According to https://security-tracker.debian.org/tracker/CVE-2014-8127:
tiff 4.0.3-12.3+deb8u5 is vulnerable to CVE-2014-8127.
But according to the changelog CVE-2014-8127 was fixed in version
4.0.3-12.3+deb8u3:
tiff (4.0.3-12.3+deb8u3) jessie-security; urgency=high
* Backport fix for the fol

Hi Antoine
It is my fault that python developers were not contacted. I added the
package to dla-needed.txt yesterday (or possibly the day before) and
planned to contact the maintainers. But before I had the chance to do so
the package was already fixed and then it did not feel appropriate to
conta

On 2019-02-07 18:32:39, Markus Koschany wrote:
> Please do not CC me. I am subscribed.
>
> Am 07.02.19 um 18:23 schrieb Antoine Beaupré:
> [...]
>> Well, I don't think we should make such calls without announcing it and
>> documenting the new workflow clearly, first off.
>>
>> Second, I think I mo

Please do not CC me. I am subscribed.
Am 07.02.19 um 18:23 schrieb Antoine Beaupré:
[...]
> Well, I don't think we should make such calls without announcing it and
> documenting the new workflow clearly, first off.
>
> Second, I think I mostly agree with you, but we need to be certain we
> won't

On 2019-02-07 17:58:48, Markus Koschany wrote:
> Hello,
>
> Am 07.02.19 um 17:32 schrieb Antoine Beaupré:
> [...]
>> Am I missing something here? Did we change this practice, or is this an
>> oversight?
>
> I have been part of the team for three years now, from my experience
> almost all people are

Hello,
Am 07.02.19 um 17:32 schrieb Antoine Beaupré:
[...]
> Am I missing something here? Did we change this practice, or is this an
> oversight?
I have been part of the team for three years now, from my experience
almost all people are very happy when someone else fixes bugs in
oldstable. Most o

On 2019-02-07 16:48:56, Holger Levsen wrote:
> On Thu, Feb 07, 2019 at 11:44:45AM -0500, Antoine Beaupré wrote:
>> But maybe, instead, we should just mark it as unsupported in
>> debian-security-support and move on. There are few packages depending on
>> it, in jessie:
> [...]
>> in buster:
>> Note

On Thu, Feb 07, 2019 at 11:44:45AM -0500, Antoine Beaupré wrote:
> But maybe, instead, we should just mark it as unsupported in
> debian-security-support and move on. There are few packages depending on
> it, in jessie:
[...]
> in buster:
> Note that the list is (slowly) growing.
marking it un

On 2019-02-07 11:44:45, Antoine Beaupré wrote:
> https://dev.gentoo.org/~mgorny/articles/evolution-uid-trust-extrapolation.html
> https://blogs.gentoo.org/mgorny/2019/01/29/identity-with-openpgp-trust-model/
Oops, that second link should have been:
https://dev.gentoo.org/~mgorny/articles/attack-o

Hi,
Recently, python-gnupg was triaged for maintenance in Debian LTS, which
brought my attention to this little wrapper around GnuPG that I'm
somewhat familiar with.
Debian is marked as "vulnerable" for CVE-2019-6690 in Jessie and Stretch
right now, with buster and sid marked as fixed, as you can

Hi,
I was under the impression that we were supposed to contact maintainers
when we add packages to dla-needed.txt, as part of the triage work. That
is, at least, the method documented here:
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
Confident that people doing the triage

Hi Steve,
On 07/02/2019 12:12, Steve McIntyre wrote:
> On Mon, Jan 28, 2019 at 12:26:54AM +, Steve McIntyre wrote:
>> On Sun, Jan 27, 2019 at 06:33:29PM +, Steve McIntyre wrote:
>>>
>>> I'll give it a try now...
>>
>> And that worked on the first attempt. Using this approach, I've done
>>

On Mon, Jan 28, 2019 at 12:26:54AM +, Steve McIntyre wrote:
>On Sun, Jan 27, 2019 at 06:33:29PM +, Steve McIntyre wrote:
>>
>>I'll give it a try now...
>
>And that worked on the first attempt. Using this approach, I've done
>jessie builds of the various LTS arches using casulana, the normal

Hi,
During the month of January, I spent 42.5 hours working on LTS on the following
tasks:
- thunderbird 60.4.0 ESR security update
- tzdata and libdatetime-timezone-perl new releases
- investigated symfony test failures
- policykit-1 security update
- investigated lua vulnerability, which didn'

On 06/02/2019 23:47, Antoine Beaupré wrote:
> On 2019-02-06 23:42:12, Chris Lamb wrote:
>> Hi Antoine,
>>
>>> all golang Debian packages are (as elsewhere) statically compiled
>>> and linked so we'd need to rebuild all the rdeps
>>
>> Hm. Can we avoid /all/ the rdeps? I mean, grep the rdeps for one