Re: CVE-2020-15180: MariaDB
Hello!

I just realized Emilio represents the LTS team and he already took care of this.

On Wed, 21 Oct 2020 at 11:25, Otto Kekäläinen (o...@debian.org) wrote:
>
> Hello Debian LTS team!
>
> Regarding CVE-2020-15180 I have prepared updates for Ubuntu Trusty
> (5.5), Ubuntu Bionic (10.1), Focal (10.3), Groovy (10.3) and Debian
> Stretch (10.1), Buster (10.3) and Sid (10.5).
>
> The Debian and Ubuntu security teams have already processed these and
> DSA and USN are in the works.
>
> Last thing remaining is the coordination with the Debian LTS team
> about the Stretch update.
>
> Is there somebody in the LTS team who would like to review and approve
> a mariadb-10.1 1:10.1.45-0+debu1 for Stretch?
>
> Stretch changes:
> https://salsa.debian.org/mariadb-team/mariadb-10.1/-/compare/debian%2F10.1.45-0+deb9u1...stretch
> QA: https://salsa.debian.org/mariadb-team/mariadb-10.1/-/pipelines/185587
>
> Unfortunately I don't have much more info about the security issue
> itself. The source diff shows some changes to the WSREP-API (Galera
> cluster code). There will be more info from secur...@mariadb.org at
> the end of the month as there is an embargo now to allow time for
> mysql-galera to ship an update. MariaDB and Percona have already
> released fixes.
>
> Release notes for reference:
> - https://mariadb.com/kb/en/mariadb-1056-release-notes/
> - https://mariadb.com/kb/en/mariadb-10325-release-notes/
> - https://mariadb.com/kb/en/mariadb-10147-release-notes/
>
>
> - Otto

--
- Otto
CVE-2020-15180: MariaDB
Hello Debian LTS team!

Regarding CVE-2020-15180 I have prepared updates for Ubuntu Trusty (5.5), Ubuntu Bionic (10.1), Focal (10.3), Groovy (10.3) and Debian Stretch (10.1), Buster (10.3) and Sid (10.5).

The Debian and Ubuntu security teams have already processed these and DSA and USN are in the works.

Last thing remaining is the coordination with the Debian LTS team about the Stretch update.

Is there somebody in the LTS team who would like to review and approve a mariadb-10.1 1:10.1.45-0+debu1 for Stretch?

Stretch changes: https://salsa.debian.org/mariadb-team/mariadb-10.1/-/compare/debian%2F10.1.45-0+deb9u1...stretch
QA: https://salsa.debian.org/mariadb-team/mariadb-10.1/-/pipelines/185587

Unfortunately I don't have much more info about the security issue itself. The source diff shows some changes to the WSREP-API (Galera cluster code). There will be more info from secur...@mariadb.org at the end of the month as there is an embargo now to allow time for mysql-galera to ship an update. MariaDB and Percona have already released fixes.

Release notes for reference:
- https://mariadb.com/kb/en/mariadb-1056-release-notes/
- https://mariadb.com/kb/en/mariadb-10325-release-notes/
- https://mariadb.com/kb/en/mariadb-10147-release-notes/

- Otto
Re: Question regarding security issues in LTS/Extended LTS packages
Hi Antoine,

On 19/10/20 6:50 pm, Antoine Cervoise wrote:
> Hi,
>
>
> I'm not familiar with how to report security issues regarding
> packages under LTS/Extended LTS support. I've reported this issue on
> poppler-utils (included in poppler package, listed here:
>
> https://deb.freexian.com/extended-lts/docs/supported-packages/) few
> months ago: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942391.
>
> Is this security issue supported by Extended LTS program?

ELTS has a separate contact point.

> If I found other security issues (such as this one
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944979 which is not
> supported by Extended LTS),

If you found security issues in jessie and unsupported by ELTS, it is very unlikely anyone will fix it.

> shall I report the issue on the Debian bug
> tracker or send it here (or both)?

You can send it here or lts-secur...@debian.org (private alias) for reporting security issues in stretch.

--abhijith