Re: Jessie update of nethack (minor security issues)?
Hi Markus and Mike

On 21/12/19 3:26 am, Mike Gabriel wrote:
> On Fr 20 Dez 2019 15:35:01 CET, Markus Koschany wrote:
>> Nethack is a game and I believe it should be added to our end-of-life
>> list.
> +1 from me.
>
> Mike

I claimed it in dla-needed. Should I take care of the eol procedure, or will you be doing it?

--abhijith
Regression in X2Go Client caused by CVE-2019-14889/libssh fix
Hi all,

the recent libssh fix for CVE-2019-14889 causes a regression in X2Go Client:

```
Connection failed. Couldn't create remote file
~/.x2go/ssh/key.X18947 - SCP: Warning: status code 1 received:
scp: ~/.x2go/ssh: No such file or directory"
```

The solution to this is a fix to be applied against X2Go Client (in jessie/stretch/buster/unstable):
https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1

Thanks,
Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: Jessie update of cyrus-sasl2?
Hi Roberto,

On Fr 20 Dez 2019 16:36:05 CET, Roberto C. Sánchez wrote:
> On Fri, Dec 20, 2019 at 01:06:39PM +0100, Mike Gabriel wrote:
>> Dear maintainer(s),
>>
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Jessie version of cyrus-sasl2:
>> https://security-tracker.debian.org/tracker/CVE-2019-19906
>>
>> Would you like to take care of this yourself?
>
> Hi Mike,
>
> I had intended to take care of this, but it seems you have already done
> it. Thanks for your help. Did you encounter any issues that might
> concern making the update or applying the patch in stretch or buster
> versions of cyrus-sasl?
>
> Regards,
>
> -Roberto

In fact, I have upgraded my jessie-mailserver with the fix and it seems to be all good. However, I am not 100% sure if my setup (cyrus-imap + postfix via saslauthd behind LDAP, etc.) hits the exact code path.

Mike
Re: Regression in X2Go Client caused by CVE-2019-14889/libssh fix
Hi again,

On Sa 21 Dez 2019 17:27:15 CET, Mike Gabriel wrote:
> Hi all,
>
> the recent libssh fix for CVE-2019-14889 causes a regression in X2Go
> Client:
>
> ```
> Connection failed. Couldn't create remote file
> ~/.x2go/ssh/key.X18947 - SCP: Warning: status code 1 received:
> scp: ~/.x2go/ssh: No such file or directory"
> ```
>
> The solution to this is a fix to be applied against X2Go Client (in
> jessie/stretch/buster/unstable):
> https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1
>
> Thanks,
> Mike

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947129
and https://bugs.launchpad.net/ubuntu/+source/libssh/+bug/1856795

Btw... if anyone with MOTU (Ubuntu maintainer) status is reading this, please follow-up and provide regression fixes (i.e. a patched X2Go Client, see LP:#1856795) to Ubuntu.

Thanks+Greets,
Mike
Re: Regression in X2Go Client caused by CVE-2019-14889/libssh fix
Hi again,

On Sa 21 Dez 2019 18:36:09 CET, Mike Gabriel wrote:
> Hi again,
>
> On Sa 21 Dez 2019 17:27:15 CET, Mike Gabriel wrote:
>> Hi all,
>>
>> the recent libssh fix for CVE-2019-14889 causes a regression in X2Go
>> Client:
>>
>> ```
>> Connection failed. Couldn't create remote file
>> ~/.x2go/ssh/key.X18947 - SCP: Warning: status code 1 received:
>> scp: ~/.x2go/ssh: No such file or directory"
>> ```
>>
>> The solution to this is a fix to be applied against X2Go Client (in
>> jessie/stretch/buster/unstable):
>> https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1
>>
>> Thanks,
>> Mike
>
> See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947129
> and https://bugs.launchpad.net/ubuntu/+source/libssh/+bug/1856795
>
> Btw... if anyone with MOTU (Ubuntu maintainer) status is reading this,
> please follow-up and provide regression fixes (i.e. a patched X2Go
> Client, see LP:#1856795) to Ubuntu.
>
> Thanks+Greets,
> Mike

I just dput x2goclient 4.0.3.1-4+deb8u1 to jessie-security shipping a fix for regression with CVE-2019-14889/libssh

Does that need a DLA?

If yes, shall it be a regression DLA for DLA-2038-1/libssh? Or a new DLA number?

Appreciating feedback,
Mike
Re: Jessie update of nethack (minor security issues)?
Hi,

On Sa 21 Dez 2019 15:42:08 CET, Abhijith PA wrote:
> Hi Markus and Mike
>
> On 21/12/19 3:26 am, Mike Gabriel wrote:
>> On Fr 20 Dez 2019 15:35:01 CET, Markus Koschany wrote:
>>> Nethack is a game and I believe it should be added to our end-of-life
>>> list.
>> +1 from me.
>>
>> Mike
>
> I claimed it in dla-needed. Should I take care of the eol procedure, or will you be doing it?
>
> --abhijith

If no one objects within the next two days or so, please go ahead and take care of the eol procedure.

Thanks+Greets,
Mike
Re: Regression in X2Go Client caused by CVE-2019-14889/libssh fix
Hi Mike,

On Sat, Dec 21, 2019 at 05:47:25PM +, Mike Gabriel wrote:
> Hi again,
>
> On Sa 21 Dez 2019 18:36:09 CET, Mike Gabriel wrote:
>
> > Hi again,
> >
> > On Sa 21 Dez 2019 17:27:15 CET, Mike Gabriel wrote:
> >
> > > Hi all,
> > >
> > > the recent libssh fix for CVE-2019-14889 causes a regression in X2Go
> > > Client:
> > >
> > > ```
> > > Connection failed. Couldn't create remote file
> > > ~/.x2go/ssh/key.X18947 - SCP: Warning: status code 1 received:
> > > scp: ~/.x2go/ssh: No such file or directory"
> > > ```
> > >
> > > The solution to this is a fix to be applied against X2Go Client (in
> > > jessie/stretch/buster/unstable):
> > > https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1
> > >
> > > Thanks,
> > > Mike
> >
> > See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947129
> > and https://bugs.launchpad.net/ubuntu/+source/libssh/+bug/1856795
> >
> > Btw... if anyone with MOTU (Ubuntu maintainer) status is reading this,
> > please follow-up and provide regression fixes (i.e. a patched X2Go
> > Client, see LP:#1856795) to Ubuntu.
> >
> > Thanks+Greets,
> > Mike
>
> I just dput x2goclient 4.0.3.1-4+deb8u1 to jessie-security shipping a fix
> for regression with CVE-2019-14889/libssh
>
> Does that need a DLA?
>
> If yes, shall it be a regression DLA for DLA-2038-1/libssh? Or a new DLA
> number?

In this case I would use a DLA-2038-2 regression update advisory, with tracking the x2goclient source package and (important) not tracking the CVE id. It's a bit of an unusual case, but that is how it's then usually handled. You can see DSA-4539-2 as the respective example.

So your entry would look like (data/DLA/list):

```
[$date] DLA-2038-2 x2goclient - regression update
	[jessie] - x2goclient $version
```

Regards,
Salvatore