Re: NodeJS Security

2016-06-15 Thread Salvatore Bonaccorso
Hi Sven, On Wed, Jun 15, 2016 at 02:08:17PM +, Sven Buesing wrote: > Dear Debian Security-Team, > > Are you going to address the following issues in nodejs for jessie > (CVE-2016-2107, CVE-2016-2105, CVE-2016-0705, CVE-2016-0702)? For more > information see below. I'm afraid, but nodejs and

Call for testing: regression update for samba security update (DSA-3548-1)

2016-06-02 Thread Salvatore Bonaccorso
Hi The last Samba security update issued as DSA-3548-1 introduced several upstream regressions, which are addressed in this update. Before we release the packages we would like to call for additional testing. The packages can be found on https://people.debian.org/~carnil/tmp/samba/jessie

Call for testing: upcoming libxml2 security update

2016-05-28 Thread Salvatore Bonaccorso
Hi The upcoming libxml2 security update is a little bigger than usual, so we want to expose the package a bit for additional testing. If you find a problem introduced by updating to these packages, please report the problem directly to t...@security.debian.org. The packages can be found

Re: Update tracker for CVE-2012-1620

2016-05-07 Thread Salvatore Bonaccorso
Hi Ilias, On Sat, May 07, 2016 at 12:54:47PM +0300, Ilias Tsitsimpis wrote: > Could someone update the security tracker for suckless-tools? > CVE-2012-1620 has been fixed since version suckless-tools/39-1. > The corresponding Debian Bug is #667796. Thanks. I have updated the tracker information.

Call for testing: upcoming samba security update

2016-04-12 Thread Salvatore Bonaccorso
Hi The upcoming Samba update is bigger than usual since for Jessie an update is needed to 4.2. We want to expose the package a bit more for additional testing. Please test the packages found on https://people.debian.org/~carnil/tmp/samba/ (no apt repository available for these test

Re: tracking security issues without CVEs

2016-03-06 Thread Salvatore Bonaccorso
Hi Brian, hi Paul, On Sun, Mar 06, 2016 at 04:59:43PM +0100, Salvatore Bonaccorso wrote: > Hi, > > On Sun, Mar 06, 2016 at 03:33:16PM +1100, Brian May wrote: > > Just wondering if there is some other way we can track security issues > > for when CVEs are not availab

Re: tracking security issues without CVEs

2016-03-06 Thread Salvatore Bonaccorso
Hi, On Sun, Mar 06, 2016 at 03:33:16PM +1100, Brian May wrote: > Just wondering if there is some other way we can track security issues > for when CVEs are not available. > > Thinking of imagemagick here, it has a lot of security issues, and > requests for CVEs are not getting any responses.

Re: squid3: CVE-2016-2569 CVE-2016-2570 CVE-2016-2571

2016-02-26 Thread Salvatore Bonaccorso
Hi Amos, On Sat, Feb 27, 2016 at 07:20:57AM +1300, Amos Jeffries wrote: > Hi, > FYI the "squid" (version 2.7.*) source packages still hanging around > in squeeze and wheezy are not affected by these. Thanks. I will update the tracker information. Regards, Salvatore

Re: [SECURITY] [DSA 3482-1] libreoffice security update

2016-02-17 Thread Salvatore Bonaccorso
Hi Rene, On Wed, Feb 17, 2016 at 11:40:17PM +0100, Rene Engelhard wrote: > On Wed, Feb 17, 2016 at 07:29:59PM +, Sebastien Delafond wrote: > > For the testing (stretch) and unstable (sid) distributions, these > > problems have been fixed in version 1:5.1.1~rc1-1. > > Actually, as I said (and

Re: stalin: CVE-2015-8697: Insecure use of temporary files

2016-01-20 Thread Salvatore Bonaccorso
Hi Rob, On Wed, Jan 20, 2016 at 05:41:56AM -0600, Rob Browning wrote: > Rob Browning writes: > > > I believe the package is scheduled to be removed next week, and I'm > > still waiting on a discussion with upstream about a (non-trivial) patch > > I wrote to attempt to

Re: [SECURITY] [DSA 3448-1] linux security update

2016-01-19 Thread Salvatore Bonaccorso
Hi, On Wed, Jan 20, 2016 at 10:42:04AM +0800, Bjoern Nyjorden wrote: > Thanks Holger & Ben, > > Most appreciated. So, just to confirm; my take away on this is: > > * 1. "Wheezy" Linux kernels are NOT AFFECTED. > > * 2. "Wheezy" & "Jessie" BACKPORTS Linux kernels are VULNERABLE. > > If I

Re: Bug#810799: libcgi-session-perl: Perl DSA-3441-1 exposes taint bug in CGI::Session::Driver::file

2016-01-12 Thread Salvatore Bonaccorso
Hi, On Tue, Jan 12, 2016 at 01:38:51PM +, Dominic Hargreaves wrote: > Control: tags -1 - security > Control: found -1 4.46-1 > > On Tue, Jan 12, 2016 at 12:54:19PM +, Chris Boot wrote: > > Control: tag -1 security > > > > On 12/01/16 12:28, Chris Boot wrote: > > [snip] > > > Forwarded:

Call for testing: libxml2 update

2015-12-20 Thread Salvatore Bonaccorso
Hi The upcoming libxml2 security update is a little bigger than usual, so we want to expose the package a bit for additional testing. If you find a problem introduced by updating to these packages, please report the problem directly to t...@security.debian.org. The packages can be found

Re: Cannot retrieve updates from security repos

2015-12-17 Thread Salvatore Bonaccorso
Hi, On Thu, Dec 17, 2015 at 11:40:47PM +0200, Pavlos K. Ponos wrote: > Hello everyone, > > First of all, apologies in advance if this mailing list is not the correct > one :) > > While I was trying to do my usual updates in my Jessie installation, I took > the following message: > > Err

Bug#805079: security-tracker: External check for CVEs from Red Hat not working anymore

2015-11-14 Thread Salvatore Bonaccorso
Package: security-tracker Severity: normal Owner: car...@debian.org Currently the external check for CVEs found on Red Hat but not in the security-tracker is not working anymore due to changes on Red Hat's site listing the CVEs. Working on trying to find an alternative method. Regards,

Re: [SECURITY] [DSA 3386-2] unzip regression update

2015-11-10 Thread Salvatore Bonaccorso
Hi David, On Tue, Nov 10, 2015 at 08:59:04AM +0100, Thijs Kinkhorst wrote: > Hi David, > > On Mon, November 9, 2015 23:25, David McDonald wrote: > > Hi Salvatore, > > > > Your e-mail below states: > > > > "For the stable distribution (jessie), this problem has been fixed in > > version

Re: [SECURITY] [DSA 3386-2] unzip regression update

2015-11-10 Thread Salvatore Bonaccorso
Hi Dave, On Tue, Nov 10, 2015 at 09:54:19PM +, David McDonald wrote: > Thank you Salvatore & Thijs for your responses. > > I appreciate and understand your advice. > > My specific interest in the matter arose after receiving the alert. > I prepared to install the update that was listed in

Re: [SECURITY] [DSA 3355-2] libvdpau regression update

2015-11-03 Thread Salvatore Bonaccorso
Hi Ansgar, On Tue, Nov 03, 2015 at 08:30:56AM +0100, Ansgar Burchardt wrote: > Hi, > > Salvatore Bonaccorso <car...@debian.org> writes: > > On Tue, Nov 03, 2015 at 01:08:36AM +0100, Cyril Brulebois wrote: > >> Daniel Reichelt <deb...@nachtgeist.net> (2015-11-0

Re: [SECURITY] [DSA 3355-2] libvdpau regression update

2015-11-02 Thread Salvatore Bonaccorso
Hi, Adding FTP masters to the loop, since they might help best in this case. On Tue, Nov 03, 2015 at 01:08:36AM +0100, Cyril Brulebois wrote: > Hi, > > Daniel Reichelt (2015-11-03): > > Hi * > > > > the amd64 build for 0.8-3+deb8u2 seems to be missing from [1]. > > > >

Re: Embedded code copy in passwordsafe

2015-10-18 Thread Salvatore Bonaccorso
Hi Bill, On Tue, Oct 13, 2015 at 06:46:02PM -0400, Bill Blough wrote: > > Hi! > > The passwordsafe package (still in NEW) contains an embedded copy of pugixml > (src:pugixml). > > The version of pugixml included in passwordsafe uses a different compile-time > configuration than the packaged

Re: Missing package in Debian Security Tracker site

2015-10-13 Thread Salvatore Bonaccorso
Hi On Tue, Oct 13, 2015 at 05:08:39PM +0800, Xiaoguang Bai wrote: > Hi, > > For DSA-3348-1, the information in following 2 sources does not match. The > security tracker site does not show the fixed package/version for wheezy. > >

Re: Correction to CVE-2015-3330 information

2015-06-01 Thread Salvatore Bonaccorso
Hi Will, On Mon, Jun 01, 2015 at 02:31:15PM -0600, Will Aoki wrote: https://security-tracker.debian.org/tracker/CVE-2015-3330 shows everything but squeeze-lts as vulnerable. There are two corrections I suggest: - As I understand it, wheezy isn't affected unless someone has upgraded

Re: [SECURITY] [DSA 3269-1] postgresql-9.* security update

2015-05-28 Thread Salvatore Bonaccorso
Hi, On Thu, May 28, 2015 at 12:50:43PM +0200, ma...@wk3.org wrote: Hi, it seems this upgrade introduced some issues regarding symlinks. It's very easy to mitigate, but I guess less stressful if you know about it in advance:

Re: upgrading soler.d.o

2015-05-28 Thread Salvatore Bonaccorso
Hi. On Thu, May 28, 2015 at 06:34:44AM +0200, Salvatore Bonaccorso wrote: Hi, On Thu, May 28, 2015 at 11:39:34AM +0800, Paul Wise wrote: On Wed, 2015-05-27 at 22:16 +0200, Salvatore Bonaccorso wrote: It was updated already and did afterwards some testing. Looks fine so far

Re: upgrading soler.d.o

2015-05-28 Thread Salvatore Bonaccorso
Hi all, On Thu, May 28, 2015 at 10:33:19AM +0200, Salvatore Bonaccorso wrote: Hi. On Thu, May 28, 2015 at 06:34:44AM +0200, Salvatore Bonaccorso wrote: Hi, On Thu, May 28, 2015 at 11:39:34AM +0800, Paul Wise wrote: On Wed, 2015-05-27 at 22:16 +0200, Salvatore Bonaccorso wrote

Re: upgrading soler.d.o

2015-05-27 Thread Salvatore Bonaccorso
Hi Florian, On Wed, May 27, 2015 at 10:08:12PM +0200, Florian Weimer wrote: * Peter Palfrader: we'd like to upgrade soler.d.o jessie shortly. Any objections? Should we just do it and let you pick up the pieces, if any, or would you rather stop by in #debian-admin on IRC to coordinate?

Call for testing: libapache-mod-jk fixing CVE-2014-8111

2015-05-26 Thread Salvatore Bonaccorso
Hi Markus Koschany prepared updated package for libapache-mod-jk for wheezy-security and jessie-security. If you run libapache-mod-jk in production testing of the prepared packages would be very welcome. If you find a problem introduced by updating to these packages, please report the problem

Re: Sub-release information on per-source-package page

2015-05-25 Thread Salvatore Bonaccorso
Hi Florian, On Mon, May 25, 2015 at 05:57:20PM +0200, Salvatore Bonaccorso wrote: Hi Florian, On Mon, May 25, 2015 at 05:52:00PM +0200, Florian Weimer wrote: * Florian Weimer: Salvatore pointed me to the long-standing bug which causes the per-source-package pages

Re: Sub-release information on per-source-package page

2015-05-25 Thread Salvatore Bonaccorso
Hi Florian, On Mon, May 25, 2015 at 05:52:00PM +0200, Florian Weimer wrote: * Florian Weimer: Salvatore pointed me to the long-standing bug which causes the per-source-package pages such as https://security-tracker.debian.org/tracker/source-package/dnsmasq not to display fixes

Re: External check

2015-05-19 Thread Salvatore Bonaccorso
Hi, On Tue, May 19, 2015 at 05:49:44AM +, Raphael Geissert wrote: CVE-2015-8146: missing from list CVE-2015-8147: missing from list These two seem wrong both in the Debian bug #784773 subject and as consequence in the Red Hat bugzilla. They should be CVE-2014-8146 and CVE-2014-8147 afaics.

Re: [SECURITY] [DSA 3258-1] quassel security update

2015-05-13 Thread Salvatore Bonaccorso
Hi, On Wed, May 13, 2015 at 07:43:47PM +0800, Paul Wise wrote: On Wed, May 13, 2015 at 5:26 PM, Dominic Hargreaves wrote: As far as I can tell from https://security-tracker.debian.org/tracker/CVE-2013-4422 wheezy wasn't affected by the original CVE since the version of QT there is

Bug#783491: security-tracker: document what needs to be done on releases and other archive changes

2015-05-08 Thread Salvatore Bonaccorso
Hi all, FTR/for documentation: I as well reverted a change to bin/add-dsa-needed.sh since it otherwise looked as well at oldoldstable and generated wrong suggestions for addition to dsa-needed.txt. (r34131) Reference is added as well in

Bug#783491: security-tracker: document what needs to be done on releases and other archive changes

2015-05-04 Thread Salvatore Bonaccorso
Hi I think two more changes were actually needed to get the testing status view show the correct information: r34072 and 34073. https://security-tracker.debian.org/tracker/status/release/testing should look better now. Regards, Salvatore

Re: Embedded code copy in flightcrew

2015-03-02 Thread Salvatore Bonaccorso
Hi Mattia, On Sun, Mar 01, 2015 at 07:42:49PM +0100, Mattia Rizzolo wrote: Hi! The flightcrew package, recently accepted by the ftp folks, contains a patched copy of zipios. Look at https://sources.debian.net/src/flightcrew/0.7.2%2Bdfsg-1/src/zipios/changes_made.txt/ for more info.

Bug#761859: security-tracker json deployed

2015-02-27 Thread Salvatore Bonaccorso
Hi Paul, On Fri, Feb 27, 2015 at 07:31:10AM +0800, Paul Wise wrote: On Thu, 2015-02-26 at 17:41 +0100, Holger Levsen wrote: On Donnerstag, 26. Februar 2015, Paul Wise wrote: I noticed the description fields are truncated, is that intentional? that's all that is stored in the db...

Bug#777456: security-tracker: DSA-2978-2 vs. tracker

2015-02-08 Thread Salvatore Bonaccorso
Hi Francesco, On Sun, Feb 08, 2015 at 12:35:56PM +0100, Francesco Poli (wintermute) wrote: Package: security-tracker Severity: normal Hello again, there seems to be a typo in the tracker page for CVE-2014-3660 [1]: it states that the vulnerability is fixed in jessie by

Call for testing: c-icap security update

2014-12-10 Thread Salvatore Bonaccorso
Hi There is an upcoming update for c-icap for wheezy-security. If you run a c-icap setup, testing of the prepared packages would be very welcome. If you find a problem introduced by updating to these packages, please report the problem directly to t...@security.debian.org. The packages can be

Bug#771121: security-tracker: often returns 502 Proxy Error

2014-11-26 Thread Salvatore Bonaccorso
Hi Francesco, On Wed, Nov 26, 2014 at 11:56:26PM +0100, Francesco Poli (wintermute) wrote: Am I the only one who experiences such issues? I was hoping to see the problem fixed, but no joy yet... Just to confirm: you are not the only one, I'm seeing the same from time to time in the last couple

Bug#764091: security-tracker: CVE overview does not sort group anymore by Source Package when one CVE affects multiple source packages

2014-10-05 Thread Salvatore Bonaccorso
Package: security-tracker Severity: normal Hi After the changes in #761889, when a CVE affects multiple source packages, the vulnerable and fixed packages table sorts only by release. So now for example CVE-2014-0207 shows: Source Package Release Version

Re: [SECURITY] [DSA 3032-1] bash security update

2014-09-25 Thread Salvatore Bonaccorso
Hi Jens, On Thu, Sep 25, 2014 at 10:05:28AM +0200, Rabe, Jens wrote: is there a chance to get the bash-update for squeeze (6.0)? Note that regular security support for squeeze has ended. You will need to use squeeze-lts to still receive updates; more details are in [1]. [1]

Re: Guidance on no-dsa and adding entries to dsa/dla-needed.txt

2014-09-24 Thread Salvatore Bonaccorso
Hi all, On Wed, Sep 24, 2014 at 02:37:00PM +0200, Holger Levsen wrote: [...] Then the separate text files could go away, and we can just use no-dsa in the CVE list to keep those pages up to date. you mean those dsa-needed.txt and dla-needed.txt files? We could. But right now we also use

Re: Switching the tracker to git

2014-09-15 Thread Salvatore Bonaccorso
Hi I forgot about two more points: One is the sectracker user is subscribed to the commits mailinglists, and the commit messages trigger updates of the tracker. The other thing, the svn checkout is also used for http://security-team.debian.org, but this should be a simple case. I will add all

Bug#610220: Show URLs in TODO/NOTE as hyperlinks in the web view

2014-09-15 Thread Salvatore Bonaccorso
Hi Holger, On Mon, Sep 15, 2014 at 02:32:54PM +0200, Holger Levsen wrote: On Samstag, 13. September 2014, Salvatore Bonaccorso wrote: I had a look at this patch. It can only address isolated URLs in the notes this way. We usually use this in other ways, one example is that was Florian

Bug#610220: Show URLs in TODO/NOTE as hyperlinks in the web view

2014-09-15 Thread Salvatore Bonaccorso
Hi Holger, On Mon, Sep 15, 2014 at 03:30:05PM +0200, Holger Levsen wrote: Hi, On Montag, 15. September 2014, Salvatore Bonaccorso wrote: Hmm, would something wrapping around of the following work? sounds like a good start... Considering there might be more than one matching group

Bug#610220: Show URLs in TODO/NOTE as hyperlinks in the web view

2014-09-15 Thread Salvatore Bonaccorso
Hi Holger, On Mon, Sep 15, 2014 at 06:05:29PM +0200, Salvatore Bonaccorso wrote: Hi Holger, On Mon, Sep 15, 2014 at 03:30:05PM +0200, Holger Levsen wrote: Hi, On Montag, 15. September 2014, Salvatore Bonaccorso wrote: Hmm, would something wrapping around of the following work

Bug#742855: Sort releases correctly in tabular view. (Closes: #742855)

2014-09-15 Thread Salvatore Bonaccorso
Hi Holger, On Mon, Sep 15, 2014 at 01:47:57AM +0200, Holger Levsen wrote: Hi Salvatore, On Samstag, 13. September 2014, Salvatore Bonaccorso wrote: I tested the patch in my local instance. yeah, it's clearly the wrong patch, I attached, sorry. libspring-java as by now, might change

Re: RFC: Invert ordering of issues in source package view: newest should be up

2014-09-15 Thread Salvatore Bonaccorso
Hi, On Mon, Sep 15, 2014 at 02:24:34PM +0200, Holger Levsen wrote: Hi Salvatore, On Samstag, 13. September 2014, Salvatore Bonaccorso wrote: This changes the ordering in the 'Security announcements section, ordering it by release date of the DSA/DLA, right? So for example file will show

Bug#610220: Show URLs in TODO/NOTE as hyperlinks in the web view

2014-09-15 Thread Salvatore Bonaccorso
Hi, On Mon, Sep 15, 2014 at 07:59:53PM +0200, Holger Levsen wrote: Hi Salvatore, On Montag, 15. September 2014, Salvatore Bonaccorso wrote: https://security-tracker.debian.org/tracker/CVE-2011-2825 hmpf, that works for 1 out of 3, the other 2 are detected as one :/ We only have

Bug#742382: Display oldstable/stable security and olstable-lts repositories in tabular view. (Closes: #742382)

2014-09-15 Thread Salvatore Bonaccorso
Hi, On Mon, Sep 15, 2014 at 11:40:59PM +0200, Holger Levsen wrote: Hi, On Samstag, 13. September 2014, Salvatore Bonaccorso wrote: I have your patch running on my testinstance and looks good so far! (But having done only some basic tests). I'd like to push this one next, as this really

Bug#610220: Show URLs in TODO/NOTE as hyperlinks in the web view

2014-09-13 Thread Salvatore Bonaccorso
Control: tags -1 - pending Hi Holger, On Fri, Sep 12, 2014 at 12:19:06PM +0200, Holger Levsen wrote: attached is a patch to lib/python/web_support.py which turns the notes (used in CVEs) into hyperlinks - if they start with http(s):// Please tell me whether it's ok to commit this. I had a

Bug#742382: Display oldstable/stable security and olstable-lts repositories in tabular view. (Closes: #742382)

2014-09-13 Thread Salvatore Bonaccorso
Hi Holger, On Sat, Sep 13, 2014 at 01:51:52AM +0200, Holger Levsen wrote: Hi, commit b22f1ba0cd9499e716f7b729f546a98bd4950dda Author: Holger Levsen hol...@layer-acht.org Date: Sat Sep 13 01:47:11 2014 +0200 Display oldstable/stable security and olstable-lts repositories in

Re: small misc fixes

2014-09-12 Thread Salvatore Bonaccorso
Hi Holger, On Fri, Sep 12, 2014 at 03:14:57PM +0200, Holger Levsen wrote: Hi, On Freitag, 12. September 2014, Holger Levsen wrote: attached are three small no brainer fixes I'd like to apply, please confirm thanks to Thijs, this diff even got smaller and better, see attached. I've

Bug#742855: Sort releases correctly in tabular view. (Closes: #742855)

2014-09-12 Thread Salvatore Bonaccorso
Control: tags -1 - pending Hi, On Sat, Sep 13, 2014 at 01:32:38AM +0200, Holger Levsen wrote: Hi, commit baa7d44e460efe2b24e7b029633701cd29986d0d Author: Holger Levsen hol...@layer-acht.org Date: Sat Sep 13 01:23:35 2014 +0200 Sort releases correctly in tabular view. (Closes:

Re: RFC: Invert ordering of issues in source package view: newest should be up

2014-09-12 Thread Salvatore Bonaccorso
Hi Holger, On Sat, Sep 13, 2014 at 01:35:06AM +0200, Holger Levsen wrote: Hi, I think this is clearly a bugfix ;-) Please comment. Both open and resolved issues will be inverse sorted, so that newest CVEs will be on top of the list. cheers, Holger commit

Re: fixing four bugs, let's start with a Makefile.diff

2014-09-11 Thread Salvatore Bonaccorso
Hi, On Fri, Sep 12, 2014 at 01:04:01AM +0200, Holger Levsen wrote: [...] So, may I commit this Makefile? :) (Further cleanup seems useful but I have no idea how the targets are called by cron...) The documentation for the setup on soler is in doc/soler.txt. I can check this weekend if

Bug#761061: tracker doesnt show closed issues as done

2014-09-10 Thread Salvatore Bonaccorso
Hi, On Wed, Sep 10, 2014 at 02:06:01PM +0200, Holger Levsen wrote: package: security-tracker severity: important x-debbugs-cc: debian-...@lists.debian.org Hi, the tracker doesnt show issues which are only closed in the security or lts subreleases as closed, as for example can be seen

Call for testing: gnupg update

2014-09-03 Thread Salvatore Bonaccorso
Hi, The upcoming gnupg update introduces import functions that apply a constraining filter to imported keys, allowing to ensure that the keys fetched from the keyserver are in fact those selected by the user beforehand. The initial patch introduced regressions which were fixed upstream. Please

Bug#759727: patches for including LTS into security-tracker.d.o

2014-08-31 Thread Salvatore Bonaccorso
Hi Holger, hi Florian, On Sun, Aug 31, 2014 at 02:37:34PM -0700, Holger Levsen wrote: Hi, On Sonntag, 31. August 2014, Florian Weimer wrote: You mean, with TEMP-%? yeah, that's what I meant... It's currently not possible to address TEMP- vulnerabilities reliably, so they cannot

Re: [SECURITY] [DSA 2992-1] linux security update

2014-07-29 Thread Salvatore Bonaccorso
Hello Romain, On Tue, Jul 29, 2014 at 10:00:25AM +0200, Romain Francoise wrote: The advisory text should perhaps mention that 3.2.60-1+deb7u3 includes 3.2.60-1+deb7u2, which reverts two commits from previous updates that caused networking regressions. Yes indeed, I should have mentioned that.

Re: CVE-2014-3477 fixed in dbus/1.6.8-1+deb7u2

2014-06-12 Thread Salvatore Bonaccorso
Hi Simon, On Thu, Jun 12, 2014 at 08:15:24PM +0100, Simon McVittie wrote: In case the mention of the CVE ID in debian/changelog is not enough for someone to update the security tracker: CVE-2014-3477 is fixed in dbus/1.6.8-1+deb7u2, which was just accepted into proposed-updates. It was also

Re: [SECURITY] [DSA 2945-1] chkrootkit security update

2014-06-03 Thread Salvatore Bonaccorso
Hi, On Wed, Jun 04, 2014 at 01:08:44AM +0200, Luigi Bianca wrote: what's about oldstable ? My system says 0.49-4 but apt-get doesn't find anything to update. Thanks in advance. Security support for oldstable has ended at the end of the month, but there is squeeze-lts available. See

Re: [SECURITY] [DSA 2911-1] icedove security update

2014-04-28 Thread Salvatore Bonaccorso
Hi, On Thu, Apr 24, 2014 at 11:36:49AM -0400, charlie derr wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 04/24/2014 11:21 AM, Salvatore Bonaccorso wrote: This indeed seems to be a typo in the DSA-2911-1. The fixed version for the unstable distribution for the given CVEs

Re: [SECURITY] [DSA 2911-1] icedove security update

2014-04-24 Thread Salvatore Bonaccorso
Hi, On Thu, Apr 24, 2014 at 10:05:08AM -0400, charlie derr wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 04/22/2014 11:25 AM, Moritz Muehlenhoff wrote: - Debian Security Advisory DSA-2911-1

Re: DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?

2014-04-08 Thread Salvatore Bonaccorso
Hi Frederik, On Tue, Apr 08, 2014 at 04:01:37PM +, Fredrik Jonson wrote: Hi, After upgrading the packages in DSA 2896-2 (openssl security update), the second version, 1.0.1e-2+deb7u6, that detects services to restart, I noted that the postist script didn't suggest that I should restart

Bug#742855: security-tracker: tabular view should always be by release order

2014-03-28 Thread Salvatore Bonaccorso
Package: security-tracker Severity: normal Hi Unfortunately the tabular view is not always ordered by release. For example [1] shows in the tabular view: +---++---+++ | Bug | jessie | sid | wheezy

Bug#742096: security-tracker: CVE table not shown in Open unimportant issues section

2014-03-19 Thread Salvatore Bonaccorso
Package: security-tracker Severity: wishlist Hi, Paul Wise pointed out on IRC that the new CVE table view is shown in the Open issues section, but not in the Open unimportant issues. Opening a bug to track the status/fix for that part as well. Regards, Salvatore

Re: [SECURITY] [DSA 2867-1] otrs2 security update

2014-02-24 Thread Salvatore Bonaccorso
Hi, On Sun, Feb 23, 2014 at 08:42:01PM +, Salvatore Bonaccorso wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2867-1 secur...@debian.org http

Re: [SECURITY] [DSA 2858-1] iceweasel security update

2014-02-15 Thread Salvatore Bonaccorso
Hi Christoph, On Wed, Feb 12, 2014 at 10:07:47PM +0100, Christoph Biedl wrote: Hello Debian security, Moritz Muehlenhoff wrote... Package: iceweasel (...) This update updates Iceweasel to the ESR24 series of Firefox. Unfortunately, this upgrade broke the

Bug#727534: security-tracker: Add tabular view listing all CVEs and version table for a source package

2014-02-08 Thread Salvatore Bonaccorso
Hi Antonio, On Thu, Oct 24, 2013 at 09:49:19AM -0300, Antonio Terceiro wrote: It would be nice if someone familiar with the codebase could write up instructions on how to do that. Actually at the Security Team meeting we are working now on this. Mainly if you want to set up a testinstance of

Testers for typo3-src security update (in particular squeeze packages)

2013-12-29 Thread Salvatore Bonaccorso
Hi Christian Welzel, maintainer of typo3-src prepared backports for security issues in typo3-src. Some testing of the squeeze packages in particular would be welcome before releasing these packages. Packages are uploaded at [1]. If you find a regression/problem explicitly caused by an update of

Re: cmrekey.adv ?

2013-11-16 Thread Salvatore Bonaccorso
Hi Yanosz, On Sat, Nov 16, 2013 at 10:32:27AM +0100, Jan Lühr wrote: Hello folks, short one: Is Debian GNU/Linux affected by http://www.openssh.com/txt/gcmrekey.adv ? See: https://security-tracker.debian.org/tracker/CVE-2013-4548 . In short, oldstable and stable where not affected, for

Bug#727534: security-tracker: Add tabular view listing all CVEs and version table for a source package

2013-10-23 Thread Salvatore Bonaccorso
Package: security-tracker Severity: wishlist Hi On last DebConf Antonio Terceiro brought up the following idea for an additional view for a source package in the security-tracker. I'm opening the bugreport to not forget about it. It would be nice to have for a given source package a report/view

Automatic CVE updates cronjob problem?

2013-09-06 Thread Salvatore Bonaccorso
Hi [Cc'ing Joey directly as I don't know if you are subscribed to the list, let me know if I should drop] I noticed that since the 2nd of September the automatic update of the CVE list is not done anymore for the security-tracker. Joey do you know if there is some problem with your cronjob

Re: Linking security tracker with exploit-db ?

2013-09-01 Thread Salvatore Bonaccorso
Hi all, On Thu, Mar 21, 2013 at 11:53:33PM +0200, Henri Salo wrote: On Thu, Mar 21, 2013 at 10:38:47PM +0100, Raphael Hertzog wrote: (I'm not subscribed to debian-security-tracker@lists.debian.org, please keep me in CC) Hello, while discussing with someone at Offensive Security, I

Bug#717103: security-tracker: DSA-2722-1 vs. tracker

2013-07-16 Thread Salvatore Bonaccorso
Hi Francesco, On Tue, Jul 16, 2013 at 10:38:46PM +0200, Francesco Poli (wintermute) wrote: Package: security-tracker Severity: normal Hi, DSA-2722-1 [1] says that many vulnerabilities have been fixed for sid in openjdk-7/7u25-2.3.10-1 . The tracker seems to agree for all the

security-tracker problems after alioth update

2013-06-12 Thread Salvatore Bonaccorso
Hi After the alioth update there are still some problems for the security-tracker. The website right now does not get updated anymore automatically. What I have done on vasks.d.o side: - /home/groups/secure-testing/repo relocated from svn://svn.debian.org/secure-testing to

Re: CVE-2012-5083 does not affect openjdk

2013-04-30 Thread Salvatore Bonaccorso
Hi Steven On Tue, Apr 30, 2013 at 07:21:29PM +0100, Steven Chamberlain wrote: Bug #690774 was closed (as invalid), and the remaining CVEs from the Oracle Java October 2012 updates have been marked as invalid, except for CVE-2012-5083, which is still open in the security tracker. I don't

Re: [SECURITY] [DSA 2593-1] moin security update

2012-12-30 Thread Salvatore Bonaccorso
Hi On Sat, Dec 29, 2012 at 09:31:42PM +0100, Moritz Muehlenhoff wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2593-1 secur...@debian.org

Re: Informazioni Log Analyzer Postfix

2012-12-01 Thread Salvatore Bonaccorso
Hi Stefano [I'm first telling him in Italian that this is an English-speaking list and that I'm trying to translate] This is an English-language list. If you have questions in Italian you could contact the debian-italian list [1]. [1]: https://lists.debian.org/debian-italian/ I'll now try to translate
