(semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
hi,

today I unclaimed for LTS:

- cacti (Abhijith PA)
- freerdp (Mike Gabriel)
- sqlite3 (Abhijith PA)
- squid3 (Markus Koschany)

and none for ELTS.

Also, no one had claimed 4 or more packages.

One DLA has been reserved but not yet published on www.debian.org:

- DLA 2230-1 (reserved by Mike Gabriel)

--
tschau,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
stretch EOL point release (9.13) and 10.5 planning
Hi,

stretch transitions from oldstable-with-security-support to LTS support on Saturday July 4th. As usual, we should aim for the final point release to be soon after that, most likely pulling in any remaining updates from security.d.o that are still in oldstable-new.

I think Saturday July 11th makes most sense (so freezing opu during the transition weekend), but we could potentially stretch (no pun intended) slightly further if need be.

We also need to look at the next buster point release in a similar timeframe. Can anyone see a reason not to do the two at the same time, as usual?

To get the ball rolling, please could you confirm your availability for:

- July 11/12
- July 18/19

Thanks,

Adam
Re: drupal7
Brian May writes: > Drupal7, in Jessie has 3 security issues: My proposed changes to drupal7 in Jessie: diff -Nru drupal7-7.32/debian/changelog drupal7-7.32/debian/changelog --- drupal7-7.32/debian/changelog 2019-05-20 20:05:42.0 +1000 +++ drupal7-7.32/debian/changelog 2020-06-15 07:30:19.0 +1000 @@ -1,3 +1,9 @@ +drupal7 (7.32-1+deb8u18) jessie-security; urgency=medium + + * Fix CVE-2020-13662 / SA-CORE-2020-003: Fix Open Redirect vulnerability. + + -- Brian May Mon, 15 Jun 2020 07:30:19 +1000 + drupal7 (7.32-1+deb8u17) jessie-security; urgency=medium * Non-maintainer upload by the LTS Security Team. diff -Nru drupal7-7.32/debian/patches/CVE-2020-13662.patch drupal7-7.32/debian/patches/CVE-2020-13662.patch --- drupal7-7.32/debian/patches/CVE-2020-13662.patch1970-01-01 10:00:00.0 +1000 +++ drupal7-7.32/debian/patches/CVE-2020-13662.patch2020-06-15 07:30:19.0 +1000 @@ -0,0 +1,14 @@ +--- a/includes/common.inc b/includes/common.inc +@@ -684,7 +684,10 @@ + // We do not allow absolute URLs to be passed via $_GET, as this can be an attack vector. + if (isset($_GET['destination']) && !url_is_external($_GET['destination'])) { + $destination = drupal_parse_url($_GET['destination']); +-$path = $destination['path']; ++// Double check the path derived by drupal_parse_url() is not external. ++if (!url_is_external($destination['path'])) { ++ $path = $destination['path']; ++} + $options['query'] = $destination['query']; + $options['fragment'] = $destination['fragment']; + } diff -Nru drupal7-7.32/debian/patches/series drupal7-7.32/debian/patches/series --- drupal7-7.32/debian/patches/series 2019-05-20 20:05:42.0 +1000 +++ drupal7-7.32/debian/patches/series 2020-06-15 07:24:44.0 +1000 @@ -25,3 +25,4 @@ SA-CORE-2019-004 SA-CORE-2019-006 SA-CORE-2019-007 +CVE-2020-13662.patch -- Brian May
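Review bot: the new `drupal7 (7.32-1+deb8u18)` changelog entry drops the `* Non-maintainer upload by the LTS Security Team.` line that the `deb8u17` entry directly below it carries; since this is also an LTS team upload, add that line above the CVE-2020-13662 bullet so the changelog stays consistent with the previous entries.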
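Review bot: in the new `debian/patches/CVE-2020-13662.patch`, the file header as shown is a single `--- a/includes/common.inc b/includes/common.inc` line with no `+++ b/includes/common.inc` line, which is not a valid unified-diff header; the `@@ -0,0 +1,14 @@` count against the 13 lines visible suggests one line is missing from the file as posted, most likely that `+++` line, so please confirm the committed file has it and that `quilt push` applies cleanly before upload. The patch also has no DEP-3 header; add at least `Description:`, `Origin:` pointing at the upstream SA-CORE-2020-003 change, and the CVE id. On the logic of the hunk itself: when the added `if (!url_is_external($destination['path']))` check rejects the path, `$path` keeps its previous value, but the following two lines still copy `$options['query']` and `$options['fragment']` from the rejected destination; if that is intentional because it mirrors upstream, a one-line comment saying so would save the next backporter from re-deriving it.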
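Review bot: the new `debian/patches/series` entry `CVE-2020-13662.patch` breaks the naming scheme the surrounding entries use (`SA-CORE-2019-004`, `SA-CORE-2019-006`, `SA-CORE-2019-007`, named after the Drupal advisory with no `.patch` suffix); consider naming the file `SA-CORE-2020-003` to match, and record the CVE id in the patch's DEP-3 header so both identifiers remain searchable.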
Re: unbound not supported
Holger Levsen writes:

> for d-s-s in jessie i'm still unsure, which version number to use
> (see https://lists.debian.org/debian-release/2020/06/msg00136.html
> for a summary of the problem). allocating and issuing the DLA will
> be easy once I'm clear about that version number...

I have wondered if it even makes sense to have the list of supported packages (which is somewhat dynamic) in a package in the distribution itself (which is supposed to be relatively stable and, apart from exceptions such as security updates, follow a strict order of unstable -> testing -> stable -> oldstable).

Plus, after the distribution is no longer supported, I imagine the d-s-s file in that distribution is no longer valid and should not be used (unless we update it at the time the distribution stops being supported).

Wouldn't it be better to have, maybe, a wiki page somewhere that lists unsupported packages?

--
Brian May