-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
- -
Debian Security Advisory DSA-4664-1 secur...@debian.org
https://www.debian.org/security/ Thijs Kinkhorst
April 26, 2020
Debian Security Advisory DSA-4414-1 secur...@debian.org
https://www.debian.org/security/ Thijs Kinkhorst
March 23, 2019
Debian Security Advisory DSA-4127-1 secur...@debian.org
https://www.debian.org/security/ Thijs Kinkhorst
March 02, 2018
Debian Security Advisory DSA-4108-1 secur...@debian.org
https://www.debian.org/security/ Thijs Kinkhorst
February 09, 2018
On Fri, December 23, 2016 18:53, Moritz Mühlenhoff wrote:
> Sebastian Andrzej Siewior schrieb:
>
> Please use t...@security.debian.org if you want to reach the security
> team, not debian-security@ldo.
>
>> tl;dr: Has anyone a problem if sslscan embeds openssl 1.0.2 in
Hi David,
On Mon, November 9, 2015 23:25, David McDonald wrote:
> Hi Salvatore,
>
> Your e-mail below states:
>
> "For the stable distribution (jessie), this problem has been fixed in
> version 6.0-16+deb8u2" (Nota bene the last digit)
>
> However,
anyone confirm this?
Confirmed, sorry for that. We will release an updated package a.s.a.p.
Regards,
Thijs Kinkhorst
Debian Security Team
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
On Wed, February 18, 2015 18:50, John Goerzen wrote:
On 02/18/2015 08:53 AM, Thijs Kinkhorst wrote:
Hi John,
On Wed, February 18, 2015 14:51, John Goerzen wrote:
CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page...
http://security-tracker.debian.org/tracker/CVE-2013-1961
On Thu, February 19, 2015 14:29, John Goerzen wrote:
But how else is someone going to learn that when security-tracker says
vulnerable, in hundreds of instances, that may be wrong, other than by
asking? I didn't find this documented anywhere.
I think where your misunderstanding originates is
Hi John,
On Wed, February 18, 2015 15:11, John Goerzen wrote:
Hi folks,
So I recently downloaded and installed debsecan on several of my
machines. These are all fully up-to-date machines, running either
wheezy or jessie. For now I'll just focus on wheezy since it's where
our security
Hi John,
On Wed, February 18, 2015 14:51, John Goerzen wrote:
CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page...
http://security-tracker.debian.org/tracker/CVE-2013-1961
- libtiff4 (remotely exploitable, high urgency)
The reason is explained when you follow this link
On Wed, February 18, 2015 15:44, Thijs Kinkhorst wrote:
you can e.g. see a motivation for why libtiff4 is not that urgent to fix,
similar for php5 and the useful note that clamav will be fixed through
Where I said php5 I meant python2.6 (all these interpreters are the same
to me...)
Cheers
Hi,
On Thu, February 5, 2015 13:57, Ml Ml wrote:
Looks good!
Who can report this? :)
I've CC'ed this message to Raphael, the maintainer of http.debian.net.
Cheers,
Thijs
On Thu, Feb 5, 2015 at 1:51 PM, Michael Stone mst...@debian.org wrote:
On Thu, Feb 05, 2015 at 01:34:36PM +0100, Ml Ml
On Thu, February 5, 2015 15:40, Raphael Geissert wrote:
Jens, you wrote the original wiki page, is there a reason it specifies
http.debian.net rather than a debian.org resource?
Mike Stone
There's httpredir.debian.org if you wish, same codebase.
Maybe a d-d-a post suggesting that people use
Hi Stephane,
I tried to upgrade my Debian Wheezy amd64 arch.
I encountered this issue:
dpkg: error processing libc6: amd64 (--configure):
the libc6 package: amd64 2.13-38 + deb7u7 can not be configured because
the version of libc6: i386 is different (2.13-38 + deb7u6)
Errors were
Hi Daniel,
On Mon, December 8, 2014 09:16, Daniel Pocock wrote:
I've made some changes to TLS code in reSIProcate
- setting OpenSSL's SSL_OP_NO_SSLv3 by default when using SSLv23_method()
- adding configuration options to override the options to
SSL_CTX_set_options (as it is possible there
On Wed, November 12, 2014 10:23, Sébastien NOBILI wrote:
Hi,
I received an upgrade notification from apticron about file packages
(file
libmagic1) for Wheezy.
It seems no announce has been sent about this upgrade
(http://www.debian.org/security/).
Is it safe to upgrade?
Yes. The
Hi Chris,
On Mon, October 27, 2014 07:48, Chris wrote:
the ZNC IRC Bouncer (https://packages.debian.org/wheezy/znc) finally
allows to choose own ciphers and to disable SSLv2/SSLv3 protocols with
this pull requests:
https://github.com/znc/znc/pull/716
https://github.com/znc/znc/pull/717
On Wed, October 22, 2014 17:17, Jason Fergus wrote:
Now that the jessie release is well underway, is it possible either to
request unblocks for security uploads or to begin to support a
jessie/testing suite in security.debian.org?
Technically nothing is blocked yet (except udebs), but yes
All,
Our colleagues at Red Hat have published a list of frequently asked questions
regarding the bash ('shellshock') flaws:
https://securityblog.redhat.com/2014/09/26/frequently-asked-questions-about-the-shellshock-bash-flaws/
Basically, all answers that are given there apply to Debian just as
through the Squeeze LTS repository.
This page has more information for you:
https://wiki.debian.org/LTS/Using
Kind regards,
Thijs Kinkhorst
Debian Security Team
Hi Denny,
On Thu, September 25, 2014 19:35, Denny Bortfeldt wrote:
Is it possible to fix also the 2nd part so that bash is really not
vulnerable at all? I saw that Gentoo patched the bash also twice.
It's indeed known that the bash fixes are incomplete.
I would like to stress that the current
Hi,
On Wed, September 24, 2014 21:43, Darko Gavrilovic wrote:
Hi, is there a bash upgrade for squeeze to address below cve?
https://www.debian.org/security/2014/dsa-3032
Updates to squeeze-lts are announced on the debian-lts-announce list.
There you will find that this bug has indeed been
Package: security-tracker
Severity: wishlist
Hi,
In the overview per-package, the tracker currently shows for each CVE
name about seven columns: squeeze, squeeze-security, squeeze-lts, wheezy,
wheezy-security, jessie, sid.
I think for the overviews it would be preferable if the table just
On Tue, September 16, 2014 09:10, Paul Wise wrote:
Could we get a new URL that also has information about unimportant and
resolved issues and DSAs? I would suggest a format like what lintian
uses:
Not sure what you'd use that additional info for, but I would heartily
disrecommend to display
On Mon, September 15, 2014 07:33, Henri Salo wrote:
On Sun, Sep 14, 2014 at 07:06:46PM -0400, micah wrote:
My guess is that the only reason that subversion is still used is
inertia and that people would be happier with git. However, I'm curious
On Mon, September 15, 2014 01:36, Holger Levsen wrote:
Hi,
See attached or branch html5+external_css from
ssh://git.debian.org/git/collab-maint/secure-testing.git
These patches turn the html into html5 and introduce a modern, slick css
style
inspired from tracker.d.o - enjoy! :)
On Fri, September 12, 2014 15:14, Holger Levsen wrote:
Hi,
On Friday, 12 September 2014, Holger Levsen wrote:
attached are three small no brainer fixes I'd like to apply, please
confirm
thanks to Thijs, this diff even got smaller and better, see attached.
I've verified that the code
On Wed, September 3, 2014 15:05, Michael Stone wrote:
On Tue, Sep 02, 2014 at 01:41:05PM -0700, Jameson Graef Rollins wrote:
This package is Priority: optional, and therefore not installed by
default. What about just making it important or required?
On my system it pulled in more than 20MB of
Hi all,
When using APT to install security updates, by default services using the
upgraded libraries are not restarted. Take for example openssl updates: merely
doing apt-get update apt-get upgrade is not enough to be safe: you also
need to restart Apache, Postfix, ...
Although well-trained
Hi Mathieu.
On Wed, April 16, 2014 18:59, vielg...@gmail.com wrote:
Is there a way to get the list of the correcting packages for each CVE in
Debian?
Yes, if you go to https://security-tracker.debian.org/tracker/ and search
for a CVE name in the text field, you will get a list of the packages
Hi Mathieu,
On Wed, April 16, 2014 19:58, vielg...@gmail.com wrote:
Hi Thijs,
Yes, thanks, but is there a list .txt or .gz which sums up everything?
The source data is plain text:
http://anonscm.debian.org/viewvc/secure-testing/data/CVE/
What may also be of use is the source data for the
Package: wnpp
Severity: normal
We request an adopter for the signing-party package. There's currently
a number of co-maintainers but the majority of them have indicated to
have no time to contribute a lot to the package.
The package is an interesting collection of tools and in the BTS there's
a
On Thu, September 5, 2013 23:17, Luke L wrote:
as root, I issue:
apt-get update
I get errors such as:
Err http://security.debian.org squeeze/updates/main amd64 Packages
503 Forwarding failure
This error is most probably generated by some intermediate proxy between
your system and
On Thu, July 18, 2013 19:58, Moritz Muehlenhoff wrote:
Debian Security Advisory DSA-2725-1 secur...@debian.org
Package: tomcat6
For the oldstable distribution (squeeze), these problems have been fixed
in version 6.0.35-1+squeeze3.
Due to an error the update for
On Thu, June 20, 2013 09:08, jaros...@thinline.cz wrote:
Can someone please confirm that the Wheezy package is really not
vulnerable? I tried to use the test code from PHP (attached below) on
multiple PHP versions, but it doesn't cause segfaults (as it's supposed
to) on any of those I tried
Hi dsa,
On Thu, April 4, 2013 11:10, Thijs Kinkhorst wrote:
Hi admins,
It was noted that the security tracker now blanket redirects to
https://security-tracker.debian.org. This is fine of course for us DD's,
but it presents a problem for externals using it. The tracker is often
used by e.g
On Wed, February 27, 2013 04:43, Steven Chamberlain wrote:
Dear Security Team,
In the tracker, CVE-2011-1092 and CVE-2011-1148 in PHP before 5.3.6
are correctly shown as fixed in 5.3.3-7+squeeze14. But 5.4.4-13 is
still suggested as being vulnerable.
The upstream changelog for 5.4.4
On Mon, January 14, 2013 17:53, Carlos Alberto Lopez Perez wrote:
Seems that the upgrade is causing some serious issues (segfaults) on
stable:
http://bugs.debian.org/698118
http://bugs.debian.org/698112
The maintainer has made updated packages available for test in response to
this problem.
Hi Daniel,
On Tue, December 4, 2012 18:33, daniel curtis wrote:
Thank You, I should look there first (Security Tracker). But I see,
that two of three CVE's are marked as 'vulnerable' for all branches;
stable, testing and unstable. Frankly, only first CVE is Fixed for
Squeeze.
It is normal?
On Wed, November 7, 2012 09:33, Raphael Hertzog wrote:
Are there any plans to further upgrade squeeze in this manner?
I leave this to Yves-Alexis... It would be nice to formalize this
approach with the security team.
I think we should do this only when it has been shown that applying the
Hi Adrian,
On Tue, September 18, 2012 10:58, Adrian Minta wrote:
is there a DSA for apache2 2.2.16-6+squeeze8 ?
No, there is not. apache2 2.2.16-6+squeeze8 is in
squeeze-proposed-updates, a preparation area for packages that will be
part of the next Squeeze point update (6.0.6). It is not
Hi David,
On Fri, September 14, 2012 03:28, David Prevot wrote:
This is a notice to inform you, that our previous PGP/GPG key expired.
Thanks for notifying us on debian-security-announce@l.d.o, but I
disagree that such an announcement deserves a DSA number. DSA-2360 was
also a misuse of a
Hi Adam,
On Thu, August 16, 2012 07:56, echo083 wrote:
The sun-java6 in the stable branch is the version 1.6.0_26 is there a
plan for any security upgrade?
I'm afraid that's not possible. Oracle has changed licensing such that
it's no longer allowed for Debian to distribute newer versions.
Hi Olivier,
On Mon, August 6, 2012 10:20, Olivier Sallou wrote:
a CVE has been created for the bug id below in logol package.
In the meanwhile the issue has been fixed and uploaded.
Can anyone tell me how to manage CVEs? CVE id is in the bug report, but
should I do something else to
On Mon, July 2, 2012 13:38, Silvio Cesare wrote:
On Mon, Jul 2, 2012 at 8:27 PM, Bernd Zeimetz be...@bzed.de wrote:
The ia32-libs stuff are all false positives (assuming the package was
updated after the security fixes came out, I'm not 100% sure about that
:) And the openssl source is
On Sat, June 16, 2012 00:40, s...@powered-by-linux.com wrote:
Hi Team,
I had prepared a new security-stable version for mantis package to fix
some new CVE's, and I found out that CVE-2011-3578 [1], patched on mantis
1.1.8+dfsg-10squeeze1, from 2011, was not yet updated in the security
On Sat, June 2, 2012 15:03, Vincent Blut wrote:
Wrong subject: s/arpwatch/libgdata/
Yes, sorry for the confusion, a corrected version has already been sent.
Thijs
Hi,
On Thu, May 10, 2012 09:45, Benjamin Vetter wrote:
my apt wants to update linux-image-2.6? (amd64)
the last-modified stamp of the .deb on the mirrors is 06-May, so quite a
few days have already passed
http://ftp.de.debian.org/debian/pool/main/l/linux-2.6/
i don't see any advisory and
On Thu, May 10, 2012 12:39, Mark Rushing wrote:
This mistake made it onto a few machines here before I noticed and came
to check... it's an okay update to have installed, in the meantime
though, yes? I mean, it's not some untested work-in-progress that
slipped in... that I should revert
Hi,
On Sat, April 7, 2012 06:24, Mikulas Patocka wrote:
There is a security bug in Debian Squeeze libtiff 3.9.4-5+sq.
Thanks for reporting. Just to clarify, which package version is this
exactly? There seems to be something missing from the version number you
quote.
BTW. how does Debian
On Sat, March 3, 2012 02:52, Chris Frey wrote:
I've done the latest update, but apt-cache show file still shows
version 5.04-5 available, instead of 5.04-5+squeeze1.
You are probably using one of the following archs:
armel i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips
Unfortunately these builds
On Thu, March 1, 2012 08:43, Pascal Hambourg wrote:
For the stable distribution (squeeze), this problem has been fixed in
version 5.04-5+squeeze1.
This update is not available for some architectures yet.
Is this normal?
It's not intended but caused by a limitation of the archive software
Hi,
The new upstream release of GnuPG, 1.4.12, is now packaged in
experimental. Some other changes were made as well, for example for the
hardening build flags and multiarch release goals.
If you're interested, please don't hesitate to try it out in your
environment. The basic plan is to upload
On Mon, February 6, 2012 03:24, Carlos Alberto Lopez Perez wrote:
On 05/02/12 22:52, Luk Claes wrote:
On 02/05/2012 05:23 PM, Carlos Alberto Lopez Perez wrote:
On 04/02/12 01:12, Luk Claes wrote:
On 02/03/2012 10:35 PM, Mario Antonio wrote:
Do you think that there will be a fix for Lenny even
On Thu, December 29, 2011 16:37, Nicolas Carusso wrote:
How about creating a Reference list with all the suggestions that we are
doing?
If all of you agree, Let's start now.
SECURITY LIST
**
There's already the Securing Debian HOWTO:
Hi Paul,
On Sunday 13 November 2011 09:59:19 Paul Wise wrote:
Package: www.debian.org
Severity: normal
X-Debbugs-CC: debian-security@lists.debian.org
These two links are referenced by the Debian security audit pages but
the domain has been taken by squatters. Could someone from the
On Wed, October 19, 2011 12:50, Sylvestre Ledru wrote:
CC debian release security
On Wednesday 19 October 2011 at 12:21 +0200, Thijs Kinkhorst wrote:
Upstream has released Java SE 6 update 29 yesterday:
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
On Wed, October 19, 2011 14:15, Matthias Klose wrote:
On 10/19/2011 02:09 PM, Thijs Kinkhorst wrote:
Have we been in contact with Oracle upstream and explained that we are
eager to comply with their wish to move entirely to openjdk for our next
release, but have the problem that we have
Hi Vladislav,
On Mon, October 10, 2011 12:04, Vladislav Kurz wrote:
i wonder if there is something wrong with this DSA. I manage a lot of
servers with cyrus, but the update is available only on one of them
(squeeze, amd64), and not on the others (squeeze/lenny, i386).
I do not use nntp, so I
On Sun, September 11, 2011 22:28, Paul van der Vlis wrote:
Hello,
I see security issues in Django on the Django website,
https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
But I don't see anything in the Debian security tracker about it:
Hi Enno,
On Mon, June 6, 2011 14:14, Enno Gröper wrote:
the link at [1] to http://svn.debian.org/wsvn/secure-testing/data/
doesn't work anymore. Last time I (my Newsreader) saw it working was May
20th.
The repository itself seems to still be there.
Is there any special reason for hiding the
On Fri, June 3, 2011 22:05, Francesco Poli wrote:
On Fri, 3 Jun 2011 20:01:05 +0200 Thijs Kinkhorst wrote:
On Fri, June 3, 2011 00:04, Francesco Poli wrote:
Hi,
DSA-2252-1 [1] talks about dovecot, but the tracker [2] claims that
the
DSA is about mahara.
Is there something wrong
Hi dave,
On Tue, May 17, 2011 14:56, dave b wrote:
Hi it would seem that policykit-1 is not listed on
http://security-tracker.debian.org/tracker/status/release/stable as a
vulnerable source package (regarding CVE-2011-1485 ) ... ( although
CVE-2011-1485 appears to have been fixed in debian
On Wednesday 23 February 2011 10:12:08 Philipp Kern wrote:
Hi,
On Wed, Feb 09, 2011 at 09:32:48PM +, Steve Kemp wrote:
Michael Brooks (Sitewatch) discovered a reflective XSS flaw in
cgiirc, a web based IRC client, which could lead to the execution
of arbitrary javascript.
For
Hi Dominic,
On Monday 21 February 2011 14:11:45 Dominic Hargreaves wrote:
Are there any plans to update the sun-java6 packages in lenny and
squeeze for the recent floating point DoS issue?
Yes: http://lists.debian.org/debian-release/2011/02/msg00240.html
Thijs
On Monday 14 February 2011 19:07:41 Francesco Poli wrote:
No, wait: it fails again with the same exact proxy error as yesterday!
What's going on?
I just restarted the tracker after updating the code to the most recent
version and it seems to work again.
Thijs
On Wed, February 9, 2011 19:50, Francesco Poli wrote:
On the other hand, the security tracker seems to still think that lenny
is stable [1] and squeeze is testing [2], while I have been unable to
find any traces of wheezy...
Is there something that should be done manually, in order to let the
On Thu, February 10, 2011 03:40, Michael Gilbert wrote:
On Wed, 9 Feb 2011 22:12:21 +0100 Thijs Kinkhorst wrote:
On Wed, February 9, 2011 19:50, Francesco Poli wrote:
On the other hand, the security tracker seems to still think that
lenny
is stable [1] and squeeze is testing [2], while I
Hi Dominic,
On Mon, February 7, 2011 18:18, Dominic Hargreaves wrote:
squeeze-security (i386 at least) has the following binary packages
which are not in squeeze. They are therefore selected as candidates for
install even though they represent an unmaintained branch of code.
The i386 packages
On Sunday 06 February 2011 17:05:23 Michael Gilbert wrote:
I am using postgres on squeeze.
Reading DSA-2157-1 I can see that I must upgrade to 8.4.7-0squeeze1 but
I can't find that package using http://www.debian.org/distrib/packages
or apt.
Unfortunately, the squeeze
On Wed, December 22, 2010 21:35, Francesco Poli wrote:
I ran a script that automatically added released DSA's to data/DSA/list.
As
this script uses bin/dsa2list and that tool cannot cope with the changed
advisory format, it doesn't make sense to keep committing half parsed
advisories.
I am
Hi,
I ran a script that automatically added released DSA's to data/DSA/list. As
this script uses bin/dsa2list and that tool cannot cope with the changed
advisory format, it doesn't make sense to keep committing half parsed
advisories.
Cheers,
Thijs
On Monday 15 November 2010 13:59:01 Gerfried Fuchs wrote:
Also, you just stated that he is not a part of the security team - that
unfortunately doesn't get us anywhere though. Were his statements in
that respect untrue? I would have expected at least a single message
with respect to some-kind
Hi Kurt,
On Thursday 11 November 2010 19:43:33 Kurt Roeckx wrote:
So I've prepared a package based on the ubuntu patch. I also went
over every commit between the 0.9.8l and 0.9.8m release and am
reasonably confident this patch should work properly.
The current package is available at:
On Saturday 13 November 2010 18:21:45 Jordon Bedwell wrote:
On Sat, 2010-11-13 at 18:14 +0100, Thijs Kinkhorst wrote:
I have tested it in some different environments with different types of
configurations and the packages work very fine for me.
Just one question, did you test the patch
On Saturday 13 November 2010 11:14:16 Petter Reinholdtsen wrote:
I just created URL: http://bugs.debian.org/603344 to track
CVE-2010-2941 in BTS. You might want to add a reference to it from
URL: http://security-tracker.debian.org/tracker/CVE-2010-2941 .
Done, thanks.
Thijs
On Thursday 9 September 2010, Francesco Poli wrote:
it looks like something is missing in the tracker data [1] for
DSA-2107-1 [2] !
Completed, thanks!
Thijs
Hi,
Is there a reason that the DNS name security-tracker.debian.net has been
removed? This seems problematic to me since there's still quite some links to
that, most notably debsecan in stable.
Unless there's a good reason I'd like to reinstate it.
Cheers,
Thijs
Hi Benjamin,
On Sun, February 21, 2010 17:19, Benjamin Vetter wrote:
I'm wondering why the squirrelmail package has a php4 -or- php5
dependency http://packages.debian.org/en/lenny/squirrelmail
I updated from etch to lenny long time ago, but I still had etch's php4
installed through this
On Mon, January 25, 2010 21:05, Florian Weimer wrote:
* Adrian Minta:
Hi,
Does squirrelmail 1.4.15-4+lenny2 has fixes for SA34627 ?
According to http://security-tracker.debian.org/tracker/CVE-2009-2964,
it's still vulnerable.
Indeed. Backporting the fix for this is not trivial since it's
On Sunday 3 January 2010, Michael Gilbert wrote:
I've updated the sql logic to workaround a bug in lenny's aspw (and
the code is actually now a bit cleaner...for sql anyway). Please push
this new commit to the live tracker.
U lib/python/security_db.py
Updated to revision 13701.
--
On Saturday 2 January 2010, Michael Gilbert wrote:
It appears that new commits to the tracker service do not
automatically go live (based on the above syntax checker message
received from sectrac...@soler.debian.org). Anyway, can someone with
appropriate permissions update the repo there
On Sun, November 8, 2009 13:34, Yves-Alexis Perez wrote:
Hey,
apt-get update on my lenny box gives the following warning:
W: GPG error: http://security.debian.org lenny/updates Release: The
following signatures were invalid: BADSIG 9AA38DCD55BE302B Debian
Archive Automatic Signing Key
On Monday 9 November 2009, Jakub Wilk wrote:
NOTE: embeds msgfmt.py script
- - mailman unfixed (embed)
+ - mailman unfixed (embed; #555416)
Although this is installed into the Debian package, it is never used and not
installed into the path. What is the risk here? I can
Hi,
The recent release candidate 1 for GnuPG 1.4.10 has been packaged and uploaded
to Debian's experimental distribution, in order to facilitate testing. If
you wish, please try it out and of course report bugs found. All cautions
around release candidates and the experimental distribution of
On Mon, June 15, 2009 16:42, Dominic Hargreaves wrote:
For the oldstable distribution (etch), this problem will be fixed soon.
2.1.22.dfsg1-8+etch1 has now appeared in the security archive which
appears to fix this problem, but no subsequent advisory has been released.
Is this an oversight?
Hi John,
On Monday 25 May 2009, john wrote:
The recent key-change forced me to use the main stable repos to get
the new keys (e.g apt-get install debian-archive-keyring )
. and got me thinking...
Is the approach I outlined the best way to maintain the security and
stability of these
On Sunday 24 May 2009, Joey Hess wrote:
CVE-2007-2004 (Multiple SQL injection vulnerabilities in
InoutMailingListManager 3.1 ...)
- {DTSA-133-1}
NOT-FOR-US: InoutMailingListManager
Would it be possible for the tracker to error out on this when first
encountering the
Hi,
On Thursday 21 May 2009, FTF 3k3 wrote:
The Upgrade instructions section of each email contains instructions
for apt-get instead of aptitude which is Debian recommended package
manager.
In some documents, aptitude is indeed preferred over apt-get because of the
dependency resolving
On Monday 11 May 2009, Michael S. Gilbert wrote:
security team,
should the DSA announcement be reissued to correct/clarify?
That should not be necessary. The DSA mails pertain to the state of affairs in
old/stable; we mention sid fixed versions as a courtesy but I don't see it
necessary to
On Friday 17 April 2009, Kees Cook wrote:
For embargoed issues, this is supposed to happen already, by way of
vendor-sec. Who all from Debian is on that list, and what are the policies
and procedures you have in place for contacting maintainers?
The Security Team is on that list. We do contact
On Saturday 14 February 2009, Florian Weimer wrote:
Our servers use commercial certificates, with GTE CyberTrust Global
Root as the root certificate. It apparently is a v1 x509 certificate...
It's uses 1024 bit RSA, it is more than ten years old, and GTE
Cybertrust does not exist
On Saturday 10 January 2009 17:50, Francesco Poli wrote:
Otherwise, are there plans to do so?
RC bugfixes are usually unblocked without the need for asking. Also,
security bugfixes for ice* packages are allowed by habit.
Nonetheless, iceape, iceweasel, and xulrunner are 20 days old
On Wed, December 17, 2008 00:03, Francesco Poli wrote:
It seems that there's no tracker page [1][2] for DSA-1686-1 [3] and
DSA-1687-1 [4]. What's wrong?
Something went wrong which brought the checkout the script uses to commit
its update in, in a conflict state. I resolved that now, and
On Thu, November 20, 2008 12:59, Gerfried Fuchs wrote:
The script itself (bin/dsa2list) is able to work through it properly,
so I suspect a mail problem, DSA-1666-1 got added automatically again?
There is a chance that the mail got lost or filtered.
Another possibility is that dsa2list failed
On Wed, October 22, 2008 23:59, Michael Gilbert wrote:
The tracker page [1] for CVE-2008-3699 says Debian/stable not known
to be vulnerable, yet in the next section it says that etch 1.4.4-4
vulnerable. These two statements contradict one another, and lead one
clueless as to whether the issue
On Mon, September 8, 2008 13:09, [EMAIL PROTECTED] wrote:
Regression fixed in wordnet
- - wordnet 1:3.0-12 (medium; bug #497441)
+ - wordnet 1:3.0-13 (medium; bug #497441)
Since the regression doesn't have security implications, wouldn't it be
more accurate to keep the fixed-version
On Thursday 28 August 2008 03:51, Michael Gilbert wrote:
what about a getting a fix for this issue into stable?
it doesn't affect stable
ok, can someone update the tracker [1] to reflect that this issue does
not affect etch (yelp 2.14) and sarge (yelp 2.6)?
I've updated the etch