Debian LTS and ELTS - June 2024

2024-07-01 Thread Sylvain Beucler
Here is my public monthly report. Thanks to our sponsors for making this possible, and to Freexian for handling the offering. https://www.freexian.com/lts/debian/#sponsors LTS - Front-Desk (week 25) - Mark 1 package for update - Triage or precise triage for 10+ CVEs - Check tryton-client

Re: Packages to add back to dla-needed (?)

2024-07-01 Thread Daniel Leidert
Hi Ola, On Monday, 01.07.2024 at 12:49 +0200, Ola Lundqvist wrote: > Hi Santiago, Thorsten, all > > Santiago has now removed all packages from dla-needed which is good > considering buster is now EOL. > > As a help to Thorsten I have gone through the entries we had and > checked whether bul

Re: Packages to add back to dla-needed (?)

2024-07-01 Thread Ola Lundqvist
Hi Emilio Good point. Cheers // Ola On Mon, 1 Jul 2024 at 13:35, Emilio Pozuelo Monfort wrote: > > On 01/07/2024 12:49, Ola Lundqvist wrote: > > Hi Santiago, Thorsten, all > > > > Santiago has now removed all packages from dla-needed which is good > > considering buster is now EOL. > > > > As

Re: Packages to add back to dla-needed (?)

2024-07-01 Thread Emilio Pozuelo Monfort
On 01/07/2024 12:49, Ola Lundqvist wrote: Hi Santiago, Thorsten, all Santiago has now removed all packages from dla-needed which is good considering buster is now EOL. As a help to Thorsten I have gone through the entries we had and checked whether bullseye is considered vulnerable. My conclusi

Packages to add back to dla-needed (?)

2024-07-01 Thread Ola Lundqvist
Hi Santiago, Thorsten, all Santiago has now removed all packages from dla-needed which is good considering buster is now EOL. As a help to Thorsten I have gone through the entries we had and checked whether bullseye is considered vulnerable. My conclusion is that we should add back: - bind9 - dn

Re: SSH vulnerability

2024-07-01 Thread Ola Lundqvist
Hi I have checked the source code and I can confirm that the code pointed to https://security-tracker.debian.org/tracker/CVE-2024-6387 as "introduced with" (https://github.com/openssh/openssh-portable/commit/752250caabda3dd24635503c4cd689b32a650794) is not in the source, and therefore must have be

SSH vulnerability

2024-07-01 Thread Marc SCHAEFER
Hello, Regarding https://security-tracker.debian.org/tracker/CVE-2024-6387 I guess *buster* is not affected either, because it did not integrate the patchset from 2020? I ask this even if buster LTS support stopped ... yesterday. I still have one server (upgrading today) which has a fully access

Re: varnish question

2024-07-01 Thread Abhijith PA
On 01/07/24 08:18 AM, Ola Lundqvist wrote: > Hi Abhijith > > Thank you. I have marked CVE-2024-30156 as ignored now for buster. Thank you. --a