Re: [SECURITY] [DSA-2154-1] exim4 security update

2011-01-30 Thread Moritz Mühlenhoff
You wrote in gmane.linux.debian.devel.security: Hi, Please do not copy and paste contents of README.debian file. It's redundant information and significantly adds to the work of translators for each supported language. It's not. README.debian isn't translated (English only) and people need to

Re: [DSA 2160-1] tomcat6 security update

2011-02-14 Thread Moritz Mühlenhoff
moog m...@sysdev.oucs.ox.ac.uk wrote: Hi, DSA 2160-1 is about CVE-2010-3718, CVE-2011-0013 and CVE-2011-0534. It says The oldstable distribution (lenny) is not affected by these issues. I wonder if that's mistaken, because http://tomcat.apache.org/security-6.html says: CVE-2010-3718

Re: CVE-2010-4653 fixed in experimental

2011-03-22 Thread Moritz Mühlenhoff
Arne Wichmann a...@anhrefn.saar.de wrote: CVE-2010-4653 seems to be fixed in experimental but the tracker does not reflect this. It does: The table

Re: CVE-2010-4655, CVE-2011-1012 and CVE-2011-1082 fixed in stable

2011-05-05 Thread Moritz Mühlenhoff
Arne Wichmann a...@anhrefn.saar.de wrote: CVE-2010-4655, CVE-2011-1012 and CVE-2011-1082 seem to be fixed in stable [1-3], the security-tracker still

Re: libpng CVE-2006-7244/CVE-2009-5063

2011-07-24 Thread Moritz Mühlenhoff
Henri Salo he...@nerv.fi wrote: There are two open vulnerabilities in libpng 1.2.27-2+lenny4 as you can see from: http://security-tracker.debian.org/tracker/source-package/libpng The issues I am concerned about are CVE-2006-7244 and CVE-2009-5063. Notes of the issues are: package libpng

Some missing packages for opensaml2, krb5-appl and qemu-kvm

2011-07-25 Thread Moritz Mühlenhoff
FYI: Due to a problem related to the key rollover in the buildd network, updated binaries are not available for a few archs. I'm looking into getting it fixed. Cheers, Moritz -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble?

Re: [SECURITY] [DSA 2287-1] libpng security update

2011-07-29 Thread Moritz Mühlenhoff
Kurt Roeckx k...@roeckx.be wrote: On Thu, Jul 28, 2011 at 06:23:46PM +0200, Luciano Bello wrote: For the oldstable distribution (lenny), this problem has been fixed in version 1.2.27-2+lenny5. Due to a technical limitation in the Debian archive processing scripts, the updated packages cannot

Re: Debian LTS?

2011-10-06 Thread Moritz Mühlenhoff
Yves-Alexis Perez cor...@debian.org wrote: On mar., 2011-10-04 at 11:59 +0100, Dominic Hargreaves wrote: Hi all, I recall coming across the proposal/discussion in http://wiki.debian.org/DebianSecurity/Meetings/2011-01-14 shortly after that wiki page was published, and thought it was

Re: Debian LTS?

2011-10-07 Thread Moritz Mühlenhoff
Florian Weimer f...@deneb.enyo.de wrote: One person's essential features is another's backwards-incompatible change. Driver updates to support new hardware are somewhat risky, but often welcomed. Driver backports would likely be left aside for an initial LTS setup: - One of the use cases

Re: Bug#645881: critical update 29 available

2011-12-08 Thread Moritz Mühlenhoff
On Thu, Dec 01, 2011 at 09:47:53PM +0100, Florian Weimer wrote: * Moritz Mühlenhoff: Florian, what's the status of openjdk6 for stable/oldstable? I've released the pending update for squeeze. lenny will eventually follow, and so will the pending updates for squeeze, but judging by my

Re: Vulnerable PHP version according to nessus

2011-12-28 Thread Moritz Mühlenhoff
Dave Henley dhenl...@live.com wrote: I recently installed a Debian Squeeze system along with apache2 and PHP5. The system is fully up-to-date and the following

Testers needed for Tomcat security update

2012-01-22 Thread Moritz Mühlenhoff
Hi, the changes needed to secure Tomcat against the recent hash collision attack are large and intrusive. That's why we decided to update to 6.0.35 in the upcoming stable update. No breakage is expected, but we need more beta testers before we can release the update. The packages can be fetched

Re: Testers needed for Tomcat security update

2012-02-02 Thread Moritz Mühlenhoff
Moritz Mühlenhoff j...@inutil.org wrote: Moritz Mühlenhoff j...@inutil.org wrote: Hi, the changes needed to secure Tomcat against the recent hash collision attack are large and intrusive. That's why we decided to update to 6.0.35 in the upcoming stable update. No breakage is expected

Re: libfreetype6 Security Update w/out DSA?

2012-03-08 Thread Moritz Mühlenhoff
Wolfgang Karall lists+debian-secur...@karall-edv.at wrote: Hi, I'm getting this change but can't see a DSA for it: freetype (2.4.2-2.1+squeeze4) stable-security; urgency=low * CVE-2012-11[33|34|36|42|44] -- Moritz Muehlenhoff j...@debian.org Wed, 07 Mar 2012 17:46:07 +0100 Is this

Re: [SECURITY] [DSA 2437-1] icedove security update

2012-03-22 Thread Moritz Mühlenhoff
On Thu, Mar 22, 2012 at 01:15:35PM +0100, Christophe Garault wrote: On 21/03/2012 19:58, Moritz Muehlenhoff wrote: For the stable distribution (squeeze), this problem has been fixed in version icedove 3.0.11-1+squeeze8. Hello Moritz, The only version available today for stable is

Re: A security bug in Debian Squeeze libtiff (+ non-updated ia32-libs??)

2012-04-07 Thread Moritz Mühlenhoff
Mikulas Patocka miku...@artax.karlin.mff.cuni.cz wrote: Hi There is a security bug in Debian Squeeze libtiff 3.9.4-5+sq. When loading corrupted images and with ElectricFence memory debugging enabled, programs using libtiff crash. How to reproduce: Download corrupted images from here:

Testers needed for OpenJDK update

2012-06-29 Thread Moritz Mühlenhoff
I've created backported stable-security OpenJDK packages for the latest Oracle security update round. They have passed initial testing, but since the patches are invasive and OpenJDK has many weird applications using it, I need additional user testing before I release the packages (I need at

Re: [SECURITY] [DSA 2550-1] asterisk security update

2012-09-24 Thread Moritz Mühlenhoff
On Wed, Sep 19, 2012 at 12:07:15PM +0200, Michael Kozma wrote: On 19/09/2012 12:00, Cyril Brulebois wrote: Michael, that should be “chan_sip” apparently? Yes, sorry, but I have the same issue as Herman : monitoring*CLI module load chan_sip Unable to load module chan_sip Command

Re: flashplugin-nonfree : newer Flash Player

2012-11-07 Thread Moritz Mühlenhoff
Bart Martens ba...@debian.org wrote: Hi, Maybe I should do announcements like this : | Users of the Debian package flashplugin-nonfree can now run | update-flashplugin-nonfree --install, since I've now updated the download url | and checksums to match the newest Flash Player

Re: flashplugin-nonfree get-upstream-version.pl security concern

2012-12-12 Thread Moritz Mühlenhoff
On Wed, Dec 12, 2012 at 05:52:31PM +, adrelanos wrote: Hi, I do not want to discuss security implications of the upstream closed source Adobe Flash plugin. This is about how the Flash plugin is downloaded and installed in Debian. /usr/sbin/update-flashplugin-nonfree downloads

Re: [SECURITY] [DSA 2593-1] moin security update

2012-12-30 Thread Moritz Mühlenhoff
Salvatore Bonaccorso car...@debian.org wrote: Package: moin Vulnerability : several Problem type : remote Debian-specific: no CVE ID : not available yet This was announced yesterday, but it looks like moin 1.9.3-1+squeeze4 is not yet present in the security

Call for testing: rails update

2013-03-21 Thread Moritz Mühlenhoff
The upcoming rails update is a little more invasive than usual. If you run a rails-based setup, please test the packages from http://howl.nic.cz/rails/ and send your brief test results to t...@security.debian.org (and keep ond...@debian.org in CC) Cheers, Moritz

Testing needed: openjdk7 update for stable-security

2013-07-08 Thread Moritz Mühlenhoff
As discussed on debian-release some time ago security support for openjdk will be following upstream releases in the future. The openjdk7 packages available at http://people.debian.org/~jmm/ have seen initial testing and the testsuite results look good, but some advance testing more setups

Re: Testing needed: openjdk7 update for stable-security

2013-07-11 Thread Moritz Mühlenhoff
Moritz Mühlenhoff j...@inutil.org wrote: As discussed on debian-release some time ago security support for openjdk will be following upstream releases in the future. The openjdk7 packages available at http://people.debian.org/~jmm/ have seen initial testing and the testsuite results look

Re: Testing needed for openjdk-6 security updates

2013-07-17 Thread Moritz Mühlenhoff
Jens Schüßler j...@trash.net wrote: * Moritz Muehlenhoff j...@debian.org wrote: As discussed on debian-release some time ago security support for openjdk will be following upstream releases in the future. The packages for openjdk are generally ready, but I don't use Java myself. As such I

Re: Testing needed for openjdk-6 security updates

2013-07-22 Thread Moritz Mühlenhoff
On Mon, Jul 22, 2013 at 10:19:00PM +0100, Lisi Reisz wrote: On Sunday 21 July 2013 14:21:20 Moritz Mühlenhoff wrote: Moritz Muehlenhoff j...@debian.org schrieb: As discussed on debian-release some time ago security support for openjdk will be following upstream releases in the future

Testers needed for hplip security update

2013-12-17 Thread Moritz Mühlenhoff
Hi, I've prepared backports for various security issues in hplip. However, I don't have a printer, so I need help with testing. Packages can be grabbed from http://people.debian.org/~jmm/ Please send test feedback directly to j...@debian.org Cheers, Moritz

Re: [SECURITY] [DSA 2819-1] End-of-life announcement for iceape

2013-12-19 Thread Moritz Mühlenhoff
Chris Frey cdf...@foursquare.net wrote: Is this for old-stable? Or for the latest 7.3 Debian? Also for Wheezy. Was support dropped due to lack of manpower? And what were the main differences between upstream Seamonkey and the Debian-branded version? If Seamonkey is still supported, why

Re: Enhancements/enabled hardening flags in Wheezy pkgs/release.

2014-01-01 Thread Moritz Mühlenhoff
Daniel Curtis sidetripp...@gmail.com wrote: Hello everyone, Before Wheezy release we could find a web site, which contained notices about update as many packages as possible to use security hardening build flags

Re: Enhancements/enabled hardening flags in Wheezy pkgs/release.

2014-01-02 Thread Moritz Mühlenhoff
Michael Gilbert mgilb...@debian.org wrote: There isn't really any group effort tackling or monitoring the assortment of useful hardening features. That is something that could definitely be improved. Here's some concrete issues where people can help out. Many of these tasks will take less

Re: Debians security features in comparison to Ubuntu

2014-05-18 Thread Moritz Mühlenhoff
herzogbrigit...@t-online.de herzogbrigit...@t-online.de wrote: Hello there, I'm a new user of the great Debian distro for my Desktop. But when I talked to a friend and I told him, that I'm using Debian (Wheezy) for my desktop computer, he told me that I shouldn't use it because it is not

Re: [SECURITY] [DSA 3061-1] icedove security update

2014-11-01 Thread Moritz Mühlenhoff
strumcat strum...@riseup.net wrote: The Icedove installer seems to be using a script that requires human interaction (Press Q to quit), but the output isn't visible under default settings in Synaptic. This makes the install seem to hang indefinitely, unless the user clicks View details

Things you can help with in the Security Tracker

2011-02-21 Thread Moritz Mühlenhoff
Hi, quite a few people have been added to the Security Tracker group recently. Here's a few pointers to stuff you can work on: - Try to research the status of undetermined issues and convert them to unfixed or not-affected entries: http://security-tracker.debian.org/tracker/status/undetermined

Re: CVE-2010-4704 is done

2011-04-13 Thread Moritz Mühlenhoff
On Thu, Apr 07, 2011 at 12:11:53AM +0200, Arne Wichmann wrote: Hi, #611495, to which the security-tracker page refers, is closed. The CVE says it applies to 0.6.1 and earlier - the version is now 0.6.2 . But the security tracker still lists ffmpeg as vulnerable. Did I miss something?

Re: CVE-2010-4704 is done

2011-04-17 Thread Moritz Mühlenhoff
On Thu, Apr 14, 2011 at 10:43:24AM +0200, Arne Wichmann wrote: begin quotation from Moritz Mühlenhoff (in 20110413182904.GA3998@pisco.westfalen.local): On Thu, Apr 07, 2011 at 12:11:53AM +0200, Arne Wichmann wrote: #611495, to which the security-tracker page refers, is closed. The CVE

Re: CVE-2009-5022

2011-05-19 Thread Moritz Mühlenhoff
On Thu, May 19, 2011 at 04:21:51PM +0200, Laurent Bonnaud wrote: Hi, I am looking at this security issue: http://security-tracker.debian.org/tracker/CVE-2009-5022 All Debian package versions are marked as vulnerable. However according to the description of the issue it should be

Re: CVE-2011-0726 and others

2011-05-28 Thread Moritz Mühlenhoff
On Thu, May 26, 2011 at 12:22:20PM +0200, Laurent Bonnaud wrote: Hi, I am looking at the following 3 security issues: http://security-tracker.debian.org/tracker/CVE-2011-0726 http://security-tracker.debian.org/tracker/CVE-2011-1767

Re: Getting started

2011-07-24 Thread Moritz Mühlenhoff
On Sat, Jul 23, 2011 at 10:22:38PM -0700, Johnathan Ritzi wrote: Thanks for the details! Below is a proposed patch to the introduction file. Questions about what I added: - Did I get everything that needs to be checked before marking a CVE NFU? Yes, seems fine. - Is there an easier

Re: Getting started

2011-07-26 Thread Moritz Mühlenhoff
On Tue, Jul 26, 2011 at 02:57:37PM -0700, Johnathan Ritzi wrote: As a followup: what amount of checking should be done before marking an issue as fixed? Is a changelog entry by the maintainer saying that CVE/bug has been fixed enough? Or do people on this list research the vulnerability

Re: clamav: floating point exception in OLE2 scanner DoS / TEMP-0000000-6B8835

2011-08-01 Thread Moritz Mühlenhoff
On Mon, Aug 01, 2011 at 06:50:38PM +0300, Henri Salo wrote: I think TEMP-000-6B8835 is the same as CVE-2007-2650 as seen in these links below: http://security-tracker.debian.org/tracker/TEMP-000-6B8835 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2650

Re: CVE-2011-4356: Affects celery only, not django-celery

2012-01-02 Thread Moritz Mühlenhoff
On Mon, Jan 02, 2012 at 12:46:15PM +0100, Michael Fladischer wrote: A happy new year to all of you! I'd like to provide some additional information on CVE-2011-4356. [0] states that it affects django-celery but this is just an integration package between django and celery. The CVE itself

Re: CVE-2011-4622

2012-03-31 Thread Moritz Mühlenhoff
On Fri, Mar 23, 2012 at 06:06:53PM +0100, Laurent Bonnaud wrote: Hi again, I am looking at this page: http://security-tracker.debian.org/tracker/CVE-2011-4622 and kernel 3.2.12-1 in sid and wheezy is marked as vulnerable. However the fix for this bug is here:

Re: CVE-2011-4621

2012-03-31 Thread Moritz Mühlenhoff
On Fri, Mar 23, 2012 at 04:18:49PM +0100, Laurent Bonnaud wrote: Hi, I am looking at this page: http://security-tracker.debian.org/tracker/CVE-2011-4621 and kernel 3.2.12-1 in sid and wheezy is marked as vulnerable. However the fix for this bug is here:

Bug#669286: security-tracker: DSA-2453-1 vs. tracker

2012-04-23 Thread Moritz Mühlenhoff
On Wed, Apr 18, 2012 at 09:24:28PM +0200, Francesco Poli (wintermute) wrote: Package: security-tracker Severity: normal Hello, DSA-2453-1 [1] states that three vulnerabilities are fixed in wheezy and sid by gajim/0.15-1, but the tracker seems to disagree regarding CVE-2012-2093 [2], which

Re: libv8 testing - update security tracker status

2012-12-27 Thread Moritz Mühlenhoff
On Sat, Dec 01, 2012 at 10:32:30AM +0100, Jérémy Lal wrote: On 13/09/2012 23:27, Moritz Muehlenhoff wrote: Package: libv8 Severity: grave Tags: security Hi, please check the status of these security issues in libv8. They were all fixed in Chrome, but it's not clear from which

Bug#700770: security-tracker: DSA-2624-1 vs. tracker

2013-02-17 Thread Moritz Mühlenhoff
On Sun, Feb 17, 2013 at 11:06:15AM +0100, Francesco Poli (wintermute) wrote: Package: security-tracker Severity: normal Hello, DSA-2624-1 [1] states that a number of vulnerabilities have been fixed for squeeze in ffmpeg/4:0.5.10-1 . The tracker seems to agree on its corresponding DSA page

Re: CVE-2010-3205 affects textpattern package

2013-05-21 Thread Moritz Mühlenhoff
On Tue, May 21, 2013 at 10:16:25PM +0100, Steven Chamberlain wrote: On 21/05/13 22:09, Moritz Muehlenhoff wrote: Thanks, I've updated the security tracker! Okay, thank you! I couldn't say for sure the exploit given the CVE is real, and there's very little interest in the package any more

Re: CVE-2012-6150 and samba4

2014-01-26 Thread Moritz Mühlenhoff
On Sat, Jan 25, 2014 at 12:04:37PM +1300, Andrew Bartlett wrote: I've checked, and this issue does not apply to samba4, because the 'samba4' winbind does not implement this feature at all. That is, the problem directive is ignored in all cases. (This is still fail-open, but in this case

Re: Schema reorganization for package_notes table

2014-02-05 Thread Moritz Mühlenhoff
On Sun, Feb 02, 2014 at 10:15:42PM +0100, Florian Weimer wrote: The package_notes table currently looks like this: CREATE TABLE package_notes (id INTEGER NOT NULL PRIMARY KEY, bug_name TEXT NOT NULL, package TEXT NOT NULL, fixed_version TEXT

Re: Helping out with debsecan

2014-03-11 Thread Moritz Mühlenhoff
On Thu, Mar 06, 2014 at 02:37:30PM -0800, Adam L. wrote: I am interested in helping maintain and develop the debsecan script. The first thing I would do is convert the script to a wrapper around a library so that other scripts could use the code. Additionally, I'd like to put together a

Re: [Secure-testing-commits] r28952 - in data: . CVE

2014-09-23 Thread Moritz Mühlenhoff
On Mon, Sep 22, 2014 at 02:11:07PM +0200, Raphael Hertzog wrote: Hi, Side remark: Could we get reply-to set to debian-security-tracker@lists.debian.org on the commit mails? On Mon, 22 Sep 2014, Moritz Muehlenhoff wrote: Modified: data/CVE/list data/dsa-needed.txt Log:

Bug#762781: security-tracker: Provide list of candidates for dsa-needed.txt/dla-needed.txt

2014-09-28 Thread Moritz Mühlenhoff
On Sat, Sep 27, 2014 at 12:40:03PM +0200, Holger Levsen wrote: Hi, On Freitag, 26. September 2014, Raphael Hertzog wrote: The annoying part is that the mapping of release = file to use changes over time. There's a one year period where oldstable is the realm of the security team and only

Re: CVE-2014-7191 is closed by node-qs 2.2.4-1

2014-10-12 Thread Moritz Mühlenhoff
On Sun, Oct 12, 2014 at 09:22:18PM +0200, Jérémy Lal wrote: Hi, sorry that i forgot to mention it in the changelog: https://security-tracker.debian.org/tracker/CVE-2014-7191 is closed by node-qs 2.2.4-1 Thanks, I've updated the tracker. Cheers, Moritz

Re: [SECURITY] [DSA 3148-1] chromium-browser end of life

2015-02-02 Thread Moritz Mühlenhoff
Paul Wise p...@debian.org wrote: So, what are the alternatives in our case? Upgrade to jessie or switch to another web browser. Or use the (non-free) Chrome DEBs provided by Google. Cheers, Moritz

Bug#761963: security-tracker: consolidate vulnerable/fixed per release in overviews

2015-03-18 Thread Moritz Mühlenhoff
On Wed, Sep 17, 2014 at 09:10:39AM +, Thijs Kinkhorst wrote: Package: security-tracker Severity: wishlist Hi, In the overview per-package, the tracker currently shows for each CVE name about seven columns: squeeze, squeeze-security, squeeze-lts, wheezy, wheezy-security, jessie, sid.

Bug#761859: security-tracker json deployed

2015-03-17 Thread Moritz Mühlenhoff
On Tue, Mar 17, 2015 at 08:17:03AM +0800, Paul Wise wrote: On Tue, 2015-03-17 at 00:03 +0100, Raphael Hertzog wrote: I also noticed that we have nowhere data that says that an issue is undetermined... maybe those issues should be entirely dropped? I don't understand why we have that

Bug#761859: security-tracker json deployed

2015-03-17 Thread Moritz Mühlenhoff
On Tue, Mar 17, 2015 at 01:09:44PM +0100, Moritz Mühlenhoff wrote: On Tue, Mar 17, 2015 at 08:17:03AM +0800, Paul Wise wrote: On Tue, 2015-03-17 at 00:03 +0100, Raphael Hertzog wrote: I also noticed that we have nowhere data that says that an issue is undetermined... maybe those issues

Re: openjdk-7 security updates after JDK 7 End of Public Updates

2015-03-24 Thread Moritz Mühlenhoff
Francis Devereux fran...@devrx.org wrote: Hi, According to http://www.oracle.com/technetwork/java/eol-135779.html, Oracle JDK 7 will reach end of public updates status in April. I believe that OpenJDK 7 will reach EOL at the same time or soon afterwards. Will the openjdk-7 packages in

Re: Sub-release information on per-source-package page

2015-05-24 Thread Moritz Mühlenhoff
On Sun, May 24, 2015 at 07:27:28PM +0200, Florian Weimer wrote: But does it make a difference to the security team processes? I guess no, but explicit confirmation would be welcome. I don't think so. Whenever I need to have a look whether any security updates are stuck in migration to the

Re: Bug#794466: Virtualbox might not be suitable for Stretch

2015-08-15 Thread Moritz Mühlenhoff
On Mon, Aug 10, 2015 at 07:16:59AM +, Gianfranco Costamagna wrote: Yes, otherwise the points remains: 1) leave the oracle with CVEs in stable releases or 2) have an exception from Security Team and/or Release Team or 3) wait and hope Oracle will change the model or make an

Re: data/CVE/list color

2015-08-15 Thread Moritz Mühlenhoff
On Wed, Aug 12, 2015 at 06:23:25PM +0200, Guido Günther wrote: Hi, I wanted some color in debian/CVE/list so I hacked up some very simple highlighting for emacs: https://git.sigxcpu.org/cgit/emacs-tools/commit/?id=200d437c93536d911da85e080188fc68a5221122 I do wonder if there is

Re: [SECURITY] [DSA 3389-1] elasticsearch end-of-life

2015-11-02 Thread Moritz Mühlenhoff
Rhonda D'Vine wrote: > Hi, > > * Moritz Muehlenhoff [2015-11-01 23:22:53 CET]: >> elasticsearch will also be removed from Debian stretch (the next stable >> Debian release), but will continue to remain in unstable and available >> in jessie-backports. > >

Re: [SECURITY] [DSA 3389-1] elasticsearch end-of-life

2015-11-02 Thread Moritz Mühlenhoff
Vincent Bernat wrote: > There are many tradeoffs recently with projects that do not want to > provide a sensible security track for stable releases: > > - always package the latest release (Chromium) For chromium and iceweasel the vast amount of security issues doesn't leave

Re: [SECURITY] [DSA 3389-1] elasticsearch end-of-life

2015-11-04 Thread Moritz Mühlenhoff
Vincent Bernat wrote: > So, it's a bit like MySQL and VirtualBox, isn't it? Except they don't > provide any stable branch. More or less, yes. Cheers, Moritz

Re: [SECURITY] [DSA 3389-1] elasticsearch end-of-life

2015-11-04 Thread Moritz Mühlenhoff
Ansgar Burchardt wrote: > That's in the end just pretending the problem doesn't exist? No, from my PoV it's a clear separation between software following our usual standards (what's in main) and the rest (what's going to be in PPAs) > I'm really not a fan of moving stuff

Re: [SECURITY] [DSA 3358-1] php5 security update

2015-09-15 Thread Moritz Mühlenhoff
Wolfgang Karall-Ahlborn wrote: > Hello, > > since today marks the end of the security support for PHP 5.4, does

Re: [SECURITY] [DSA 3358-1] php5 security update

2015-09-15 Thread Moritz Mühlenhoff
Wolfgang Karall wrote: > Hello Moritz, > > On 15-09-15 13:58:52, Moritz Mühlenhoff wrote: >> The upstream

Re: [SECURITY] [DSA 3359-1] virtualbox security update

2015-09-18 Thread Moritz Mühlenhoff
Georgi Naplatanov wrote: > > Dear maintainer(s), > virtualbox-guest-additions-iso package version is 4.3.18. Are you going > to update the package to version 4.3.30? The security team support doesn't support non-free. The maintainer can update it in a point update if needed.

Re: Update tracker for CVE-2007-5626

2016-06-01 Thread Moritz Mühlenhoff
On Wed, Jun 01, 2016 at 11:47:01AM +0200, Carsten Leonhardt wrote: > Hi, > > CVE-2007-5626 is rather ancient but still displayed as "unfixed" in the > tracker. > > Since bacula 5.0.0 "make_catalog_backup.pl" is used by default, the use > of which is not prone to the security issues that

Re: tracking security issues without CVEs

2016-03-10 Thread Moritz Mühlenhoff
On Sun, Mar 06, 2016 at 06:58:48PM +0100, Salvatore Bonaccorso wrote: > But I think as well that is right now too early to > start adopting these for not yet assigned issues. Agreed, let's stick with the usual "file a bug to get a temporary identifier" procedure for now. Cheers, Moritz

Re: Will Packaging BoringSSL Bring Any Trouble to the Security Team?

2016-05-13 Thread Moritz Mühlenhoff
殷啟聰 wrote: > Dear Debian Security Team, Our contact address is t...@security.debian.org, not debian-security... > The "android-tools" packaging team > > are introducing BoringSSL, a

Re: Will Packaging BoringSSL Bring Any Trouble to the Security Team?

2016-05-13 Thread Moritz Mühlenhoff
Moritz Mühlenhoff <j...@inutil.org> wrote: >> are introducing BoringSSL, a fork of OpenSSL by Google. The latest >> Android OS and its SDK no longer use OpenSSL and they use some APIs >> only provided by BoringSSL, hence we are bringing BoringSSL to Debian. >>

Re: flashplugin-nonfree and latest Flash security updates

2016-08-03 Thread Moritz Mühlenhoff
Nick Boyce wrote: > I realise the nonfree plugin is not really supported, but given the > serious (!!!) security implications of running a known-vulnerable Flash > player for a significant time after a fixed version has been released, > and assuming Bart is MIA for

Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?

2016-10-11 Thread Moritz Mühlenhoff
te3...@sigaint.org wrote: > I read somewhere on a forum that for security vulnerabilities that have > "NVD security" ratings of medium or low risk, Debian's security team may > not issue patches/fixes for them. Only high-risk security vulnerabilities > will be fixed. Is that

Re: embedding openssl source in sslcan

2016-12-24 Thread Moritz Mühlenhoff
Sebastian Andrzej Siewior wrote: Please use t...@security.debian.org if you want to reach the security team, not debian-security@ldo. > tl;dr: Has anyone a problem if sslscan embeds openssl 1.0.2 in its > source? That's for post-stretch, right? Right now it can

Re: maintenance for security-tracker.d.o today 1800Z to 2000Z (i.e. now)

2017-10-10 Thread Moritz Mühlenhoff
On Tue, Oct 10, 2017 at 09:23:10PM +0200, Julien Cristau wrote: > On Tue, Oct 10, 2017 at 20:02:07 +0200, Julien Cristau wrote: > > > Hi all, > > > > I'll be upgrading soriano.d.o, the host behind the security tracker, > > starting in a few minutes. Please expect some outage. Sorry for the > >

Re: RC bugs with wrong tracking info for wpa?

2017-10-16 Thread Moritz Mühlenhoff
On Mon, Oct 16, 2017 at 07:47:57PM +0200, Francesco Poli wrote: > Should I just trust my intuition and fix the version tracking info of > those three RC bugs, as said in my message? Yes. Cheers, Moritz

Re: about libhtp security issues

2017-09-30 Thread Moritz Mühlenhoff
On Sat, Sep 30, 2017 at 02:17:06PM +0200, Arturo Borrero Gonzalez wrote: > Hi, > > just noticed the security issues we have for the libhtp package [0]. > These are all fixed. The package was removed from Debian and then > re-introduced, > In the mean time, the libhtp* binary packages were served

Re: [SECURITY] [DSA 4078-1] linux security update

2018-01-12 Thread Moritz Mühlenhoff
Frank Nord wrote: > Peeking at ubuntu: > https://usn.ubuntu.com/usn/usn-3522-3/ > "USN-3522-1 fixed a vulnerability in the Linux kernel to address > Meltdown (CVE-2017-5754). Unfortunately, that update introduced > a regression where a few systems failed to boot

retpoline-enabled GCC build for jessie

2018-02-13 Thread Moritz Mühlenhoff
Hi, I've created a GCC 4.9 package for jessie with backported support for -mindirect-branch (as needed to build kernels with retpoline support). packages are available at https://people.debian.org/~jmm/gcc/. I've run some tests, but would appreciate additional testing feedback; the update is

Re: retpoline-enabled GCC build for jessie

2018-02-14 Thread Moritz Mühlenhoff
On Wed, Feb 14, 2018 at 03:26:31PM +0100, Fabian Grünbichler wrote: > is there a debdiff / source available as well? Above URL includes the source, but no debdiff (you can simply debdiff against the latest jessie package). > or is it "just" Jessie's current state plus the 9 patches from hjl's

Re: retpoline-enabled GCC build for jessie

2018-02-17 Thread Moritz Mühlenhoff
Fabian Grünbichler wrote: > > > (and is the Stretch / gcc-6 update planned in the same > > > time frame as well?) > > > > Yes, an update for GCC 6 is also in the works, but will probably be a few days > > after the jessie update. > > any special reason for that? (out of curiosity, since we had also

Re: retpoline-enabled GCC build for jessie

2018-02-15 Thread Moritz Mühlenhoff
On Thu, Feb 15, 2018 at 02:55:02PM +0100, Fabian Grünbichler wrote: > > > (and is the Stretch / gcc-6 update planned in the same > > > time frame as well?) > > > > Yes, an update for GCC 6 is also in the works, but will probably be a few days > > after the jessie update. > > any special reason for

Re: retpoline-enabled GCC build for jessie

2018-02-22 Thread Moritz Mühlenhoff
Hi, Holger Levsen wrote: > I have a stupid/uninformed question: is this gcc only useful for > rebuilding the kernel or would it "in theory" (and practice) be better > to rebuild everything with it? (of course the latter is probably not really > practical for Debian,

Re: [PATCH 00/12] Plannings for secure-testing repository migration to git

2017-12-28 Thread Moritz Mühlenhoff
On Thu, Dec 28, 2017 at 09:13:09AM +0100, Salvatore Bonaccorso wrote: > Hi > > On Wed, Dec 27, 2017 at 11:32:53PM +0100, Salvatore Bonaccorso wrote: > > 1/ desire of commit mailinglist > > Would there be objection to switch those to > debian-security-tracker@l.d.o? A dedicated list IMHO would be

Re: Plannings for secure-testing repository migration to git

2017-12-26 Thread Moritz Mühlenhoff
Hi, > FTR, so now that the beta for salsa.d.o has been announced I started > to look on what further is needed and recorded further findings in > TODO.gitmigration. Thanks for looking into this. > I suggest to as well create a new namespace and project name away from > secure-testing, namely

Re: Splitting the security-tracker repo [was Re: [PATCH 00/12] Plannings for secure-testing repository migration to git]

2017-12-28 Thread Moritz Mühlenhoff
On Thu, Dec 28, 2017 at 09:02:56PM +0100, Salvatore Bonaccorso wrote: > With that i think we have most all together to do the switch, any > comments from others? Objections? Concerns? Or something we have > overseen? Thanks for your and Guido's work on this! From my point of view I'm in favour

Re: Plannings for secure-testing repository migration to git

2017-12-26 Thread Moritz Mühlenhoff
On Tue, Dec 26, 2017 at 03:36:31PM +, Holger Levsen wrote: > I think a security-tracker-commit maillinglist does make sense on > lists.debian.org as the security tracker is a central part of Debian's > (security) infrastructure. I'd suggest to talk to listmasters about this > (unless you

Bug#907723: link package versions on security-tracker to source packages

2018-08-31 Thread Moritz Mühlenhoff
On Fri, Aug 31, 2018 at 09:48:52PM +, Mike Gabriel wrote: > Package: security-tracker > Severity: wishlist > X-Debbugs-Cc: debian-...@lists.debian.org > > Hi, > > when working for the LTS team, I regularly need to download source packages > from the LTS version of Debian. My development

Re: Testers needed for ghostscript update

2018-09-06 Thread Moritz Mühlenhoff
Jason Fergus schrieb: > On Wed, 2018-09-05 at 08:20 -0400, Celejar wrote: >> On Wed, 5 Sep 2018 11:44:23 +0200 >> Moritz Mühlenhoff wrote: >> >> > Moritz Mühlenhoff schrieb: >> > > There's a number of vulnerabilities found in Ghostscript by Tavis >

Re: Gaps in security coverage?

2018-11-06 Thread Moritz Mühlenhoff
John Goerzen schrieb: Hi John, > So I recently started running debsecan on one of my boxes. debsecan hasn't seen any feature work for about a decade and is far too noisy to the point of being useless these days. > It's a > fairly barebones server install, uses unattended-upgrades and is fully

Re: Query on db package security vulnerability

2019-02-25 Thread Moritz Mühlenhoff
On Mon, Feb 25, 2019 at 05:40:28PM +0530, Sathishkumar N wrote: > Hi , > > Can you guys tell why the below listed cves mentioned as NOT-FOR-US in > debian security tracker?. Is it possible to provide fix for this? These are all fixed by Oracle for DB 6, which can't be packaged in Debian or other

Re: Intel Microcode updates

2019-06-11 Thread Moritz Mühlenhoff
Russell Coker schrieb: > Should it be regarded as a bug in the intel-microcode package that it doesn't > have this update that is "easy enough to source"? Or do you mean "easy to get > but not licensed for distribution"? This is covered by #929073, which links to a PDF by Intel (which

Re: bullseye-security instead of bullseye/updates

2019-06-12 Thread Moritz Mühlenhoff
Ansgar wrote: > I would like to switch to *-security instead of */updates starting with > bullseye. There will likely be some complications, but they should be > solvable by the time we will publish packages in bullseye-security. Sounds good to me. Cheers, Moritz

Re: how to deal with widely used packages unsuitable for stable (was Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.)

2019-08-30 Thread Moritz Mühlenhoff
On Fri, Aug 30, 2019 at 09:17:32AM +0200, Raphael Hertzog wrote: > Hi, > > On Fri, 30 Aug 2019, Pirate Praveen wrote: > > Fast Track repo works exactly like current backports except the packages > > are added from unstable (or experimental during transitions and freeze) > > as they cannot go to

Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.

2019-08-29 Thread Moritz Mühlenhoff
Adding the radare2 uploaders to CC. On Fri, Aug 16, 2019 at 11:23:05PM +0200, Markus Koschany wrote: > >> + NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in > >> + NOTE: libr/core/bin.c. Many no-dsa issues in Jessie and Stretch. Should > >> we > >> + NOTE: continue the

[SECURITY] [DSA 4515-1] webkit2gtk security update

2019-09-04 Thread Moritz Mühlenhoff
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Debian Security Advisory DSA-4515-1 secur...@debian.org https://www.debian.org/security/ Alberto Garcia September 04, 2019

Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.

2019-09-04 Thread Moritz Mühlenhoff
On Thu, Aug 29, 2019 at 09:36:39AM +0200, Moritz Mühlenhoff wrote: > Adding the radare2 uploaders to CC. > > On Fri, Aug 16, 2019 at 11:23:05PM +0200, Markus Koschany wrote: > > >> + NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in > > >> + N

Re: empty oval xml (2019-10-24 03:31)

2019-10-24 Thread Moritz Mühlenhoff
On Thu, Oct 24, 2019 at 02:14:19PM +0200, Alexandre DERUMIER wrote: > > Hi, > > It seems that all oval xml files are empty today (2019-10-24 03:31) > > https://www.debian.org/security/oval/ These are not available again. Cheers, Moritz

Re: about older security advisories

2019-10-28 Thread Moritz Mühlenhoff
Thomas Lange schrieb: >> On Mon, 28 Oct 2019 17:31:22 +, krishna said: > > > I am going through older security advisories at webpage [z]. I have > found some links are dead, etc.. some security advisories do not contain > "More information" and "Security database references".
