LTS report for November 2019 - Abhijith PA
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

November was my 21st month as a Debian LTS paid contributor. I was assigned 8 hours and I spent all of them for the following:

* libssh2: Fixed CVE-2019-17498, tested and uploaded. DLA[1]

* slurm-llnl: Backported a huge part of CVE-2019-12838, CVE-2019-6438 after combing through the upstream changes history. Currently testing the build and will be uploaded soon. Thanks to Gennaro Oliva for helping in testing. Package is available here[2].

* otrs2: Started working on CVE-2019-18179, CVE-2019-18180.

Regards
Abhijith PA

[1] - https://lists.debian.org/debian-lts-announce/2019/11/msg00010.html
[2] - https://people.debian.org/~abhijith/upload/slurm-llnl_14.03.9-5+deb8u5.dsc
Jessie update of ssvnc?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of ssvnc:

https://security-tracker.debian.org/tracker/CVE-2018-20020
https://security-tracker.debian.org/tracker/CVE-2018-20021
https://security-tracker.debian.org/tracker/CVE-2018-20022
https://security-tracker.debian.org/tracker/CVE-2018-20024

These security issues have recently become known while looking into all Debian packages that bundle some or another version of code originally derived from the libvncserver source package.

I will soon send a .debdiff to the Debian bugtracker that resolves above named issues for ssvnc in Debian jessie. The patches should be easily forward-portable to ssvnc in stretch, buster and testing/unstable.

Would you like to take care of the jessie LTS upload yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just review the proposed fixes in the source package and give feedback, if there is any. I, with my LTS team member hat on, will take care of the upload then.

If you don't want to take care of this update at all, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of ssvnc updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

-- 
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: RFS: 389-ds-base
Hi Utkarsh,

On Mo 25 Nov 2019 02:11:35 CET, Utkarsh Gupta wrote:

> Hey,
>
> I have fixed CVE-2019-14824 for 389-ds-base and uploaded the same to mentors.d.net. The relevant .dsc could be found at [1]. Requesting to upload the same on my behalf.
> Attaching the DLA file for the same.
> Also, sent a patch for (Stretch,) Buster, Bullseye, and Sid to the maintainer. CCed #944150.
>
> Best,
> Utkarsh
> ---
> [1]: https://mentors.debian.net/debian/pool/main/3/389-ds-base/389-ds-base_1.3.3.5-4+deb8u7.dsc

Sorry for the delay. Looking into it right now.

Mike (with LTS frontdesk hat on)

-- 
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: RFS: 389-ds-base
Hi,

On Mo 25 Nov 2019 02:11:35 CET, Utkarsh Gupta wrote:

> Hey,
>
> I have fixed CVE-2019-14824 for 389-ds-base and uploaded the same to mentors.d.net. The relevant .dsc could be found at [1]. Requesting to upload the same on my behalf.
> Attaching the DLA file for the same.
> Also, sent a patch for (Stretch,) Buster, Bullseye, and Sid to the maintainer. CCed #944150.
>
> Best,
> Utkarsh
> ---
> [1]: https://mentors.debian.net/debian/pool/main/3/389-ds-base/389-ds-base_1.3.3.5-4+deb8u7.dsc

Uploaded to security-master now.

Mike

-- 
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: RFS: tnef
Hi,

On Mo 25 Nov 2019 06:00:51 CET, Utkarsh Gupta wrote:

> Hey,
>
> I have fixed CVE-2019-18849 for tnef and uploaded the same to mentors.d.net. The relevant .dsc could be found at [1]. Requesting to upload the same on my behalf.
> Attaching the DLA file for the same.
> Also, sent a patch for Stretch, Buster, Bullseye, and Sid to the maintainer. CCed #944851 and the Security team as well.
>
> Best,
> Utkarsh
> ---
> [1]: https://mentors.debian.net/debian/pool/main/t/tnef/tnef_1.4.9-1+deb8u4.dsc

Uploaded to security-master now.

Mike

-- 
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: RFS: 389-ds-base
Hi Mike, Utkarsh,

On Fri, Nov 29, 2019 at 12:24:34PM +, Mike Gabriel wrote:
> Sorry for the delay. Looking into it right now.
> Mike (with LTS frontdesk hat on)

thanks a lot for this and the uploads, Mike!

Utkarsh has pinged me privately last night and thus it was on my list for today, but I'm glad to scratch it from there now! ;)

-- 
cheers,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: RFS: 389-ds-base
Hi Holger,

On Fr 29 Nov 2019 13:46:23 CET, Holger Levsen wrote:

> Hi Mike, Utkarsh,
>
> On Fri, Nov 29, 2019 at 12:24:34PM +, Mike Gabriel wrote:
>> Sorry for the delay. Looking into it right now.
>> Mike (with LTS frontdesk hat on)
>
> thanks a lot for this and the uploads, Mike!
>
> Utkarsh has pinged me privately last night and thus it was on my list for today, but I'm glad to scratch it from there now! ;)

I saw those mails yesterday and wondered why nobody picked those RFSs up... Then I realized this week's frontdesk hat of mine..., and it still took a day for the bells to start ringing gently, that this might be my task... You could hear the clockwork creak in my brain before the bell rang, tststs... :-)

Mike

-- 
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Jessie update of libjackson-json-java?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of libjackson-json-java:

https://security-tracker.debian.org/tracker/CVE-2019-10172

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of libjackson-json-java updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

-- 
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of asterisk?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of asterisk:

https://security-tracker.debian.org/tracker/CVE-2019-18790
https://security-tracker.debian.org/tracker/CVE-2019-18610

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of asterisk updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

-- 
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of proftpd-dfsg?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of proftpd-dfsg:

https://security-tracker.debian.org/tracker/CVE-2019-19269
https://security-tracker.debian.org/tracker/CVE-2019-19270
https://security-tracker.debian.org/tracker/CVE-2019-19271
https://security-tracker.debian.org/tracker/CVE-2019-19272

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of proftpd-dfsg updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

-- 
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: RFT: OpenJDK 7 7u241-2.6.20-1~deb8u1
On Tue, Nov 26, 2019 at 04:01:44PM +0100, Markus Koschany wrote:
> Hello,
>
> I have uploaded a new version of OpenJDK 7 to
>
> https://people.debian.org/~apo/openjdk7/amd64/
>
> including all binaries and sources, along with a signed .changes file.
>
> Please let me know if you find any regressions from the current released
> version 7u231-2.6.19-1~deb8u2.
>

I have spent some time working on bringing the autopkg tests to openjdk-7 for wheezy. Here is a summary of my findings so far:

- the openjdk-11 autopkg tests, which Markus suggested to me as a potential starting point via direct email, are substantially different to the point where making them work with openjdk-7 is likely more difficult than it is worth; the openjdk-8 tests, however, make for a better starting point

- the openjdk-8 tests contain some restrictions (i.e., skippable and flaky) which do seem to cause errors when running the tests on wheezy

- apart from removing the skippable and flaky restrictions, the scripts in debian/tests (taken from openjdk-8) need only some minor tweaks to be able to function and execute

- in order to run any autopkg test suite on wheezy, it must be done from a host environment of stretch or older; the dpkg in buster produces .deb archives which the older dpkg in wheezy is not capable of reading (the specific error had to do with a not understandable control.tar.xz member)

- the naming conventions are a bit different in the openjdk-7 package with respect to the jtreg report files; interestingly, the packages I build locally seem to include the failed test report (used by the jtdiff-autopkgtest.sh to compare the results of the test suite in the last version with those produced by the autopkgtest run), while the packages in the archive (on deb.freexian.com, that is) do not contain the jtreg support files

- after finally figuring out the last item, it seems that I will need to rebuild the last version to generate the necessary jtreg reports, then use those for autopkg test to make a comparison to the current update we are preparing; I looked in the archive [0] and it seems that the jessie openjdk-7 packages ship the necessary files so the rebuild should not be needed for the jessie openjdk-7

I still need to work on tweaking the scripts under debian/tests and will provide a further update when I have something that at least somewhat works.

Regards,

-Roberto

-- 
Roberto C. Sánchez
Re: RFT: OpenJDK 7 7u241-2.6.20-1~deb8u1
On Fri, Nov 29, 2019 at 10:48:06AM -0500, Roberto C. Sánchez wrote:
>
> I still need to work on tweaking the scripts under debian/tests and will
> provide a further update when I have something that at least somewhat
> works.
>

I have been able to get a "working" autopkgtest such that the test executes and completes. At the moment the test passes, but I need to ensure that the result is correct. The autopkgtest which I used from openjdk-8 to form the basis of what I implemented for openjdk-7 assumes some differences in layout of the test reports generated at build time.

I will continue investigating and update again when there is more to report.

Regards,

-Roberto

-- 
Roberto C. Sánchez