qemu status

2019-09-04 Thread Sylvain Beucler
Hi Gabriel, hi all :)

We have a prepared QEMU update from 3 months ago that needs attention:
https://packages.sunweavers.net/debian/pool/main/q/qemu/

It fixes:
CVE-2017-9375 CVE-2019-12155 CVE-2017-15124 CVE-2016-5403 CVE-2016-5126

Since then we got:
CVE-2019-14378 CVE-2019-13164 CVE-2019-12068 CVE-2019-12067
and possibly CVE-2018-19665 to reconsider.

I can take the time to set up a physical box and provide more testing /
more patching.
Before doing so, I thought I'd first check:
what are your plans for this month regarding this update? :)

Cheers!
Sylvain



Re: Jessie update of ansible (minor security issues)?

2019-09-04 Thread Roberto C. Sánchez
On Sat, Aug 31, 2019 at 04:22:38PM +0200, Lee Garrett wrote:
> 
> If you think it's a good thing I'm more than happy to help. I agree with
> your assessment that all CVEs are of very low impact. There's a jessie
> git branch you can make releases from which I can give you access to. If
> you need any help feel free to help. I currently don't have capacity to
> commit to maintaining LTS, too, as IRL tends to come in between. :)
> 
Lee,

I took a look yesterday and I saw that the ansible project in Salsa has
1000+ maintainers, which I think is every DD.  I cloned it and found the
jessie branch with Chris Lamb's security update from last year as the
most recent changelog entry on that branch.  That matches with what is
in the archive.

In any event, I have moved my work onto that branch and have already
some commits locally.  Would you like for me to push my commits (one per
CVE) as I go so that you can look them over?  Or would you prefer that I
push all the changes together once all my work is complete?

Regards,

-Roberto

-- 
Roberto C. Sánchez



Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.

2019-09-04 Thread Moritz Mühlenhoff
On Thu, Aug 29, 2019 at 09:36:39AM +0200, Moritz Mühlenhoff wrote:
> Adding the radare2 uploaders to CC.
> 
> On Fri, Aug 16, 2019 at 11:23:05PM +0200, Markus Koschany wrote:
> > >> +  NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in
> > >> +  NOTE: libr/core/bin.c. Many no-dsa issues in Jessie and Stretch. 
> > >> Should we
> > >> +  NOTE: continue the current approach, update to a newer upstream 
> > >> version or mark
> > >> +  NOTE: radare2 as unsupported? Also note that there is a r2-pwnDebian 
> > >> challenge...
> > >> +  NOTE: https://bananamafia.dev/post/r2-pwndebian/ (apo)
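Review bot: the NOTE records the vulnerable file for CVE-2019-14745 (libr/core/bin.c) but not the upstream fix, so whoever picks this entry up next has to redo that research; if a fix commit or upstream release is known, record it in the NOTE next to the file name, and the three options listed (continue the current approach, update to a newer upstream, mark unsupported) are easier to decide once the NOTE also states which suites actually carry vulnerable code.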
> > > 
> > > I'd be in favor of marking radare2 as unsupported, probably even for 
> > > stable,
> > > but definitly for oldstable and older.
> > > 
> > > I'd be happy to do these changes in src:debian-security-tracker and
> > > uploading this to sid.
> > 
> > +1
> > 
> > I just noticed that we are not consistent with fixing CVE in radare2 and
> > I would also be in favor of marking it as unsupported. Another option
> > would be to package always the latest upstream release and backport that
> > to stable and oldstable but it seems we already lag behind a few
> > versions in unstable, so I'd rather choose the first option.
> 
> The upstream link makes it sound as if they are one of those upstreams
> which reject the idea of distributions shipping an older release to
> a stable distro. For a tool like radare2 that seems fair enough, so
> how about simply excluding it from stable releases (and retroactively
> drop it from Buster/Stretch in the forthcoming point releases)?

Hilko/Sebastian,
as the last uploaders; what do you think? How should we proceed wrt radare in 
oldstable/stable?

Cheers,
 Moritz



Re: Jessie update of ansible (minor security issues)?

2019-09-04 Thread Holger Levsen
On Wed, Sep 04, 2019 at 02:07:39PM -0400, Roberto C. Sánchez wrote:
> In any event, I have moved my work onto that branch and have already
> some commits locally.  Would you like for me to push my commits (one per
> CVE) as I go so that you can look them over?  Or would you prefer that I
> push all the changes together once all my work is complete?

create a branch jessie-proposed (or whatever) and push it now?


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

