Re: [SECURITY] [DSA 797-2] Updated zsync i386 packages fix build error
Michael Stone <[EMAIL PROTECTED]> wrote:

> Package: zsync
[...]
> There was a build error for the sarge i386 proftpd packages released in
                                             ^^^
> DSA 797-1. A new build, zsync_0.3.3-1.sarge.1.2, has been prepared to
                                                ^
> correct this error.

Typos like this are becoming more and more common in security announcements. Don't want to complain; I know how much good work you do and how comparably irrelevant this is. I just wanted to make you aware of this - maybe you do not only need more people, but also some clever DSA-generation script.

Regards, Frank

-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
Re: [SECURITY] [DSA 875-1] New OpenSSL packages fix cryptographic weakness
[EMAIL PROTECTED] (Martin Schulze) wrote:

> The following matrix explains which version in which distribution has
> this problem corrected.
>
>               oldstable (woody)   stable (sarge)    unstable (sid)
> openssl       0.9.6c-2.woody.8    0.9.7e-3sarge1    0.9.8-3
> openssl094    0.9.4-6.woody.4     n/a               n/a
> openssl095    0.9.5a-6.woody.6    n/a               n/a
> openssl096    n/a                 0.9.6m-1sarge1    n/a
> openssl097    n/a                 n/a               0.9.7g-5

This is confusing - openssl097 is marked as "n/a" for sarge, while in fact the openssl package has version 0.9.7. It is only logical if you know the names of the source packages, but you shouldn't expect that from everyone reading that advisory.

> Debian GNU/Linux 3.0 alias woody
>

Furthermore, it would be great if these mails would state somewhere in the actual text for which distributions an update is already available (and possibly for which arches). I read the mail cursorily, decided that I did not need to know the details, just upgrade, and was surprised that aptitude had nothing to upgrade. I had to read the mail again, scrolling along the list of woody packages, to learn that there is nothing but woody packages.

Thanks for considering,
Frank

-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
Re: [SECURITY] [DSA 1259-1] New fetchmail packages fix information disclosure
Moritz Muehlenhoff <[EMAIL PROTECTED]> wrote:

> For the upcoming stable distribution (etch) this problem has been
> fixed in version 6.3.6~rc5-1.
>
> For the unstable distribution (sid) this problem has been fixed in
> version 6.3.6~rc5-1.

According to the changelog, it was not fixed in this version, but in 6.3.6-1. Since this is the version in etch, there's no practical difference, but in case you keep some statistics...

Thanks for your work!
Frank

-- 
Dr. Frank Küster
Single Molecule Spectroscopy, Protein Folding @ Inst. f. Biochemie, Univ. Zürich
Debian Developer (teTeX/TeXLive)
Re: [SECURITY] [DSA 1266-1] New gnupg packages fix signature forgery
Moritz Muehlenhoff <[EMAIL PROTECTED]> wrote:

> For the upcoming stable distribution (etch) these problems have been
> fixed in version 1.4.6-2.

However, etch still has 1.4.6-1, and no freeze exception has been requested. I'm not sure about the policy for security updates in etch, but it doesn't seem proper to announce the availability in a DSA if it's not yet true...

Regards, Frank

-- 
Dr. Frank Küster
Single Molecule Spectroscopy, Protein Folding @ Inst. f. Biochemie, Univ. Zürich
Debian Developer (teTeX/TeXLive)
Re: [SECURITY] [DSA 1266-1] New gnupg packages fix signature forgery
Steve Langasek <[EMAIL PROTECTED]> wrote:

> On Wed, Mar 14, 2007 at 11:43:40AM +0100, Frank Küster wrote:
>> Moritz Muehlenhoff <[EMAIL PROTECTED]> wrote:
>
>> > For the upcoming stable distribution (etch) these problems have been
>> > fixed in version 1.4.6-2.
>
>> However, etch still has 1.4.6-1, and no freeze exception has been
>> requested.
>
> But it has been granted.

Ah, thanks - this had not been propagated to http://bjorn.haxx.se/debian/testing.pl?package=gnupg when I wrote the mail.

Regards, Frank

-- 
Dr. Frank Küster
Single Molecule Spectroscopy, Protein Folding @ Inst. f. Biochemie, Univ. Zürich
Debian Developer (teTeX/TeXLive)
Embedded xpdf code: new incarnation found
Hi,

is there some publicly available list of packages which contain xpdf code? I think I have found a new one:

,----[ ipe-6.0pre28/debian/copyright ]
| Ipe uses [...], as well as some code
| from Xpdf by Derek B. Noonburg (www.foolabs.com/xpdf).
`----

Regards, Frank

-- 
Frank Küster
Single Molecule Spectroscopy, Protein Folding @ Inst. f. Biochemie, Univ. Zürich
Debian Developer (teTeX/TeXLive)
Embedded ICU copy in texlive-bin (was: [SECURITY] [DSA 1889-1] New icu packages correct multibyte sequence parsing)
Hi, This DSA made me aware that there might be a problem in texlive. It contains a changed copy of libicu; the changes are needed by xetex, and xetex upstream intends to have them merged. But for the time being, the code copy is there. I fear I won't have time to work on a security update of texlive right now, and Norbert is busy as well. I have added the information to embedded-code-copies, a diff (which also includes some more TeXLive-related corrections) is attached. Regards, Frank -- Dr. Frank Küster Debian Developer (TeXLive) VCD Aschaffenburg-Miltenberg, ADFC Miltenberg B90/Grüne KV Miltenberg --- embedded-code-copies.orig 2009-09-17 11:26:34.0 +0200 +++ embedded-code-copies 2009-09-17 11:32:57.0 +0200 @@ -98,9 +98,8 @@ [etch] - pdftohtml <unfixed> NOTE: has been replaced by poppler-utils - kdegraphics 4:4.2.2-1 (embed; bug #436164) -- texlive-base 3.0-12 (embed) - texlive-bin 2007-1 (embed) -NOTE: links to poppler +NOTE: unused code, links to poppler instead - koffice <unfixed> (embed; bug #436163) - libextractor 0.5.12-1 (embed) NOTE: libextractor is using its own pdf decoder now @@ -577,7 +576,9 @@ t1lib - tetex-bin 2.0.2-1 (embed) -- texlive-bin <unknown> (embed) +- texlive-bin <not-affected> (embed) +NOTE: completely unused code (configured with +--with-system-t1lib, but no Build-dep on t1) guichan - boswars <unfixed> (embed) @@ -996,6 +997,11 @@ pidgin - gaim <old-version> +icu +- texlive-bin <unfixed> (embed) +NOTE: The embedded copy is kind-of-a-fork, +upstream is working with icu to get changes +merged back.
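Review bot: in the first hunk (@@ -98,9 +98,8 @@), the removal of "- texlive-base 3.0-12 (embed)" from the [etch] xpdf section carries no NOTE saying why texlive-base no longer counts as embedding xpdf, while the neighbouring texlive-bin entry does get one ("NOTE: unused code, links to poppler instead"), and the cover mail only describes the diff as including "some more TeXLive-related corrections". Add a NOTE line (or a sentence in the mail) stating whether texlive-base never shipped the xpdf code or the entry was a duplicate of texlive-bin, so the next person auditing the list does not have to re-derive it.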
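Review bot: in the t1lib hunk (@@ -577,7 +576,9 @@), the justification added for "<not-affected>", "NOTE: completely unused code (configured with" / "--with-system-t1lib, but no Build-dep on t1)", does not by itself show that the bundled code is unused: the flag selects the system library, and with no Build-Depends on it the reader cannot tell from the note whether configure drops the t1lib-dependent parts or quietly uses the bundled copy. State explicitly that the bundled t1lib sources are neither compiled nor linked into any shipped binary (naming the binaries that would otherwise use them), so the <not-affected> status is justified by the note rather than by the configure flag.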
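Review bot: in the last hunk (@@ -996,6 +997,11 @@), the new entry "- texlive-bin <unfixed> (embed)" gives no version and no bug reference, unlike other entries in this file such as "- kdegraphics 4:4.2.2-1 (embed; bug #436164)"; since the entry is being added in response to DSA 1889-1, record the affected texlive-bin version and file or cite a bug so that the <unfixed> status has something to be tracked against. The NOTE's "kind-of-a-fork" also leaves open whether the multibyte sequence parsing code corrected by the DSA is among the diverged parts; naming what the embedded copy changes relative to upstream icu would let the next reader judge whether the icu fix applies as-is.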