Re: CVE-2019-14866
Hi

Ok, thank you. Then I'll use the version Thomas used for Debian old and oldold stable. I'll use that as I have tested it already and it is easier to read for someone wanting to compare the difference compared to an older version.

Best regards

// Ola

On Mon, 4 Nov 2019 at 21:25, Sergey Poznyakoff wrote:
> Hi Ola,
>
> > Hi Sergey
> >
> > I can see that the fix is quite different from the one Thomas proposed. Do
> > I understand correctly that this fix goes around the problem in a different
> > way?
>
> Not quite so. It takes basically the same approach as the fix Thomas
> proposed, but also removes unnecessary code duplication and ensures
> informative error diagnostics.
>
> > I do not see any explicit value > 0 check.
>
> See the return from the to_ascii function.
>
> > it looks like the fix allows larger file sizes
>
> No, of course all size limits remain the same,
>
> Regards,
> Sergey

--
--- Inguza Technology AB ---
MSc in Information Technology | o...@inguza.com
o...@debian.org | http://inguza.com/
Mobile: +46 (0)70-332 1551
---
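Added example (not code from the thread, nor the project's own to_ascii): the exchange above turns on the return value of a numeric-field encoder being checked by its caller rather than an explicit range test. The sketch below models that pattern for a fixed-width octal header field: encode_octal_field() refuses to write a value that does not fit the field and reports that through its return value, and write_size_field() shows the caller acting on it instead of emitting a silently truncated header. The function names, the 12-byte field width and the sample values are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <inttypes.h>

/* Hypothetical encoder: write VALUE as a NUL-terminated, zero-padded octal
 * string into a header field of WIDTH bytes.  Returns 1 on success and 0
 * when the value needs more digits than the field can hold.  The caller is
 * expected to check the return value; nothing is written partially. */
int encode_octal_field(char *field, size_t width, uintmax_t value)
{
    char tmp[64];                 /* scratch: far larger than any field */
    size_t n = 0;

    if (width < 2)                /* need at least one digit plus NUL */
        return 0;

    /* Produce digits least-significant first into scratch space. */
    do {
        tmp[n++] = (char)('0' + (value & 7));
        value >>= 3;
    } while (value != 0);

    /* Overflow check: digits plus terminator must fit the field. */
    if (n + 1 > width)
        return 0;

    /* Left-pad with '0', then copy digits in the right order. */
    size_t pad = width - 1 - n;
    memset(field, '0', pad);
    for (size_t i = 0; i < n; i++)
        field[pad + i] = tmp[n - 1 - i];
    field[width - 1] = '\0';
    return 1;
}

/* Hypothetical caller: fill a 12-byte size field (assumed width) and refuse
 * to produce the header when the size cannot be represented. */
int write_size_field(char size_field[12], uintmax_t file_size)
{
    if (!encode_octal_field(size_field, 12, file_size)) {
        fprintf(stderr,
                "file size %" PRIuMAX " does not fit in a 12-byte octal field\n",
                file_size);
        return 0;
    }
    return 1;
}

int main(void)
{
    char size[12];
    /* Constructed sample values: one representable, one too large. */
    if (write_size_field(size, 511))
        printf("encoded 511 as \"%s\"\n", size);
    if (!write_size_field(size, (uintmax_t)1 << 33))
        printf("2^33 rejected rather than truncated\n");
    return 0;
}
```

The point for a reviewer comparing fixes is that the size limit is enforced by the encoder's return value, so a caller that checks it behaves the same as one with an explicit range test, and the diagnostic names the offending value.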
LTS report for October 2019 - Abhijith PA
October was my 20th month as a Debian LTS paid contributor. I had 14 hours assigned, out of which I spent 8 hours and gave the rest back to the pool.

* novnc: Fixed CVE-2017-18635, tested and uploaded. DLA[1]
* libpcap: Fixed CVE-2019-15165, tested and uploaded. DLA[2]
* Wordpress: There were 7 CVEs reported at the time. CVE-2019-17673 marked as not-affected for jessie. Commits fixing CVE-2019-17672 and CVE-2019-17674 not found. Backported CVE-2019-17670. Rest fixed in upstream backport. Uploaded 4.1.28 version. Release DLA[3]

Misc: Sponsored ruby-mini-magick for Utkarsh Gupta. DLA[4]

Regards
Abhijith PA

[1] - https://lists.debian.org/debian-lts-announce/2019/10/msg4.html
[2] - https://lists.debian.org/debian-lts-announce/2019/10/msg00031.html
[3] - https://lists.debian.org/debian-lts-announce/2019/11/msg0.html
[4] - https://lists.debian.org/debian-lts-announce/2019/10/msg7.html
Re: Security issues in standards (ruby-openid / CVE-2019-11027)
Utkarsh Gupta writes:

> I am not quite sure about what we should do here because the update (DLA
> 1956-1) doesn't quite fix the CVE completely and also brings some login
> problems as reported in #125.
> Because for now, #121 + #126 = actual CVE fix. But the login problem
> remains.

I guess we have three options:

1. Do nothing.
2. Revert the #121 patch, because it could break. I haven't seen any complaints however...
3. Apply the #126 patch too. Not 100% convinced this is a justified change for LTS, but it "looks right".
4. Wait longer for possible upstream solution to #125.

Any opinions?

--
Brian May