e additional Gradle repository, which I cannot find
right now. But I had to downgrade its version manually as the Gradle
devs hadn't uploaded their newest version to a public registry yet when
I was working on it. But it was also built with Gradle.
Best,
Moritz
On 17.03.2025 10:42, J
s.
Best,
Moritz
ala for a new arch, why can't this happen on a buster
system?
Cheers,
Moritz
h, so
> that fits with the Bookworm release timeline.
That's fine with me (if doko continues to update it in unstable) (and if we
again only have 17 as the default + 21 preview/secondary JRE). And 11 not in
testing.
Cheers,
Moritz
y (along with proper testing), we can also omit a note
for src:debian-security-support.
Cheers,
Moritz
On Wed, Nov 25, 2020 at 08:55:35AM -0800, tony mancill wrote:
> On Wed, Nov 25, 2020 at 09:26:13AM +0100, Moritz Muehlenhoff wrote:
> > On Tue, Nov 24, 2020 at 03:05:26PM -0800, tony mancill wrote:
> > > Hello Matthias, Tiago, and other members of the OpenJDK team,
> > >
anuary, fixing this
via the upcoming 10.7 point release is an option:
https://lists.debian.org/debian-live/2020/11/msg0.html
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions
Cheers,
Moritz
e wants to run
which requires 17 as the next LTS.
Cheers,
Moritz
On Wed, Nov 18, 2020 at 12:20:37PM +0100, Matthias Klose wrote:
> [removed the Python 2 bits]
>
> On 11/17/20 11:08 PM, Moritz Muehlenhoff wrote:
> > Package: debian-security-support
> > Severity: normal
> > X-Debbugs-Cc: d...@debian.org, t...@security.debian.or
en able to test it more yet).
Yeah, I wanted to let it settle in unstable for a few days, but a
stretch-security build is already running and should appear in the
next days.
Cheers,
Moritz
P assistants is objecting to the upload
> to unstable, apparently because somebody (security team, Moritz?) asked to
> restore these packages in experimental instead of unstable. Otoh, we still need
> these packages in unstable to bootstrap kotlin (yes we can bootstrap in experimental,
tself, buster must not be released with it. Please don't let random
init system discussions derail this.
Cheers,
Moritz
that's fine (we also
do that for openjdk-X to stage updates in stable/oldstable), but let's remove
it from unstable/testing in any case.
Cheers,
Moritz
On Fri, Feb 03, 2017 at 10:06:19AM +0100, Sebastiaan Couwenberg wrote:
> Fixed versions:
>
> * jessie: 0~svn95-1+deb8u1
> * wheezy: 0~svn95-1+deb7u1
>
> Are these changes OK for upload to security-master?
Thanks. Please upload.
Cheers,
Moritz
r Jessie again.
But we don't generally mix bugfix and security updates. There are a few
exceptions - when something was acked by stable release managers
and then a security update happened before the release of the point
update - but generally all non-security changes should be acked by the
stable release managers.
Cheers,
Moritz
On Wed, Jun 22, 2016 at 06:19:08PM +0200, Markus Koschany wrote:
> On 22.06.2016 08:47, Moritz Mühlenhoff wrote:
> > On Wed, Jun 22, 2016 at 01:01:14AM +0200, Markus Koschany wrote:
> >> On 22.06.2016 00:43, Emmanuel Bourg wrote:
> >>> Le 22/06/2016 à
we have two options:
> Patching 5.1.39 and make it compatible for Jessie /Wheezy or use 5.1.34
> directly.
I'd prefer to make 5.1.39 compatible, there might be an additional
mysql-connector-java security issue in the future, for which 5.1.34 will
be insufficient and then we already have the java 7 compat sorted out.
Cheers,
Moritz
s CVE as a minor issue. Any thoughts?
Agreed. I already discussed briefly with ebourg who suggested the same.
Can you prepare an update for jessie-security?
Cheers,
Moritz
s /var/lib/tomcat8/lib
>
> I don't feel comfortable fixing #825786 directly in a stable security
> update. It would be safer to test it in unstable/testing first, we may
> have missed some important use cases.
Agreed, let's fix the remaining ones for now and have this cook in sid/stretch
first.
Cheers,
Moritz
On Tue, Mar 29, 2016 at 11:23:30PM +0200, Markus Koschany wrote:
> Am 29.03.2016 um 23:01 schrieb Moritz Mühlenhoff:
> > On Tue, Mar 29, 2016 at 10:03:56PM +0200, Markus Koschany wrote:
> >> The Security Team decided to mark the issues in Jessie as no-dsa because
> >> w
On Wed, Mar 16, 2016 at 02:21:06PM +0100, Markus Koschany wrote:
> Am 14.03.2016 um 23:06 schrieb Moritz Mühlenhoff:
> > On Sat, Feb 27, 2016 at 11:45:45PM +0100, Markus Koschany wrote:
> >> Hi,
> >>
> >> as you know Tomcat 6 is affected by new security vu
ibxstream-java package. Otherwise the patch is
> identical to the one I already sent to you. I think this is a better
> solution and I hope you agree.
Thanks, please upload both to security-master.
Cheers,
Moritz
upload version
> 6.0.41 instead, which is more tested, and prepare another upload
> afterwards. I wouldn't mind this incremental approach but I could also
> merge 6.0.45 into Wheezy right now.
Sorry for the late reply. Let's move to 6.0.45 right away.
Cheers,
Moritz
to upgrade the package
> > when they take over the maintenance in April we could ask the Security
> > Team to do this upgrade earlier.
>
> I am in favor of this solution, especially because we haven't heard
> anything negative about this approach for Squeeze-LTS. If the Security
> Team agrees I am going ahead and backport this release to Wheezy, test
> the package and send the debdiff to them.
Ok, please go ahead.
Cheers,
Moritz
the versions in
wheezy and jessie have the same tarball, please build jessie-security with
"-sa", upload to security-master and then upload a wheezy-security build w/o
"-sa". (That's due to bugs in dak on security master)
Cheers,
Moritz
--
To UNSUBSCRIBE, email to debian-java-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150628120138.GA7105@pisco.westfalen.local
illa.redhat.com/show_bug.cgi?id=CVE-2014-0225
Cheers,
Moritz
Archive: https://lists.debian.org/20141126114130.ga3...@inutil.org
On Sat, Oct 25, 2014 at 09:29:16AM -0700, tony mancill wrote:
> On 10/25/2014 06:43 AM, Moritz Mühlenhoff wrote:
> > On Thu, Oct 23, 2014 at 08:33:38PM -0700, tony mancill wrote:
> >> On 10/23/2014 01:28 PM, Moritz Mühlenhoff wrote:
> >>> On Wed, Oct 22, 2014 at 02
On Thu, Oct 23, 2014 at 08:33:38PM -0700, tony mancill wrote:
> On 10/23/2014 01:28 PM, Moritz Mühlenhoff wrote:
> > On Wed, Oct 22, 2014 at 02:41:55PM +0200, Emmanuel Bourg wrote:
> >> Hi all,
> >>
> >> I've just uploaded an update of the tomcat6 pack
to the version 2.x to fix the build failure.
>
> All the other packages which were relying on tomcat6 have been updated
> to use tomcat7 or tomcat8.
Thanks, but wasn't the outcome of the discussion in April "Subject:
Tomcat version for jessie" to only ship tomcat8?
Che
>
> thanks for the heads-up. I forgot about this change. I cannot upload the
> package myself but Miguel Landaeta is willing to sponsor it. I just
> wanted to check with the security team if this vulnerability warrants a
> DSA before we upload axis to wheezy-security.
Thanks for getting i
n or similar is sufficient,
after all such migrations happen for a lot of components in Debian
and if anyone would install Tomcat from source she would face the
same migration problems.
Cheers,
Moritz
On Mon, Apr 28, 2014 at 04:37:41PM +0200, Salvatore Bonaccorso wrote:
> Hi,
>
> On Mon, Apr 28, 2014 at 02:16:13PM +0200, Emmanuel Bourg wrote:
> > Le 28/04/2014 13:22, Moritz Muehlenhoff a écrit :
> > > Hi,
> > > I noticed that tomcat8 was uploaded in
es or both?
Are there currently security fixes missing in unstable in comparison to
experimental?
Cheers,
Moritz
Archive: http://lists.debian.org/slrnkkp7h5.4ug@inutil.org
Matthias Klose schrieb:
> Am 01.03.2013 04:35, schrieb Moritz Mühlenhoff:
>> Backporting security fixes with Java has turned out to be more or less
>> unfeasible. I tried this once with DSA 2507 and I think that amounted to at
>> least two man days of work for that
u has shipped
backports to all suites in USN-1724 and AFAICS the world hasn't stopped.
After all, everyone using Oracle Java will be exposed to the same
behavioural changes.
So we should proceed with providing backports for openjdk in the future.
If Matthias keeps the Debian/Ubuntu pac
on the Java side, but I am not able to do it.
>
> I committed all my changes to the Git repository.
Please note that the initial fix was incomplete, CVE-2012-5920 was assigned for
that: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5920
Cheers,
Moritz
--
even
for a single package (huge size, weird upstream situation with
bits of icedtea mixed in).
An alternative would be to exclude it from security support
as we do for some web browsers, but that's a non-optimal
solution IMHO.
Cheers,
Moritz
On Thu, Jan 05, 2012 at 02:53:41PM -0430, Miguel Landaeta wrote:
> On Thu, Jan 5, 2012 at 1:43 PM, Moritz Muehlenhoff wrote:
> > currently there's Tomcat 6 and Tomcat 7 in Wheezy. Will 6 be dropped
> > before the Wheezy release? It would be good to only have one version
> >
decision.
bsh code copies don't strike me as a security-relevant overhead,
personally I don't have any objections.
Cheers,
Moritz
Archive: http://lists.debian.org/20100408220221.gc3...@galadriel.inutil.org