Bug#649476: fop: Failure confirmed with 1:1.0.dfsg2-3 but not with 1:0.95.dfsg-11

2011-12-07 Thread Raphael Hertzog
On Wed, 07 Dec 2011, Vincent Hobeika wrote: I confirm this bug for 1:1.0.dfsg2-3. However on 1:0.95.dfsg-11 I was able to produce the User Guide.pdf without any problem. Yes, the build used to work with the old fop. I have started a thread on fop users mailing list. We are trying to find the

Bug#549737: libgnucrypto-java: FTBFS: rm: cannot remove `debian/libgnucrypto-java/usr/share/info/dir': No such file or directory

2009-10-26 Thread Raphael Hertzog
On Mon, 26 Oct 2009, Lucas Nussbaum wrote: No, the build was done with version 1.15.4. You need to build-depend on install-info, which is no longer provided directly by dpkg. dpkg people, wouldn't it make sense to depend on install-info in dpkg, No, the whole point of using Breaks against

Bug#762444: Insecure certificate validation CVE-2014-3596

2014-09-22 Thread Raphael Hertzog
Package: axis Severity: grave Tags: security Hi, the following vulnerability was published for axis. CVE-2014-3596[0]: | The getCN function in Apache Axis 1.4 and earlier does not properly | verify that the server hostname matches a domain name in the subject's | Common Name (CN) or

Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack

2014-09-22 Thread Raphael Hertzog
Hi, On Mon, 18 Aug 2014, Salvatore Bonaccorso wrote: On Thu, Aug 14, 2014 at 11:43:32PM +0200, Emmanuel Bourg wrote: Is there an example available somewhere of a subject improperly parsed by commons-httpclient/3.1-10.2? This would help backporting the fix to this version. I think this
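Added example, not code from Axis, commons-httpclient or either bug report above: the class of weakness behind CVE-2014-3596 and CVE-2012-6153 is a hostname check that treats the certificate subject as a flat string and searches it for "CN=". The crafted subject below is constructed for illustration (neither report on this page quotes the subject that was actually misparsed): the attacker hides the victim's name, with an escaped comma, inside the O attribute, so a find("CN=")-style parser returns it while an RFC 2253 parser that honours escapes and quoting returns the real CN. The subjectAltName precedence and leftmost-label wildcard rules in verify_hostname go a little beyond what the two reports describe; they are the usual RFC 2818/6125 behaviour.

```python
"""Hostname verification that parses the subject DN as structured data,
prefers subjectAltName dNSNames over CN, and limits wildcards to the leftmost
label. Added example; not Axis or HttpClient code."""
from typing import List, Optional, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 2253 string into (attribute, value) pairs.

    Backslash escapes and quoted values are honoured, so a comma or a literal
    "CN=" inside another attribute's value never starts a new RDN.
    """
    pairs: List[Tuple[str, str]] = []
    key: List[str] = []
    val: List[str] = []
    cur = key
    in_quotes = False
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped character: keep it literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == "=" and cur is key:
            cur = val
        elif c in ",+" and not in_quotes:      # RDN (',') or multi-valued RDN ('+') separator
            pairs.append(("".join(key).strip().upper(), "".join(val).strip()))
            key, val = [], []
            cur = key
        else:
            cur.append(c)
        i += 1
    if key or val:
        pairs.append(("".join(key).strip().upper(), "".join(val).strip()))
    return pairs


def naive_get_cn(dn: str) -> Optional[str]:
    """The text-search approach this class of bug relies on: first "CN=", up to the next comma."""
    i = dn.find("CN=")
    if i < 0:
        return None
    return dn[i + 3:].split(",")[0]


def get_cn(dn: str) -> Optional[str]:
    """CN taken from the parsed RDNs, so attacker-controlled values cannot fake one."""
    for attr, value in parse_dn(dn):
        if attr == "CN":
            return value
    return None


def _dns_match(pattern: str, host: str) -> bool:
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    # Wildcard only as the whole leftmost label, never spanning labels, never "*.tld"
    if pattern.startswith("*.") and "*" not in pattern[1:]:
        p, h = pattern.split("."), host.split(".")
        return len(p) >= 3 and len(h) == len(p) and p[1:] == h[1:]
    return False


def verify_hostname(host: str, subject_dn: str, san_dns: List[str]) -> bool:
    """True only if host matches a presented name.

    dNSName SAN entries take precedence; the CN is consulted only when the
    certificate carries no dNSName at all.
    """
    if san_dns:
        return any(_dns_match(name, host) for name in san_dns)
    cn = get_cn(subject_dn)
    return cn is not None and _dns_match(cn, host)


# Constructed subject (not taken from a real certificate): the legitimate-looking
# name sits, comma escaped, inside the O attribute; the actual CN is the attacker's.
CRAFTED_SUBJECT = r"O=Example\,CN=www.example.com,CN=evil.test"

if __name__ == "__main__":
    print("naive CN :", naive_get_cn(CRAFTED_SUBJECT))                      # www.example.com (wrong)
    print("parsed CN:", get_cn(CRAFTED_SUBJECT))                            # evil.test
    print("verify   :", verify_hostname("www.example.com", CRAFTED_SUBJECT, []))  # False
```

When backporting a fix of this kind, a subject such as CRAFTED_SUBJECT (plus a quoted form like O="Example, Inc.",CN=host) is a cheap regression test: the old code must return the wrong CN and the patched code the right one.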

Glassfish security support (in Squeeze)

2014-09-22 Thread Raphael Hertzog
Hello, while triaging CVE affecting Debian Squeeze I came on glassfish: https://security-tracker.debian.org/tracker/source-package/glassfish From what I gathered, Oracle doesn't provide any useful information to apply a targeted fix on the current package. The 2.1.x branch is also no longer

Re: Glassfish security support (in Squeeze)

2014-09-23 Thread Raphael Hertzog
Hi Emmanuel, On Mon, 22 Sep 2014, Emmanuel Bourg wrote: Glassfish is an important package for the Java ecosystem as it provides JavaEE specification APIs used to build many other packages. The CVEs reported are most likely related to the complete application server which is almost unused

Bug#762690: libhibernate-validator-java: affected by CVE-2014-3558

2014-09-24 Thread Raphael Hertzog
Package: libhibernate-validator-java Severity: serious Tags: security Hi, the following vulnerability was published for libhibernate-validator-java. CVE-2014-3558[0]: It was discovered that the implementation of org.hibernate.validator.util.ReflectionHelper together with the permissions required

Re: Glassfish security support (in Squeeze)

2014-09-25 Thread Raphael Hertzog
On Thu, 25 Sep 2014, Christoph Biedl wrote: Raphael Hertzog wrote... For Squeeze LTS, we can't really remove a single binary package with an update since the update lives in its own squeeze-lts repository and this would not remove the package in the main squeeze repo. To me

Bug#762690: libhibernate-validator-java: affected by CVE-2014-3558

2014-11-18 Thread Raphael Hertzog
On Sun, 02 Nov 2014 23:38:30 +0100 Emmanuel Bourg ebo...@apache.org wrote: libhibernate-validator-java is only used as a build dependency of libhibernate3-java. No package depends on it at runtime, so the risk of being affected by this vulnerability is rather low, if not zero. Thank you for

Bug#760733: libspring-java: CVE-2014-0225

2014-11-26 Thread Raphael Hertzog
Hello Stephen, On Mon, 08 Sep 2014, Stephen Nelson wrote: For what it's worth, CVE-2014-3578 was assigned to a directory traversal vulnerability in libspring-java ( http://www.pivotal.io/security/cve-2014-3578) Thanks for letting us know about this one. I've had a quick look and it might

squeeze update of axis?

2015-02-18 Thread Raphael Hertzog
Hello dear maintainer(s), the Debian LTS team would like to fix the security issues which are currently open in the Squeeze version of your package: https://security-tracker.debian.org/tracker/CVE-2014-3596 https://security-tracker.debian.org/tracker/CVE-2012-5784 Would you like to take care of

Re: squeeze update of libspring-2.5-java?

2015-03-09 Thread Raphael Hertzog
Hello Emmanuel, On Tue, 24 Feb 2015, Emmanuel Bourg wrote: CVE-2011-3923 seems to be a Struts vulnerability, why is it assigned to Spring? I asked Salvatore Bonaccorso car...@debian.org to review this since he confirmed that assignment a while ago... he double checked and it was a mistake

Bug#780102: About the security issues affecting libjbcrypt-java in Squeeze

2015-03-10 Thread Raphael Hertzog
Hello dear maintainer(s), the Debian LTS team recently reviewed the security issue(s) affecting your package in Squeeze: https://security-tracker.debian.org/tracker/CVE-2015-0886 We decided that we would not prepare a squeeze security update (usually because the security impact is low and that

squeeze update of libspring-2.5-java?

2015-02-24 Thread Raphael Hertzog
[ CC Damien Raude-Morvan draz...@debian.org who handled the last security upload ] Hello dear maintainer(s), the Debian LTS team would like to fix the security issues which are currently open in the Squeeze version of libspring-2.5-java (this source package only exists in squeeze currently):

squeeze update of jruby?

2015-02-24 Thread Raphael Hertzog
Hello dear maintainer(s), the Debian LTS team would like to fix the security issues which are currently open in the Squeeze version of your jruby: https://security-tracker.debian.org/tracker/CVE-2012-5370 https://security-tracker.debian.org/tracker/CVE-2011-4838 Would you like to take care of

security update of commons-httpclient?

2015-02-24 Thread Raphael Hertzog
Hello dear maintainer(s), the Debian LTS team would like to fix the security issues which are currently open in the Squeeze version of your commons-httpclient: https://security-tracker.debian.org/tracker/CVE-2012-6153 It would be nice if you could take care of this update as the package is not

Bug#783233: CVE-2014-8111: mod_jk ignores JkUnmount rules for subtrees of previous JkMount rules

2015-04-24 Thread Raphael Hertzog
Source: libapache-mod-jk Severity: serious Tags: security Hi, the following vulnerability was published for libapache-mod-jk. CVE-2014-8111[0]: | Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount | rules for subtrees of previous JkMount rules, which allows remote | attackers to

Bug#795027: jarwrapper: Does not work when installed in chroot while already active outside the chroot

2015-08-09 Thread Raphael Hertzog
Control: tag -1 + patch On Sun, 09 Aug 2015, Raphaël Hertzog wrote: A patch will follow. Please find attached the suggested patch. Applies on your current git. Cheers, -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: http://www.freexian.com/services/debian-lts.html Learn to master

Bug#779895: Suggested patch

2015-08-09 Thread Raphael Hertzog
Control: tag -1 + patch Please consider applying the attached patch. -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: http://www.freexian.com/services/debian-lts.html Learn to master Debian: http://debian-handbook.info/get/ From 60638e0e74c16704c2f27d8357ebed228a3d8175 Mon Sep 17

Bug#802671: CVE-2015-7940 assigned

2015-10-22 Thread Raphael Hertzog
Control: retitle -1 CVE-2015-7940: bouncycastle: ECC private keys can be recovered via invalid curve attack FTR, this issue has been assigned CVE-2015-7940 Cheers, -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: http://www.freexian.com/services/debian-lts.html Learn to master

Bug#802671: Tentative patches for version 1.44

2015-10-23 Thread Raphael Hertzog
Hello, I have backported the relevant commits to version 1.44 and the result is in the attached patches. The package builds fine but I have not tested it and I'm not sure how to properly test it... if you have suggestions, I'm happy to hear them. I have asked an upstream developer (Peter
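Added example, not BouncyCastle code and not the patches attached to this bug: the message above asks how to test a backport of the CVE-2015-7940 fix, and the answer is to exercise the invalid curve attack itself. The example runs it on a toy scale in pure Python. The curve parameters P, A, B and the private key SECRET are constructed for the demo; everything is small enough to brute-force on purpose. The point is that affine addition never uses the curve constant B, so an ECDH responder that does not check its peer's point computes k*Q just as happily for Q on y^2 = x^3 + A*x + B' with any B' of the attacker's choosing. Picking B' so that the other curve has points of small prime order r makes k*Q depend only on k mod r, and a few such residues combined with the CRT give k. The same attack against a victim that validates the point is rejected at the first step.

```python
"""Invalid-curve attack against ECDH without point validation, and the check
that stops it. Added example; not BouncyCastle code. Toy parameters are
constructed (real curves use ~256-bit P)."""
from typing import Callable, List, Optional, Tuple

Point = Optional[Tuple[int, int]]          # None stands for the point at infinity

P, A, B = 1009, 5, 7                       # constructed curve y^2 = x^3 + A*x + B over GF(P)
SECRET = 777                               # constructed victim private key, below the curve order


def add(p1: Point, p2: Point) -> Point:
    """Affine addition. B never appears, so the same code 'works' for a point on
    y^2 = x^3 + A*x + B' for any B'. That is what the attack exploits."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k: int, pt: Point) -> Point:
    res, acc = None, pt
    while k:
        if k & 1:
            res = add(res, acc)
        acc = add(acc, acc)
        k >>= 1
    return res


def on_curve(pt: Point, b: int = B) -> bool:
    """The missing check: is the peer's point actually on our curve?"""
    if pt is None:
        return False
    x, y = pt
    return (y * y - x ** 3 - A * x - b) % P == 0


def points_on(b: int) -> List[Tuple[int, int]]:
    """All affine points of y^2 = x^3 + A*x + b (brute force; fine for a toy P)."""
    roots: dict = {}
    for y in range(P):
        roots.setdefault(y * y % P, []).append(y)
    return [(x, y) for x in range(P) for y in roots.get((x ** 3 + A * x + b) % P, [])]


def prime_factors(n: int) -> List[int]:
    fs, d = [], 2
    while d * d <= n:
        if n % d == 0:
            fs.append(d)
            while n % d == 0:
                n //= d
        d += 1
    return fs + ([n] if n > 1 else [])


def make_victim(k: int, validate: bool) -> Callable[[Point], Point]:
    """ECDH responder returning k * peer, with or without the on-curve check."""
    def dh(peer: Point) -> Point:
        if validate and not on_curve(peer):
            raise ValueError("peer public key is not on the curve")
        return mul(k, peer)
    return dh


def invalid_curve_attack(victim: Callable[[Point], Point], key_bound: int) -> int:
    """Recover k from a victim that skips validation: send points of small prime
    order r from curves with the same A and a different B', learn k mod r from
    the shared secret, and combine the residues with the CRT."""
    res, mod = 0, 1
    for b_bad in range(P):
        if mod >= key_bound:
            break
        if b_bad == B or (4 * A ** 3 + 27 * b_bad ** 2) % P == 0:
            continue                       # skip the real curve and singular curves
        pts = points_on(b_bad)
        n_bad = len(pts) + 1               # group order of the invalid curve
        for r in prime_factors(n_bad):
            if r > 50 or mod % r == 0:
                continue                   # keep each brute-force window small
            q = next((c for c in (mul(n_bad // r, p) for p in pts) if c is not None), None)
            if q is None:
                continue                   # (n/r)*p vanished for every p; try another r
            shared = victim(q)             # equals (k mod r) * q, so only k mod r leaks
            k_mod_r = next(t for t in range(r) if mul(t, q) == shared)
            t = (k_mod_r - res) * pow(mod, -1, r) % r
            res, mod = res + mod * t, mod * r
    return res


def recovers_key(validate: bool) -> Optional[int]:
    """None when the victim rejects the invalid points, else the recovered key."""
    try:
        return invalid_curve_attack(make_victim(SECRET, validate), len(points_on(B)) + 1)
    except ValueError:
        return None


if __name__ == "__main__":
    print("unchecked victim leaks k =", recovers_key(False))   # 777
    print("validating victim ->", recovers_key(True))          # None
```

For a real library the equivalent test is to hand the key agreement a peer point that satisfies the curve equation for some other B' and assert that it is rejected before any scalar multiplication happens; for curves with cofactor greater than 1 the check should also confirm the point lies in the prime-order subgroup, which the toy above does not need.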

Bug#798650: CVE-2015-5262: https calls ignore http.socket.timeout during SSL Handshake

2015-09-28 Thread Raphael Hertzog
Control: tag -1 + security patch (this is not about commons-httpclient but about httpcomponents-client) On Fri, 11 Sep 2015, Guido Günther wrote: > > Note that according to HTTPCLIENT-1478 [1] this was completely fixed in > > the version 4.3.6. So if this is really a security issue the > >

Bug#802671: Tentative patches for version 1.44

2015-12-07 Thread Raphael Hertzog
On Fri, 04 Dec 2015, Markus Koschany wrote: > thanks for your work on this bug. We intend to upload version 1.51 of > bouncycastle to unstable this weekend since we were able to upgrade all > reverse-dependencies except one so far. Are there any new information > regarding the patches for Jessie?

Bug#802671: Tentative patches for version 1.44

2015-12-04 Thread Raphael Hertzog
Hi, On Fri, 04 Dec 2015, Markus Koschany wrote: > thanks for your work on this bug. We intend to upload version 1.51 of > bouncycastle to unstable this weekend since we were able to upgrade all > reverse-dependencies except one so far. Are there any new information > regarding the patches for

Bug#802671: Tentative patches for version 1.44

2015-11-26 Thread Raphael Hertzog
On Fri, 20 Nov 2015, Raphael Hertzog wrote: > On Fri, 23 Oct 2015, Raphael Hertzog wrote: > > I have asked an upstream developer (Peter Dettman) to review it. > > He reviewed them and came up with further suggestions. So there's a third > patch (attached) to apply on top of the

Bug#802671: Tentative patches for version 1.44

2015-11-20 Thread Raphael Hertzog
On Fri, 23 Oct 2015, Raphael Hertzog wrote: > I have asked an upstream developer (Peter Dettman) to review it. He reviewed them and came up with further suggestions. So there's a third patch (attached) to apply on top of the two patches that I already submitted. I sent him the third pa

Wheezy update of lucene-solr?

2017-07-11 Thread Raphael Hertzog
Dear maintainers, The Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of lucene-solr: https://security-tracker.debian.org/tracker/CVE-2017-3163 Would you like to take care of this yourself? I noticed that lucene-solr is seriously out-of-date

Bug#879001: CVE-2017-12197: libpam4j: Account check bypass

2017-10-18 Thread Raphael Hertzog
Source: libpam4j Version: 1.4-2 Severity: grave Tags: security Hi, the following vulnerability was published for libpam4j. CVE-2017-12197[0]: libpam4j: Account check bypass PAM.authentication() does not call pam_acct_mgmt(). As a consequence, the PAM account is not properly verified. Any user

Bug#879002: Should the package be removed?

2017-10-18 Thread Raphael Hertzog
Source: libpam4j Severity: serious Hello, I just came across libpam4j while handling CVE-2017-12197 and I noticed that: - the package has not seen an update since 2012 - the package has no reverse dependency in Debian - upstream seems to have disappeared (the current Homepage URL is dead and

Bug#795244: ca-certificates-java.jar - String index out of range: -1

2018-04-12 Thread Raphael Hertzog
Hello, On Wed, 12 Aug 2015, Christian Hammers wrote: > It does not work though: > > # java -Xmx64m -jar > /usr/share/ca-certificates-java/ca-certificates-java.jar -storepass changeit That's because the program expects data on standard input. A list of certificates to add (prefixed with

Bug#894979: ca-certificates-java: SSL error: "the trustAnchors parameter must be non-empty"

2018-04-12 Thread Raphael Hertzog
retitle -1 ca-certificates-java: does not work with OpenJDK 9, applications fail with InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty severity -1 serious thanks Hello, On Thu, 05 Apr 2018, George B. wrote: > I am getting an error when connecting to HTTPS from