Hi,
FYI I prepared a patch for jessie, see:
https://lists.debian.org/debian-lts/2019/02/msg00164.html
For stretch, it is worth noting that the fix depends on whether mysql or
mysqli is enabled, whether open_basedir is in effect, and whether we're
protecting against user SQL queries or phpmyadmin-
Uploaded to jessie-security.
msi_dirent_new()
Fix more fuzzer errors
etc.
so most probably there isn't a single clean patch to apply :/
We might want to just bump to buster and bullseye to 2.3, there's only
one rdep AFAICS.
Cheers!
Sylvain Beucler
Debian LTS Team
(this week's Front-Desk person)
Hi,
On Sat, 10 Oct 2020 09:45:42 +0300 "Stefan Hornburg (Racke)" wrote:
On 10/7/20 3:03 PM, Sylvain Beucler wrote:
> I noticed this local root escalation yesterday and I'm working on a
> Stretch LTS update.
> See also https://salsa.debian.org/sympa-team/sympa/-/merge_r
On 07/12/2020 12:06, Stefan Hornburg (Racke) wrote:
On 12/7/20 10:52 AM, Sylvain Beucler wrote:
This high-severity issue was marked with:
[buster] - sympa (Will be fixed via point release)
Consequently I am surprised that it wasn't part of last week's Debian 10.7
point rele
s/27
https://gitlab.gnome.org/GNOME/evolution-ews/issues/36
https://bugzilla.redhat.com/show_bug.cgi?id=1678313
Note: depends on evolution-data-server patch
Cheers!
Sylvain Beucler / Debian LTS
elog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-11065
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11065
https://github.com/gradle/gradle/pull/8927
Cheers!
Sylvain Beucler
control: severity -1 important
thanks
Hi,
Note that jessie-elts is not part of the official Debian project, see
https://wiki.debian.org/LTS/Extended
So using Debian-specific resources (the BTS) for elts-specific issues
may be considered an abuse.
Cheers!
Sylvain Beucler
Debian LTS Team
On Thu, 12 Aug 2021 00:17:36 +0200 Andreas
l authPriv -u testuser -a SHA -A
testpass -x AES -X testpass 127.0.0.1 1.3.6.1.2.1.1.5 1.3.6.1.2.1.1.7
Error in packet.
Reason: (genError) A general failure occured
Cheers!
Sylvain Beucler
Debian LTS Team
Hi,
On 06/07/2020 19:11, Sylvain Beucler wrote:
> Do we have definite info on what versions are affected?
>
> I cannot reproduce the issue in jessie/stretch/buster (5.7.x).
>
> Incidentally Salvatore's test now yields an error in bullseye
> (5.8dfsg-3), though I susp
Hi,
On 07/07/2020 17:07, Sylvain Beucler wrote:
> On 06/07/2020 19:11, Sylvain Beucler wrote:
>> Do we have definite info on what versions are affected?
>>
>> I cannot reproduce the issue in jessie/stretch/buster (5.7.x).
>>
>> Incidentally Salvatore'
the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-11724
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11724
Cheers!
Syl
Hi,
On Tue, 6 Aug 2019 08:28:43 +0200 Salvatore Bonaccorso wrote:
> Thanks for keeping track and following up.
>
> On Tue, Aug 06, 2019 at 08:05:11AM +0200, Bastian Blank wrote:
> > Moin
> >
> > On Tue, Jul 02, 2019 at 01:38:10PM +0200, Moritz Muehlenhoff wrote:
> > > On Tue, Jul 02, 2019 at 01:
Hi,
I noticed this local root escalation yesterday and I'm working on a
Stretch LTS update.
See also https://salsa.debian.org/sympa-team/sympa/-/merge_requests/1
Are there plans to update buster?
Cheers!
Sylvain
In case this helps, here's some documentation to test the issue with the
new upstream test cases:
https://wiki.debian.org/LTS/TestSuites/nginx
and my planned stretch package:
https://www.beuc.net/tmp/debian-lts/nginx/
Cheers!
Sylvain Beucler
Debian LTS Team
diff -Nru nginx-1.10.3/d
Control: fixed -1 2.7.4-1+deb11u2
thanks
> For the latter, it would be cool if
> the maintainers of the affected packages,
> Vincent for latex-make
> Sylvain and David for page-crunch
> the Zope guys and Andreas and Fabio for zope-textindexng3
> could weigh in here. I'll look at your packages, but if you already know
> w
Package: iceweasel
Version: 3.0.5-1
Severity: grave
Tags: security
Justification: user security hole
Since Debian stable is a "frozen" distro, it's not uncommon to install
the official Firefox binaries when the next version of Firefox is
released, and isn't packaged in stable or backported yet. I
Package: php5-xapian
Version: 1.0.7-3.1
Severity: serious
Justification: Policy 2.3
The PHP license is incompatible with the GNU GPL license due to
strong restrictions on the usage of the term 'PHP'.
Thus combining PHP and Xapian through the php5-xapian module is
not permitted and cannot be redis
Package: gnome
Version: 1:2.14.3.5
Severity: grave
Justification: renders package unusable
Steps to reproduce:
- put CD in drive
- click on the computer icon
- click on the cdrom drive
You get something like "impossible to mount the selected volume", and in the
detailed log there is:
libhal-sto
> tla 1.3.5+dfsg-2 fails to build from source on arm, sparc, ia64 and
> hppa[1].
Actually it builds, but the test suite fails on those architectures. I
reported that upstream and they're working on it.
http://lists.gnu.org/archive/html/gnu-arch-users/2006-08/msg6.html
Maybe we can drop the te
Hi,
I know this may come as a shock, given how often this isn't the case,
but the contrib status is dutifully documented in the copyright file:
https://metadata.ftp-master.debian.org/changelogs//contrib/c/cytadela/cytadela_1.1.0-4_copyright
;)
Please review and revise severity / close accordi
ackages.
-- no debconf information
--- automake1.10-1.10.1/debian/changelog
+++ automake1.10-1.10.1/debian/changelog
@@ -1,3 +1,11 @@
+automake1.10 (1:1.10.1-4) stable-security; urgency=high
+
+ [ Sylvain Beucler ]
+ * Fix CVE-2009-4029, which created world-writable directories in
+distri
Note: the patch comes from:
http://lists.gnu.org/archive/html/automake-patches/2009-11/msg00017.html
--
Sylvain
Hi,
Any progress?
--
Sylvain
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Hi,
Any progress on that RC issue?
For the record, I saw that there were commits towards v2.0 (9/2009):
http://svn.debian.org/wsvn/debtorrent/debtorrent/trunk/debian/changelog
but they do not reference this particular bug.
--
Sylvain
@BSP2010
Hi,
The 'lam' package uses the AC_LIBLTDL_CONVENIENCE macro, which forces
the use of the bundled copy. It only supports
--disable-ltdl-convenience which just produces an error ("this package
needs a convenience libltdl"). Note that this is a libtool 1.5
feature, not libtool 2 (where it's depreca
Package: slapd
Severity: normal
When you use:
slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d/
slapd converts slapd.conf to /etc/ldap/slapd.d/ .
So it's possible that both are not desync'd on your system, and that
only slapd.conf is a valid configuration.
Can you precise what errors yo
I'm having a look at this.
I had worked on this package a while ago, and I'm currently doing a NM
Tasks&Skills, so it's a pleasure ;)
--
Sylvain
Patched package available at:
http://mentors.debian.net/cgi-bin/sponsor-pkglist?action=details;package=tla
--
Sylvain
On Tue, Dec 15, 2009 at 01:31:30PM +0100, Sylvain Beucler wrote:
> Patched package available at:
> http://mentors.debian.net/cgi-bin/sponsor-pkglist?action=details;package=tla
Ben noticed that part of the bundled libexpat was still used.
I missed 2 "-I ../lib/expat" occurrence
n_expat.dpatch by Sylvain Beucler
##
## All lines beginning with `## DP:' are a description of the patch.
-## DP: use system expat to address CVE-2009-3560 and CVE-2009-3720 DoS
-## DP: see also debian/rules, target 'clean'
+## DP: No description.
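Review bot: the `## DP:` header here drops the two description lines that record the patch's purpose (use of the system expat to address the CVE-2009-3560 and CVE-2009-3720 DoS issues, and the pointer to the 'clean' target in debian/rules) and replaces them with `+## DP: No description.`; that loses the only in-tree documentation of why the patch exists and which CVEs it covers, so the original `## DP:` lines should be kept (or the new header should restate the CVE ids and the debian/rules cross-reference).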
tla-1.3.5+dfsg.orig/src/tl
OK, so as far as I understand, we'd better pass '-dSAFER -P-' to
'ps2pdf' (which is AFAICS the only ghostscript script that's used in
page-crunch).
David, what do you think?
- Sylvain
On Tue, Jun 01, 2010 at 11:14:06AM +1000, Paul Szabo wrote:
> Package: page-crunch
> Severity: grave
> Tags: sec
The idea to place it in _contrib_ (not in 'non-free') makes sense to
me.
Placing it in 'main' encourages DDs to add more non-modifiable data
there.
If the tools to modify were lost, then users are locked anyway.
Similarly we wouldn't place executable binaries in 'main' if people
had lost the cor
Package: libsfml-dev
Version: 1.6+dfsg1-2+b1
Severity: serious
Justification: Policy 2.2.1
Hi,
In the SFML fonts tutorial, it is mentioned that "SFML provides a
default built-in one, which is Arial with a character size of 30."
http://sfml-dev.org/tutorials/1.6/graphics-fonts.php
The file is ind
Thanks, I already identified the bug and I think I'll make a new
upstream release.
- Sylvain
- Forwarded message from Bruno Haible -
Date: Tue, 20 Apr 2010 00:29:29 +0200
From: Bruno Haible
To: bug-gnu...@gnu.org
Cc: Sylvain Beucler
Subject: Re: install-reloc error on Debian-hur
1h too late - I actually just uploaded 1.0.1 which uses newer libvlc,
please test when it's built for your architecture :)
- Sylvain
On Fri, Jul 02, 2010 at 06:09:50PM -0400, Chris wrote:
> Package: cytadela
> Version: 1.0.0-2
> Severity: grave
> Justification: renders package unusable
>
>
> cy
> Tested, new package 1.0.1-1 that uses libvlc5 works fine. Closing bug. :-)
Neat, thanks for testing.
Enjoy the game :)
--
Sylvain
Package: libnss-mysql-bg
Version: 1.5-3+b1
Followup-For: Bug #729986
Confirmed here, I just lost two evenings tracing down a weird rsync
issue at Gna(.org) down to this.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=641404 sheds some
light on the patch's purpose.
I guess it was tested with (
jupyterlab to 4.2.5, hinting the actual vulnerability is only in jupyterlab.
Though, perhaps the same code is present directly in jupyter-notebook<7?
I'm not sure how exactly jupyter-notebook and the trixie-specific
jupyterlab packages interact with each others, so I'd welcome insights
in that regard :)
Cheers!
Sylvain Beucler
Debian LTS Team
ommit from fork" :
https://github.com/jupyterlab/jupyterlab/commit/88e24baac551196f9cb3de16bd060a7ab1597674
https://github.com/jupyterlab/jupyterlab/commit/06ad9de836f155add7d3d651ef936cc4c5ea8093
which does seem related to HTML filtering and DOM clobbering.
Do you concur?
Cheers!
Sylvain Beucler
Debian LTS Team
Hello Julian,
Thanks for the fast answer, I added a note in
security-tracker:data/dla-needed.txt stating that we'll wait until the
next PU.
Cheers!
Sylvain Beucler
Debian LTS Team
d.
Cheers!
Sylvain Beucler
Debian LTS Team
On Tue, 30 Apr 2024 15:56:07 +0100 "Barak A. Pearlmutter" wrote:
I just made a debian-bookworm-proposed-updates branch rooted there and
tried to cherry-pick the fix,
https://fossil-scm.org/home/info/f4ffefe708793b03 but it does not
apply cleanly. O
acker/-/blob/master/data/packages/lts-do-call-me
Also, we're not familiar with the Debian signing service. Are there
additional steps or tests to perform? Is it setup for
security-master:oldstable?
Last, let us know if we can help with the bookworm update :)
Cheers!
Sylvain Beucler
Debia
Hi,
On 04/05/2025 19:46, Sylvain Beucler wrote:
Attached is a debdiff for bookworm.
I'd like to send a PU very soon (like, tomorrow) since the deadline for
the next point release is next week-end
Notes for the bookworm PU:
Minimal backport of upstream changes, that make the HTTP c
obably need to backport a few pre-requisites that hardens
constant-time operations.
Backporting 3.23 could be another option. AFAICS the only reverse
dependency is tpm-tools.
What do you think?
Cheers!
Sylvain Beucler
Debian LTS Team
ll cases cloning is now fixed.
Binaries available at:
https://salsa.debian.org/lts-team/packages/fossil/-/pipelines/861000
https://salsa.debian.org/lts-team/packages/fossil/-/jobs/7535062/artifacts/browse/debian/output/
Can you review/test? :)
Cheers!
Sylvain Beucler
Debian LTS Team
diff -Nru fossil-
Hi,
I'm working on minimal bullseye bookworm debdiffs, I'll test it some
more and get back to you.
Cheers!
Sylvain Beucler
Debian LTS Team
Control: forwarded 1042715 https://salsa.debian.org/horde-team/php-horde-editor/-/merge_requests/1
thanks
Hello Paulo,
Do you have an opinion on this? :)
Cheers!
Sylvain Beucler
Debian LTS Team
On Mon, 5 May 2025 13:10:13 +0200 Sylvain Beucler wrote:
Package: opencryptoki
X-Debbugs-CC: t...@security.debian.org, debian-...@lists.debian.org
Severity: grave
Tags: security
Hi,
I'm part o
/395149956d696e6e3099d8b76d797437f94a6942#diff-88a43083a0af8a34f1f0839670eea79d7b201bad3e5662e97159075880cbL1905-R1941
Cheers!
Sylvain Beucler
Debian LTS Team
On 19/07/2025 12:15, Sylvain Beucler wrote:
The My_ZeroMemory logic appears to have been introduced in the 24.05
import:
https://github.com/ip7z/7zip/
commit/395149956d696e6e3099d8b76d797437f94a6942#diff-88a43083a0af8a34f1f0839670eea79d7b201bad3e5662e97159075880cbL1905-R1941