-10squeeze1, from 2011, was not yet updated in the security

Re: [SECURITY] [DSA 2482-1] arpwatch security update

2012-06-02 Thread Thijs Kinkhorst
On Sat, June 2, 2012 15:03, Vincent Blut wrote: Wrong subject: s/arpwatch/libgdata/ Yes, sorry for the confusion, a corrected version has already been sent. Thijs

Re: linux-image-2.6

2012-05-10 Thread Thijs Kinkhorst
Hi, On Thu, May 10, 2012 09:45, Benjamin Vetter wrote: my apt wants to update linux-image-2.6 ? (amd64) the last-modified stamp of the .deb on the mirrors is 06-May, so quite a few days have already passed http://ftp.de.debian.org/debian/pool/main/l/linux-2.6/ I don't see any advisory and

Re: Re: linux-image-2.6

2012-05-10 Thread Thijs Kinkhorst
On Thu, May 10, 2012 12:39, Mark Rushing wrote: This mistake made it onto a few machines here before I noticed and came to check... it's an okay update to have installed, in the meantime though, yes? I mean, it's not some untested work-in-progress that slipped in... that I should revert

Re: [Pkg-ia32-libs-maintainers] A security bug in Debian Squeeze libtiff (+ non-updated ia32-libs??)

2012-04-07 Thread Thijs Kinkhorst
Hi, On Sat, April 7, 2012 06:24, Mikulas Patocka wrote: There is a security bug in Debian Squeeze libtiff 3.9.4-5+sq. Thanks for reporting. Just to clarify, which package version is this exactly? There seems to be something missing from the version number you quote. BTW. how does Debian

Re: [SECURITY] [DSA 2422-1] file security update

2012-03-03 Thread Thijs Kinkhorst
On Sat, March 3, 2012 02:52, Chris Frey wrote: I've done the latest update, but apt-cache show file still shows version 5.04-5 available, instead of 5.04-5+squeeze1. You are probably using one of the following archs: armel i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips Unfortunately these builds

Re: [DSA 2422-1] file security update

2012-03-01 Thread Thijs Kinkhorst
On Thu, March 1, 2012 08:43, Pascal Hambourg wrote: For the stable distribution (squeeze), this problem has been fixed in version 5.04-5+squeeze1. This update is not available for some architectures yet. Is this normal ? It's not intended but caused by a limitation of the archive software

GnuPG 1.4.12 now in experimental; please test

2012-02-23 Thread Thijs Kinkhorst
Hi, The new upstream release of GnuPG, 1.4.12, is now packaged in experimental. Some other changes were made as well, for example for the hardening build flags and multiarch release goals. If you're interested, please don't hesitate to try it out in your environment. The basic plan is to upload

Re: [SECURITY] [DSA 2403-1] php5 security update

2012-02-06 Thread Thijs Kinkhorst
On Mon, February 6, 2012 03:24, Carlos Alberto Lopez Perez wrote: On 05/02/12 22:52, Luk Claes wrote: On 02/05/2012 05:23 PM, Carlos Alberto Lopez Perez wrote: On 04/02/12 01:12, Luk Claes wrote: On 02/03/2012 10:35 PM, Mario Antonio wrote: Do you think that there will be a fix for Lenny even

RE: need help with openssh attack

2011-12-29 Thread Thijs Kinkhorst
On Thu, December 29, 2011 16:37, Nicolas Carusso wrote: How about creating a Referense list with all the suggestions that we are doing? If all of you agree, Let's start now. SECURITY LIST ** There's already the Securing Debian HOWTO:

Re: Bug#648595: broken links under www.d.o/security/audit/

2011-11-19 Thread Thijs Kinkhorst
Hi Paul, On Sunday 13 November 2011 09:59:19 Paul Wise wrote: Package: www.debian.org Severity: normal X-Debbugs-CC: debian-security@lists.debian.org These two links are referenced by the Debian security audit pages but the domain has been taken by squatters. Could someone from the

Re: Bug#645881: critical update 29 available

2011-10-19 Thread Thijs Kinkhorst
On Wed, October 19, 2011 12:50, Sylvestre Ledru wrote: CC debian release security On Wednesday 19 October 2011 at 12:21 +0200, Thijs Kinkhorst wrote: Upstream has released Java SE 6 update 29 yesterday: http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

Re: Bug#645881: critical update 29 available

2011-10-19 Thread Thijs Kinkhorst
On Wed, October 19, 2011 14:15, Matthias Klose wrote: On 10/19/2011 02:09 PM, Thijs Kinkhorst wrote: Have we been in contact with Oracle upstream and explained that we are eager to comply with their wish to move entirely to openjdk for our next release, but have the problem that we have

Re: [SECURITY] [DSA 2318-1] cyrus-imapd-2.2 security update

2011-10-10 Thread Thijs Kinkhorst
Hi Vladislav, On Mon, October 10, 2011 12:04, Vladislav Kurz wrote: i wonder if there is something wrong with this DSA. I manage a lot of servers with cyrus, but the update is available only on one of them (squeeze, amd64), and not on the others (squeeze/lenny, i386). I do not use nntp, so I

Re: python-django

2011-09-13 Thread Thijs Kinkhorst
On Sun, September 11, 2011 22:28, Paul van der Vlis wrote: Hello, I see security issues in Django on the Django website, https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/ But I don't see anything in the Debian security tracker about it:

Re: Repository not in websvn anymore

2011-06-06 Thread Thijs Kinkhorst
Hi Enno, On Mon, June 6, 2011 14:14, Enno Gröper wrote: the link at [1] to http://svn.debian.org/wsvn/secure-testing/data/ doesn't work anymore. Last time I (my Newsreader) saw it working was May 20th. The repository itself seems to still be there. Is there any special reason for hiding the

Re: DSA-2252-1 vs. tracker

2011-06-03 Thread Thijs Kinkhorst
On Fri, June 3, 2011 22:05, Francesco Poli wrote: On Fri, 3 Jun 2011 20:01:05 +0200 Thijs Kinkhorst wrote: On Fri, June 3, 2011 00:04, Francesco Poli wrote: Hi, DSA-2252-1 [1] talks about dovecot, but the tracker [2] claims that the DSA is about mahara. Is there something wrong

Re: packages not listed on http://security-tracker.debian.org/tracker/status/release/stable

2011-05-17 Thread Thijs Kinkhorst
Hi dave, On Tue, May 17, 2011 14:56, dave b wrote: Hi it would seem that policykit-1 is not listed on http://security-tracker.debian.org/tracker/status/release/stable as a vulnerable source package (regarding CVE-2011-1485 ) ... ( although CVE-2011-1485 appears to have been fixed in debian

Re: [SECURITY] [DSA-2158-1] cgiirc security update

2011-02-23 Thread Thijs Kinkhorst
On Wednesday 23 February 2011 10:12:08 Philipp Kern wrote: Hi, On Wed, Feb 09, 2011 at 09:32:48PM +, Steve Kemp wrote: Michael Brooks (Sitewatch) discovered a reflective XSS flaw in cgiirc, a web based IRC client, which could lead to the execution of arbitrary javascript. For

Re: sun-java6 updates for {old,}stable?

2011-02-21 Thread Thijs Kinkhorst
Hi Dominic, On Monday 21 February 2011 14:11:45 Dominic Hargreaves wrote: Are there any plans to update the sun-java6 packages in lenny and squeeze for the recent floating point DoS issue? Yes: http://lists.debian.org/debian-release/2011/02/msg00240.html Thijs signature.asc Description:

Re: Squeeze release vs. tracker

2011-02-14 Thread Thijs Kinkhorst
On Monday 14 February 2011 19:07:41 Francesco Poli wrote: No, wait: it fails again with the same exact proxy error as yesterday! What's going on? I just restarted the tracker after updating the code to the most recent version and it seems to work again. Thijs

Re: Squeeze release vs. tracker

2011-02-09 Thread Thijs Kinkhorst
On Wed, February 9, 2011 19:50, Francesco Poli wrote: On the other hand, the security tracker seems to still think that lenny is stable [1] and squeeze is testing [2], while I have been unable to find any traces of wheezy... Is there something that should be done manually, in order to let the

Re: Squeeze release vs. tracker

2011-02-09 Thread Thijs Kinkhorst
On Thu, February 10, 2011 03:40, Michael Gilbert wrote: On Wed, 9 Feb 2011 22:12:21 +0100 Thijs Kinkhorst wrote: On Wed, February 9, 2011 19:50, Francesco Poli wrote: On the other hand, the security tracker seems to still think that lenny is stable [1] and squeeze is testing [2], while I

Re: Some obsolete packages on squeeze-security

2011-02-07 Thread Thijs Kinkhorst
Hi Dominic, On Mon, February 7, 2011 18:18, Dominic Hargreaves wrote: squeeze-security (i386 at least) has the following binary packages which are not in squeeze. They are therefore selected as candidates for install even though they represent an unmaintained branch of code. The i386 packages

Re: how to apply DSA-2157-1

2011-02-06 Thread Thijs Kinkhorst
On Sunday 06 February 2011 17:05:23 Michael Gilbert wrote: I am using postgres on squeeze. Reading DSA-2157-1 I can see that I must upgrade to 8.4.7-0squeeze1 but I can't find that package using http://www.debian.org/distrib/packages or apt. Unfortunately, the squeeze

Re: script to add DSA's to tracker disabled

2010-12-23 Thread Thijs Kinkhorst
On Wed, December 22, 2010 21:35, Francesco Poli wrote: I ran a script that automatically added released DSA's to data/DSA/list. As this script uses bin/dsa2list and that tool cannot cope with the changed advisory format, it doesn't make sense to keep committing half parsed advisories. I am

script to add DSA's to tracker disabled

2010-12-22 Thread Thijs Kinkhorst
Hi, I ran a script that automatically added released DSA's to data/DSA/list. As this script uses bin/dsa2list and that tool cannot cope with the changed advisory format, it doesn't make sense to keep committing half parsed advisories. Cheers, Thijs

Re: [SECURITY] [DSA 2038-3] New pidgin packages fix regression

2010-11-16 Thread Thijs Kinkhorst
On Monday 15 November 2010 13:59:01 Gerfried Fuchs wrote: Also, you just stated that he is not a part of the security team - that unfortunately doesn't get us anywhere though. Were his statements in that respect untrue? I would have expected at least a single message with respect to some kind

Re: CVE-2009-3555 not addressed in OpenSSL

2010-11-13 Thread Thijs Kinkhorst
Hi Kurt, On Thursday 11 November 2010 19:43:33 Kurt Roeckx wrote: So I've prepared a package based on the ubuntu patch. I also went over every commit between the 0.9.8l and 0.9.8m release and am reasonably confident this patch should work properly. The current package is available at:

Re: CVE-2009-3555 not addressed in OpenSSL

2010-11-13 Thread Thijs Kinkhorst
On Saturday 13 November 2010 18:21:45 Jordon Bedwell wrote: On Sat, 2010-11-13 at 18:14 +0100, Thijs Kinkhorst wrote: I have tested it in some different environments with different types of configurations and the packages work very fine for me. Just one question, did you test the patch

Re: Debian BTS report for CVE-2010-2941 (cups)

2010-11-13 Thread Thijs Kinkhorst
On Saturday 13 November 2010 11:14:16 Petter Reinholdtsen wrote: I just created URL: http://bugs.debian.org/603344 to track CVE-2010-2941 in BTS. You might want to add a reference to it from URL: http://security-tracker.debian.org/tracker/CVE-2010-2941 . Done, thanks. Thijs

Re: DSA-2107-1 vs. tracker

2010-09-09 Thread Thijs Kinkhorst
On Thursday 9 September 2010, Francesco Poli wrote: it looks like something is missing in the tracker data [1] for DSA-2107-1 [2] ! Completed, thanks! Thijs

security-tracker.debian.net no longer functional

2010-08-29 Thread Thijs Kinkhorst
Hi, Is there a reason that the DNS name security-tracker.debian.net has been removed? This seems problematic to me since there's still quite some links to that, most notably debsecan in stable. Unless there's a good reason I'd like to reinstate it. Cheers, Thijs

Re: squirrelmail package in lenny

2010-02-22 Thread Thijs Kinkhorst
Hi Benjamin, On Sun, February 21, 2010 17:19, Benjamin Vetter wrote: I'm wondering why the squirrelmail package has a php4 -or- php5 dependency http://packages.debian.org/en/lenny/squirrelmail I updated from etch to lenny long time ago, but I still had etch's php4 installed through this

Re: squirrelmail SA34627

2010-01-26 Thread Thijs Kinkhorst
On Mon, January 25, 2010 21:05, Florian Weimer wrote: * Adrian Minta: Hi, Does squirrelmail 1.4.15-4+lenny2 has fixes for SA34627 ? According to http://security-tracker.debian.org/tracker/CVE-2009-2964, it's still vulnerable. Indeed. Backporting the fix for this is not trivial since it's

Re: Getting new tracker service code to go live

2010-01-03 Thread Thijs Kinkhorst
On Sunday 3 January 2010, Michael Gilbert wrote: I've updated the sql logic to workaround a bug in lenny's aspw (and the code is actually now a bit cleaner...for sql anyway). Please push this new commit to the live tracker. Ulib/python/security_db.py Updated to revision 13701. --

Re: Getting new tracker service code to go live

2010-01-02 Thread Thijs Kinkhorst
On Saturday 2 January 2010, Michael Gilbert wrote: It appears that new commits to the tracker service do not automatically go live (based on the above syntax checker message received from sectrac...@soler.debian.org). Anyway, can someone with appropriate permissions update the repo there

Re: problem with security mirror?

2009-11-09 Thread Thijs Kinkhorst
On Sun, November 8, 2009 13:34, Yves-Alexis Perez wrote: Hey, apt-get update on my lenny box gives the following warning: W: GPG error: http://security.debian.org lenny/updates Release: The following signatures were invalid: BADSIG 9AA38DCD55BE302B Debian Archive Automatic Signing Key

Re: [Secure-testing-commits] r13252 - data

2009-11-09 Thread Thijs Kinkhorst
On Monday 9 November 2009, Jakub Wilk wrote: NOTE: embeds msgfmt.py script -   - mailman unfixed (embed) +   - mailman unfixed (embed; #555416) Although this is installed into the Debian package, it is never used and not installed into the path. What is the risk here? I can

GnuPG 1.4.10 RC1 available from Debian Experimental

2009-08-16 Thread Thijs Kinkhorst
Hi, The recent release candidate 1 for GnuPG 1.4.10 has been packaged and uploaded to Debian's experimental distribution, in order to facilitate testing. If you wish, please try it out and of course report bugs found. All cautions around release candidates and the experimental distribution of

Re: [SECURITY] [DSA 1807-1] New cyrus-sasl2/cyrus-sasl2-heimdal packages fix arbitrary code execution

2009-06-15 Thread Thijs Kinkhorst
On Mon, June 15, 2009 16:42, Dominic Hargreaves wrote: For the oldstable distribution (etch), this problem will be fixed soon. 2.1.22.dfsg1-8+etch1 has now appeared in the security archive which appears to fix this problem, but no subsequent advisory has been released. Is this an oversight?

Re: What is best practice for managing sources.list for security and stability?

2009-05-25 Thread Thijs Kinkhorst
Hi John, On Monday 25 May 2009, john wrote: The recent key-change forced me to use the main stable repos to get the new keys (e.g apt-get install debian-archive-keyring ) . and got me thinking... Is the approach I outlined the best way to maintain the security and stability of these

Re: [Secure-testing-commits] r11972 - data/CVE

2009-05-25 Thread Thijs Kinkhorst
On Sunday 24 May 2009, Joey Hess wrote:  CVE-2007-2004 (Multiple SQL injection vulnerabilities in InoutMailingListManager 3.1 ...) -   {DTSA-133-1} NOT-FOR-US: InoutMailingListManager Would it be possible for the tracker to error out on this when first encountering the

Re: debian-security-announce - Upgrade instructions

2009-05-21 Thread Thijs Kinkhorst
Hi, On Thursday 21 May 2009, FTF 3k3 wrote: The Upgrade instructions section of each email contains instructions for apt-get instead of aptitude which is Debian recommended package manager. In some documents, aptitude is indeed preferred over apt-get because of the dependency resolving

Re: DSA vs tracker: is CVE-2008-5814 fixed in unstable?

2009-05-11 Thread Thijs Kinkhorst
On Monday 11 May 2009, Michael S. Gilbert wrote: security team, should the DSA announcement be reissued to correct/clarify? That should not be necessary. The DSA mails pertain to the state of affairs in old/stable; we mention sid fixed versions as a courtesy but I don't see it necessary to

Re: [Secure-testing-commits] r11636 - data/CVE

2009-04-18 Thread Thijs Kinkhorst
On Friday 17 April 2009, Kees Cook wrote: For embargoed issues, this is supposed to happen already, by way of vendor-sec.  Who all from Debian is on that list, and what are the policies and procedures you have in place for contacting maintainers? The Security Team is on that list. We do contact

Re: [SECURITY] [DSA 1719-1] New gnutls13 packages fix certificate validation

2009-02-14 Thread Thijs Kinkhorst
On Saturday 14 February 2009, Florian Weimer wrote: Our servers use commercial certificates, with GTE CyberTrust Global Root as the root certificate. It apparently is a v1 x509 certificate... It uses 1024 bit RSA, it is more than ten years old, and GTE Cybertrust does not exist

Re: Freeze exceptions for iceape/iceweasel/xulrunner?

2009-01-11 Thread Thijs Kinkhorst
On Saturday 10 January 2009 17:50, Francesco Poli wrote: Otherwise, are there plans to do so? RC bugfixes are usually unblocked without the need for asking. Also, security bugfixes for ice* packages are allowed by habit. Nonetheless, iceape, iceweasel, and xulrunner are 20 days old

Re: No DSA-168[67]-1 on the tracker

2008-12-17 Thread Thijs Kinkhorst
On Wed, December 17, 2008 00:03, Francesco Poli wrote: It seems that there's no tracker page [1][2] for DSA-1686-1 [3] and DSA-1687-1 [4]. What's wrong? Something went wrong which brought the checkout the script uses to commit its update in, in a conflict state. I resolved that now, and

Re: No DSA-1665-1 on the tracker

2008-11-20 Thread Thijs Kinkhorst
On Thu, November 20, 2008 12:59, Gerfried Fuchs wrote: The script itself (bin/dsa2list) is able to work through it properly, so I suspect a mail problem, DSA-1666-1 got added automatically again? There is a chance that the mail got lost or filtered. Another possibility is that dsa2list failed

Re: Conflicting Information on CVE-2008-3699 Page

2008-10-23 Thread Thijs Kinkhorst
On Wed, October 22, 2008 23:59, Michael Gilbert wrote: The tracker page [1] for CVE-2008-3699 says Debian/stable not known to be vulnerable, yet in the next section it says that etch 1.4.4-4 vulnerable. These two statements contradict one another, and lead one clueless as to whether the issue

Re: [Secure-testing-commits] r9775 - data/CVE

2008-09-08 Thread Thijs Kinkhorst
On Mon, September 8, 2008 13:09, [EMAIL PROTECTED] wrote: Regression fixed in wordnet - - wordnet 1:3.0-12 (medium; bug #497441) + - wordnet 1:3.0-13 (medium; bug #497441) Since the regression doesn't have security implications, wouldn't it be more accurate to keep the fixed-version

Re: Bug#496851: yelp: does not correctly handle format strings for certain error messages

2008-08-27 Thread Thijs Kinkhorst
On Thursday 28 August 2008 03:51, Michael Gilbert wrote: what about getting a fix for this issue into stable?  it doesn't affect stable ok, can someone update the tracker [1] to reflect that this issue does not affect etch (yelp 2.14) and sarge (yelp 2.6)? I've updated the etch