Re: [SECURITY] [DSA 3177-1] mod-gnutls security update

2015-03-11 Thread Sébastien Delafond
On Mar/11, Stephan Beck wrote: Is there any reason for the circumstance that this DSA3177-1 (March 10) is being sent after DSA3181-1, and not, as it would be expected, between the announce dates of DSA3176-1 (February 26) and DSA3178-1 (March 2)? Just curious. None other than the fact I've

Re: inspircd: CVE-2012-1836 patch incomplete

2015-04-01 Thread Sébastien Delafond
On 2015-03-31, Guillaume Delacour g...@iroqwa.org wrote: Upstream confirm me that the fix is correct for this CVE. The package uploaded on mentors was not modified since my first mail and is ready for upload if anybody can/want upload it to stable. I'm waiting for CVE assignments from MITRE,

Re: [SECURITY] [DSA 3224-1] libx11 security update

2015-04-13 Thread Sébastien Delafond
On 2015-04-13, Henrique de Moraes Holschuh h...@debian.org wrote: The use of bin-NMUs for this is causing utter havoc here due to multi-arch: [...] (obviously a straight apt upgrade run or aptitude upgrade run will give similar results). Indeed; this is tracked via

Re: Downloading all information in JSON format

2016-02-01 Thread Sébastien Delafond
On 2016-02-01, Grant Murphy wrote:
> Cool thanks. I'm currently getting a 404 from this URL -
> https://security-tracker.debian.org/tracker/data/json is this
> related?
The JSON API was disabled this week-end, because it was causing a huge load on security-tracker.d.o,

Bug#812410: 812410

2016-01-30 Thread Sébastien Delafond
I think we'd want to make tracker_server aware of the not-affected status, but I'll wait for a second opinion... Cheers, --Seb

Re: Downloading all information in JSON format

2016-02-02 Thread Sébastien Delafond
On 2016-02-01, Sébastien Delafond wrote:
> The JSON API was disabled this week-end, because it was causing a
> huge load on security-tracker.d.o, thus impacting the rest of the
> functionalities. It will be restored shortly.
The JSON API is back, after putting in a crude caching

Re: [SECURITY] [DSA 3541-1] roundcube security update

2016-04-05 Thread Sébastien Delafond
On 2016-04-05, donoban wrote:
> Why this took so long? Roundcube team fixed this 2015-12-26:
>
> https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released
>
> And it also seems an easy fix to backport:
>

Re: working for wheezy-security until wheezy-lts starts

2016-03-01 Thread Sébastien Delafond
On 2016-03-01, Mike Gabriel wrote:
> @Security Team: Shall we (LTS contributors) handle wheezy-security
> updates like described below until Debian wheezy LTS comes into play?
>
>    o Pick a package that has open CVE issues in wheezy, e.g. from
>      above list
>    o

[tracker] New sub-states for issues tagged no-dsa

2017-08-11 Thread Sébastien Delafond
After some discussion about what no-dsa really means, I've added 2 new sub-states to the tracker, and they can be used as follows: CVE-2018-10012345 - foo (bug #9876543) [stretch] - shadow (Minor issue, later) [jessie] - shadow (Minor issue, later)

Re: [PATCH 0/8] Cleanup D*A ist formating

2017-05-31 Thread Sébastien Delafond
On 2017-05-31, Philipp Hahn wrote:
> for my project I need the information which CVE is fixed by which
> Debian package. I do that by reading the DSA list. I tried
> lib/python/bugs.py first, but at the end wrote my own parser based on
> some simple regular expressions.

Report from the Debian Security Team Sprint in Hamburg (May 2018)

2018-09-16 Thread Sébastien Delafond
), Moritz Muehlenhoff (jmm), Salvatore Bonaccorso (carnil), Sébastien Delafond (seb), and Yves-Alexis Perez (corsac). We'd like to thank the Mini-DebConf organizers for providing the facilities for our sprint, as well as all donors to the Debian project who helped to cover a large part of our expenses

Re: "Version less than 0.0" in OVAL definitions

2021-05-17 Thread Sébastien Delafond
Hi, the Debian Security team periodically gets requests and/or bug reports about the OVAL exports, and our general stance is that although we can't provide support for them, I'll gladly review and accept PRs on the OVAL generation code if people are interested in fixing whatever issues they