On Tue, Aug 09, 2016 at 06:24:40PM +1000, Brian May wrote:
> Salvatore Bonaccorso writes:
>
> > Hi,
> >
> > Just a quick comment on:
> >
> > On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote:
> >> I am inclined to say that no version of twisted, by itself, has this
> >> vulnerability. How
On Tue, Aug 09, 2016 at 06:50:47PM +0100, Chris Lamb wrote:
> > import sys
> >
> > try:
> >     import requests
> > except ImportError:
> >     sys.stderr.write("You need to install python3-requests\n")
> >     sys.exit(1)
>
> This seems unnecessary; ``requests`` was always required, it would make
> the behaviour incon
Hi,
On Tue, Aug 09, 2016 at 06:24:40PM +1000, Brian May wrote:
> But there is a reference to twisted/web/twcgi.py in ./ChangeLog.Old -
> and twisted/web/twcgi.py is in the upstream git repository for the
> twisted-12.0.0 tag.
>
> Oh, I see, it looks like the source was split up for the Debian
> p
Oh. I was not aware . had precedence over +. I'll make a new upload and a
new DLA.
Sent from a phone
On 9 Aug 2016 18:47, "Adam D. Barratt" wrote:
> On 2016-08-08 10:52, Ola Lundqvist wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA256
>>
>> Package: mongodb
>> Version
On Tuesday, 9 August 2016 11:09, Emilio Pozuelo Monfort
wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package : fontconfig
Version : 2.9.0-7.1+deb7u1
CVE ID : CVE-2016-5384
Debian Bug : 833570
A possible double free vulnerability was fou
> import sys
>
> try:
>     import requests
> except ImportError:
>     sys.stderr.write("You need to install python3-requests\n")
>     sys.exit(1)
This seems unnecessary; ``requests`` was always required, it would make
the behaviour inconsistent with all the other scripts which also have
dependencies that are in
On Tue, Aug 09, 2016 at 01:13:23PM +0200, Ola Lundqvist wrote:
> Hi Chris
>
> After fiddling with this for a while I realize that there is a
> python-requests package but there is also a python3-requests package.
> After installing that it works just fine.
>
> I have now committed a change docume
On 2016-08-08 10:52, Ola Lundqvist wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: mongodb
Version: 2.0.6-1+deb7u1
wheezy already has 2.0.6-1.1, which is a higher version.
Regards,
Adam
On Tuesday, 9 August 2016 7:21, Balint Reczey
wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package : libreoffice
Version : 3.5.4+dfsg2-0+deb7u8
CVE ID : CVE-2016-1513
An OpenDocument Presentation .ODP or Presentation Template .OTP file
can
On Tuesday, 9 August 2016 4:39, Brian May
wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package : python-django
Version : 1.4.22-1
The release team recently approved rebasing jessie on latest
python-django 1.7.x (see #807654). For similar reasons,
Ola Lundqvist writes:
> However I was referring to the side-channel problem that was reported
> in the CVE and not to the unintended side-effect of the correction.
I see.
> Do you know a way to trigger the problem reported in the CVE, please
> let me know.
I'm afraid it's not so easy.
One app
Hi Niels
Thank you for the information.
// Ola
On Tue, Aug 9, 2016 at 3:32 PM, Niels Möller wrote:
> Ola Lundqvist writes:
>
>> However I was referring to the side-channel problem that was reported
>> in the CVE and not to the unintended side-effect of the correction.
>
> I see.
>
>> Do you kn
Hi Niels
Thank you for this instruction. Yes the modulo check is rather easy to
check. Definitely easier with your instruction than without.
However I was referring to the side-channel problem that was reported
in the CVE and not to the unintended side-effect of the correction.
Do you know a way
Ola Lundqvist writes:
> I have not tried to reproduce the potential side-channel issue as that one
> is rather hard to trigger. If anyone knows about a tool for that, please let
> me know.
One basically has to patch a valid private key and clear the least
significant bit of p or q.
With lsh, se
Whoops! Now I understand the confusion. :-) Sorry about that.
Cut and paste error from my part.
// Ola
On Tue, Aug 9, 2016 at 2:12 PM, Julien Cristau wrote:
> On Tue, Aug 9, 2016 at 13:37:44 +0200, Ola Lundqvist wrote:
>
>> Hi chris
>>
>> I pasted all traceback I had. :)
>
> No you didn't, you
On Tue, Aug 9, 2016 at 13:37:44 +0200, Ola Lundqvist wrote:
> Hi chris
>
> I pasted all traceback I had. :)
No you didn't, you excluded the most important part:
ImportError: No module named 'requests'
Cheers,
Julien
> He did post the entire traceback.
Nope, or at least not in my MTA.. http://i.imgur.com/VD7Xmpb.jpg
*shrugs*
--
Chris Lamb
chris-lamb.co.uk / @lolamby
> I pasted all traceback I had. :)
That's .. very odd. You should have seen (at least!) "ImportError:
No module named requests" which would have pointed out the problem
quite quickly.
(I was also confused that you pointed to a commit about encoding
issues, rather than one moving to Python 3..)
A
Hi chris
I pasted all traceback I had. :)
If you know a way to get more then please let me know.
/ Ola
Sent from a phone
On 9 Aug 2016 13:23, "Chris Lamb" wrote:
> > After fiddling with this for a while I realize that there is a
> > python-requests package but there is also a python3-requests
He did post the entire traceback. Without python3-requests, this is all
that happens:
Traceback (most recent call last):
  File "./find-work", line 7, in <module>
    import requests
ImportError: No module named 'requests'
That is the entirety of it; there is nothing more.
In any event, I am happy that
On Tue, Aug 09, 2016 at 08:57:24PM +1000, Brian May wrote:
> > ah, CVE-2016-6186! :-) That "magic string" should have been part of your
> > announcement and of course that's very easy to say now.
> ... except CVE-2016-6186 had already been fixed by DLA 555-1 for Django
> version 1.4.5-1+deb7u17 - so
> After fiddling with this for a while I realize that there is a
> python-requests package but there is also a python3-requests package.
Oh, that simple? That should have been pretty obvious if you had pasted
the traceback..
Anyway, I'm glad I could fix the locale issue for myself.
Regards,
--
Hi Chris
After fiddling with this for a while I realize that there is a
python-requests package but there is also a python3-requests package.
After installing that it works just fine.
I have now committed a change documenting this requirement at the top
of the script.
Best regards
// Ola
On Tu
Holger Levsen writes:
> ah, CVE-2016-6186! :-) That "magic string" should have been part of your
> announcement and of course that's very easy to say now.
... except CVE-2016-6186 had already been fixed by DLA 555-1 for Django
version 1.4.5-1+deb7u17 - so it seemed pointless referring to a CVE th
Hi Ben
Thank you for this information. Very good to know.
/ Ola
Sent from a phone
On 8 Aug 2016 23:29, "Ben Hutchings" wrote:
> On Mon, 2016-08-08 at 11:52 +0200, Ola Lundqvist wrote:
> > Package: mongodb
> > Version: 2.0.6-1+deb7u1
> > CVE ID : CVE-2016-6494
> > Debia
Hi Brian,
(replying to your two mails in one.)
On Tue, Aug 09, 2016 at 08:18:53PM +1000, Brian May wrote:
> No, the upload did not include any new vulnerabilities that I know
> of. Otherwise I would have listed them.
>
> See https://lists.debian.org/debian-lts/2016/07/msg00069.html for the
> reas
Holger Levsen writes:
> https://www.debian.org/security/2016/dsa-3622 says django-python 1.7 is
> prone to a cross-site scripting vulnerability in the admin's add/change
> related popup - is this the issue this DLA is addressing?
No, the upload did not include any new vulnerabilities that I know
Holger Levsen writes:
> IMO a DLA should always explain why an update was done, at least
> very briefly. More pointers are good, but just a numeric pointer alone
> is a bit too little.
I asked for help here on the wording of the DLA, but got none. So I had
to make do with the best I could come u
Hi OpenSSH Maintainers and LTS team
I have prepared an update for wheezy now.
You can find the debdiff here:
http://apt.inguza.net/wheezy-security/openssh/openssh.debdiff
And the prepared package here:
http://apt.inguza.net/wheezy-security/openssh/
I have regression tested the package by instal
Hi,
On Tue, Aug 09, 2016 at 06:38:46PM +1000, Brian May wrote:
> Package: python-django
> Version: 1.4.22-1
>
> The release team recently approved rebasing jessie on latest
> python-django 1.7.x (see #807654). For similar reasons, it makes sense
> to rebase wheezy on latest 1.4.x
Salvatore Bonaccorso writes:
> You need to either reupload the dsc and orig.tar.gz as long as the other
> files are still kept in the upload directory, or alternatively remove
> the upload from the SecurityUploadQueue on security-master with dcut,
> resign the changes and then reupload.
No, I can'
Salvatore Bonaccorso writes:
> Hi,
>
> Just a quick comment on:
>
> On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote:
>> I am inclined to say that no version of twisted, by itself, has this
>> vulnerability. However like I said earlier it is possible that
>> applications that use twisted
32 matches