Re: Bug#1102554: xmlrpc-c: bundles a (very old and) vulnerable copy of libexpat

2025-07-05 Thread Adrian Bunk
fixing one distribution should get us fixes for all distributions from stretch to bookworm. > Cheers! > Sylvain Beucler > Debian LTS Team cu Adrian [1] http://blog.alteholz.eu/2025/05/my-debian-activities-in-april-2025/ [2] http://blog.alteholz.eu/2025/06/my-debian-activities-in-may-2025

Security tracker suggestions

2025-06-25 Thread Adrian Bunk
Hi, below are some items I have for security tracker development. No commitment from me to work on any of these, but if this is considered useful I can turn them into salsa issues. 1. gen-DSA interprets the package name as regex The 'k+' in 'gtk+3.0' is interpreted as "one or more 'k'". 2.

Re: Tooling for rebuilding outdated Built-Using

2025-06-19 Thread Adrian Bunk
init. The more general point is that it would be wrong to assume that Built-Using would be the same on all architectures, in the supermin case static linking happens with either musl or glibc depending on the architecture. > On 18/06/2025 19:31, Adrian Bunk wrote: > > Note that in LTS

Re: Tooling for rebuilding outdated Built-Using

2025-06-18 Thread Adrian Bunk
On Wed, Jun 18, 2025 at 04:13:12PM +0200, Sylvain Beucler wrote: >... > On 27/05/2025 14:06, Sean Whitton wrote: > > Hello release team, > > > > How do you detect packages that need rebuilding in stable releases > > because they have outdated Built-Using? Sylvain Beucler of the LTS team > > noted

Re: How much no-dsa is too much no-dsa?

2025-05-28 Thread Adrian Bunk
On Tue, May 27, 2025 at 04:08:00PM -0400, Roberto C. Sánchez wrote: >... > I am > also interested to know whether people think that our more clearly > defined "(un)stable-first" approach to package updates might make this > less of a pressing issue going forward (because we would be landing > fixes

Re: Debian (E)LTS report for April 2025

2025-05-13 Thread Adrian Bunk
On Tue, May 13, 2025 at 01:02:30PM +0200, Lee Garrett wrote: >... > I also prepared an update for Thunderbird fixing the following issues: > - CVE-2025-2817 > - CVE-2025-4082 > - CVE-2025-4083 > - CVE-2025-4087 > - CVE-2025-4091 > - CVE-2025-4093 > - CVE-2025-3523 > - CVE-2025-3522 > - CVE-2025-283

Re: Test uploads for bookworm-security on debusine.debian.net

2025-05-08 Thread Adrian Bunk
On Thu, May 08, 2025 at 02:09:18PM -0300, Santiago Ruano Rincón wrote: > On 08/05/25 at 18:45, Adrian Bunk wrote: > > On Wed, May 07, 2025 at 01:26:32PM -0300, Santiago Ruano Rincón wrote: > > Hi Adrian Hi Santiago, > > > Currently, debusine.d.n helps to verify

Re: Test uploads for bookworm-security on debusine.debian.net

2025-05-08 Thread Adrian Bunk
On Wed, May 07, 2025 at 01:26:32PM -0300, Santiago Ruano Rincón wrote: > Hello all, Hi Santiago, >... > Currently, debusine.d.n helps to verify how a package builds on > different architectures, to run autopkgtest (contrary to Salsa CI, > debusine also includes autopkgtest for reverse dependencie

Re: angular.js: EOL?

2025-05-07 Thread Adrian Bunk
On Tue, May 06, 2025 at 08:58:36PM +0200, László Böszörményi (GCS) wrote: >... > Please note OpenStack in Debian is even more vulnerable to AngularJS > issues: python-xstatic-angular and python-xstatic-angular-* in general > even using an older, v1.8.2 version of it. >... Unless I misunderstand th

Re: CVE-2025-27773 / #1100595 / Re: simplesamlphp 2.x for trixie? (Re: Bug#1088816: Current version not supported)

2025-04-28 Thread Adrian Bunk
On Mon, Apr 28, 2025 at 09:07:51AM +0200, Joost van Baal-Ilić wrote: > Hi, > > As you're probably aware, issue > https://security-tracker.debian.org/tracker/CVE-2025-27773 has been open since > March 11, 2025. Is anybody working on fixing this? I could probably help out > with testing prerelease

Re: Review libsoup2.4 for bullseye

2025-04-26 Thread Adrian Bunk
On Sat, Apr 26, 2025 at 06:35:19PM +0200, Andreas Henriksson wrote: > Hello again, Hi Andreas, >... > The most interesting finding is what I already spotted last time, that > the debian security-tracker links fixing commits that are sometimes not merged > and in for example CVE-2025-32049 it's ju

Re: Review libsoup2.4 for bullseye

2025-04-26 Thread Adrian Bunk
On Sat, Apr 26, 2025 at 02:47:12PM +0200, Andreas Henriksson wrote: > Hello Adrian, Hi Andreas, > Thanks for your feedback! Thoughts below. > > On Tue, Apr 22, 2025 at 08:20:35PM +0300, Adrian Bunk wrote: > > On Tue, Apr 22, 2025 at 01:31:07PM +0200, Andreas Henriksson

Re: What pain points exist in the current security-tracker structure?

2025-04-26 Thread Adrian Bunk
On Wed, Apr 23, 2025 at 09:38:47PM +0200, Sylvain Beucler wrote: >... > On 06/04/2025 09:25, Roberto C. Sánchez wrote: > > As you go about tasks which require interacting with the security > > tracker, what pain points exist for you? > > One pain point that happened again today is the confusing te

Re: Review libsoup2.4 for bullseye

2025-04-22 Thread Adrian Bunk
On Tue, Apr 22, 2025 at 01:31:07PM +0200, Andreas Henriksson wrote: > Hello, Hi Andreas, >... > I've also pulled additional > commits adding testcases (but some are still disabled, because they need > porting to the older libsoup 2.74 APIs), and I'm now at a published > building package. >... > I

Re: Bug#1102554: xmlrpc-c: bundles a (very old and) vulnerable copy of libexpat

2025-04-12 Thread Adrian Bunk
On Thu, Apr 10, 2025 at 12:57:14PM +0200, Salvatore Bonaccorso wrote: >... > Triggered by the oss-security post from the expat upstream maintainer: > https://www.openwall.com/lists/oss-security/2025/04/09/4 > > It might be worth using a similar patch to make xmlrpc-c switch to use > the system expa

Re: security-tracker git-blame for CVEs

2025-04-09 Thread Adrian Bunk
On Tue, Apr 08, 2025 at 07:24:07PM +0200, Sylvain Beucler wrote: > Hi, Hi Sylvain, > On 07/04/2025 13:06, Adrian Bunk wrote: > > On Sun, Apr 06, 2025 at 07:33:22PM +0200, Bastien Roucaries wrote: > > > Le dimanche 6 avril 2025, 09:25:58 heure d’été d’Europe cent

Re: What pain points exist in the current security-tracker structure?

2025-04-07 Thread Adrian Bunk
On Sun, Apr 06, 2025 at 07:33:22PM +0200, Bastien Roucaries wrote: > On Sunday 6 April 2025, 09:25:58 Central European Summer Time, Roberto C. > Sánchez wrote: >... > > As one example, some time ago I encountered the issue of the size of > > data/CVE/list, specifically in the context of a git

Re: Bug#1082927: flatpak [LTS]: CVE-2024-42472: sandbox escape for apps with --persist=DIR permission

2025-03-31 Thread Adrian Bunk
On Mon, Mar 31, 2025 at 04:40:37PM +0100, Simon McVittie wrote: >... > LTS team members are welcome to push those changes and their tags to the > debian/bullseye branches in and > if that would be helpful. >...

Re: bson CVEs in (E)LTS

2025-03-31 Thread Adrian Bunk
On Mon, Mar 31, 2025 at 04:42:59PM +0200, Sylvain Beucler wrote: >... > Do we want to update data/embedded-code-copies to reference libbson-xs-perl? > > e.g. > diff --git a/data/embedded-code-copies b/data/embedded-code-copies > index 19611b261b..77696af1af 100644 > --- a/data/embedded-code-copies

bson CVEs in (E)LTS

2025-03-31 Thread Adrian Bunk
Hi, mongo-c-driver was added to *la-needed.txt yesterday, and someone already claimed it to fix the 4 bson CVEs (and a non-bson CVE) in bullseye and buster. Copies of the bson code are also in the (E)LTS supported packages libbson/stretch and libbson-xs-perl/bullseye. Front Desk / Security Te

Re: vim CVE-2021-4187

2025-03-24 Thread Adrian Bunk
On Wed, Mar 19, 2025 at 01:06:42PM +0800, Sean Whitton wrote: > Hello, Hi Sean, > I have attempted to backport upstream's fix for this CVE in vim in > d/patches/CVE-2021-4137.patch 4173 > on the debian/bullseye branch under > lts-team on salsa. > > My backporting is not correct, and causes a s

Re: LTS version > stable or wait?

2025-01-20 Thread Adrian Bunk
On Sun, Jan 19, 2025 at 03:58:11PM -0500, Roberto C. Sánchez wrote: > On Sun, Jan 19, 2025 at 03:28:49PM +0100, Emilio Pozuelo Monfort wrote: > > On 19/01/2025 11:55, Adrian Bunk wrote: > > > Hi, > > > > > > libtar | 1.2.20-8 | oldstable

Re: LTS version > stable or wait?

2025-01-20 Thread Adrian Bunk
On Mon, Jan 20, 2025 at 10:05:31AM +, Holger Levsen wrote: > On Sun, Jan 19, 2025 at 12:55:48PM +0200, Adrian Bunk wrote: > > libtar | 1.2.20-8 | oldstable| source > > libtar | 1.2.20-8 | stable | source > > I have two options regarding releasin

LTS version > stable or wait?

2025-01-19 Thread Adrian Bunk
Hi, libtar | 1.2.20-8 | oldstable| source libtar | 1.2.20-8 | stable | source I have two options regarding releasing this for LTS: 1. Have a version LTS > stable until the next point release, or 2. Prepare the update and release after the point release in March/April

PHP ReDoS question

2024-12-20 Thread Adrian Bunk
Hi, could someone with more knowledge about PHP look at the following: https://security-tracker.debian.org/tracker/CVE-2024-22640 https://github.com/zunak/CVE-2024-22640 https://security-tracker.debian.org/tracker/CVE-2024-22641 https://github.com/zunak/CVE-2024-22641 Changing the PoCs to requ

Re: following or getting ahead of Stable

2024-12-11 Thread Adrian Bunk
On Wed, Dec 11, 2024 at 02:35:00PM -0500, Roberto C. Sánchez wrote: >... > The > first includes things like "I am fixing 4 of the 7 open CVEs, and after > releasing the DLA I will immediately restore that package to Xla-needed" >... On Wed, Dec 11, 2024 at 04:33:17PM -0500, Roberto C. Sánchez wrot

Re: Revisiting some old DLAs

2024-12-11 Thread Adrian Bunk
On Wed, Dec 11, 2024 at 07:19:50PM -0500, Roberto C. Sánchez wrote: >... > We can look at our various tasks as follows: > > - creation of a DLA (requires preparing the update, uploading the > package, and making the announcement) >... > - additional work in support of stable (-sec or -pu) >...

Re: following or getting ahead of Stable

2024-12-11 Thread Adrian Bunk
On Wed, Dec 11, 2024 at 04:33:17PM -0500, Roberto C. Sánchez wrote: >... > So, what can we do? > > I have spoken to the debusine team and this is actually something that > debusine will enable us to manage better. We will eventually be able to > use debusine to have our own simulated proposed-upda

Re: Revisiting some old DLAs

2024-12-11 Thread Adrian Bunk
On Wed, Dec 11, 2024 at 02:35:00PM -0500, Roberto C. Sánchez wrote: > On Tue, Dec 10, 2024 at 01:45:49AM +0200, Adrian Bunk wrote: > > On Mon, Dec 09, 2024 at 07:22:30PM -0300, Santiago Ruano Rincón wrote: > > > > > > To be discussed. The issue with dla-neede

Re: following or getting ahead of Stable

2024-12-11 Thread Adrian Bunk
On Wed, Dec 11, 2024 at 05:10:54PM +0100, Sylvain Beucler wrote: > Hi, > > On 11/12/2024 16:17, Adrian Bunk wrote: > > On Wed, Dec 11, 2024 at 11:05:10AM +0100, Sylvain Beucler wrote: > > > On 09/12/2024 18:55, Sylvain Beucler wrote: > > > > On 07/12/

Re: following or getting ahead of Stable

2024-12-11 Thread Adrian Bunk
On Wed, Dec 11, 2024 at 11:05:10AM +0100, Sylvain Beucler wrote: > Hi, > > On 09/12/2024 18:55, Sylvain Beucler wrote: > > On 07/12/2024 04:10, Roberto C. Sánchez wrote: > > > The Security Team has supplied a list of packages/CVEs which were fixed > > > by DLA (some in bullseye and some in buster)

Re: Revisiting some old DLAs

2024-12-09 Thread Adrian Bunk
On Mon, Dec 09, 2024 at 07:22:30PM -0300, Santiago Ruano Rincón wrote: >... > On 08/12/24 at 07:30, Adrian Bunk wrote: > > On Fri, Dec 06, 2024 at 10:10:19PM -0500, Roberto C. Sánchez wrote: >... > > > I have done my best to carefully document for each package th

(E)LTS report for November 2024

2024-12-08 Thread Adrian Bunk
LTS: apr: - Determined that CVE-2023-49582 (sole unfixed CVE) does not affect the binary package in bullseye. ghostscript: - Determined that CVE-2024-46952 does not affect <= bullseye. - Released DLA-3965-1, fixing CVE-2024-46951, CVE-2024-46953, CVE-2024-46955 and CVE-2024-46956. glib2.0: -

Re: Revisiting some old DLAs

2024-12-07 Thread Adrian Bunk
On Fri, Dec 06, 2024 at 10:10:19PM -0500, Roberto C. Sánchez wrote: > Hello everyone, Hi Roberto, > The Security Team has supplied a list of packages/CVEs which were fixed > by DLA (some in bullseye and some in buster) but which remain unfixed in > bookworm (and which are tagged no-dsa, indicatin

(E)LTS report for October 2024

2024-11-11 Thread Adrian Bunk
LTS: e2fsprogs: - Enabled the upstream tests during the build. - Released DLA-3910-1, fixing CVE-2022-1304. fcgiwrap: - Discussed and documented that the CVE-2024-32004/git regression does not affect <= bullseye. ikiwiki-hosting: - Discussed and documented that the CVE-2024-32004/git regress

(E)LTS report for September 2024

2024-10-03 Thread Adrian Bunk
LTS: booth: - Released DLA-3894-1, fixing CVE-2024-3049. - Provided the package for DSA-5777-1, fixing CVE-2024-3049 in bookworm. nghttp2: - Released DLA-3898-1, fixing CVE-2024-28182. - Submitted a package fixing CVE-2024-28182 in the next bookworm point release. php-twig: - Released DLA-38

Re: bullseye-security arm64 buildds seem to be broken

2024-09-12 Thread Adrian Bunk
On Thu, Sep 12, 2024 at 12:46:08AM +0200, Ben Hutchings wrote: > Building linux-6.1 in the bullseye-security suite for arm64 has been > attempted and failed on 4 different buildds today, with the messages: > > E: /srv/chroot/bullseye_arm64.tar.gz: Failed to stat file: No such file or > directory

(E)LTS report for August 2024

2024-09-10 Thread Adrian Bunk
LTS: amanda: - Released DLA-3880-1, fixing CVE-2022-37703, CVE-2022-37704, CVE-2022-37705 and CVE-2023-30577. aom: - Released DLA-3881-1, fixing CVE-2024-5171. bluez: - Released DLA-3879-1, fixing CVE-2021-3658, CVE-2021-41229, CVE-2021-43400, CVE-2022-0204, CVE-2022-39176, CVE-2022-39177,

Re: bullseye-security upload queue open (was: [SECURITY] [DLA 3856-1] python-html-sanitizer security update)

2024-09-03 Thread Adrian Bunk
Hi Aurelien, On Tue, Sep 03, 2024 at 07:17:08PM +0200, Aurelien Jarno wrote: > On 2024-08-31 11:29, Santiago Ruano Rincón wrote: > > On 31/08/24 at 16:43, Adrian Bunk wrote: > > > On Sat, Aug 31, 2024 at 10:12:19AM -0300, Santiago Ruano Rincón wrote: > > > >...

Re: bullseye-security upload queue open (was: [SECURITY] [DLA 3856-1] python-html-sanitizer security update)

2024-08-31 Thread Adrian Bunk
On Sat, Aug 31, 2024 at 10:12:19AM -0300, Santiago Ruano Rincón wrote: >... > It seems the bullseye-security upload queue is finally open (now that > the point release has been published). >... Are you talking only about the ftp side, or also about the buildd side? https://buildd.debian.org/ stil

Re: [SECURITY] [DLA 3856-1] python-html-sanitizer security update

2024-08-26 Thread Adrian Bunk
Hi, where has the binary package been built, and where is it available for our users to download? Except for this announcement, I have not seen traces of it anywhere. cu Adrian On Mon, Aug 26, 2024 at 04:55:35PM +0100, Chris Lamb wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > >

wb: bullseye-security still configured for all architectures?

2024-08-26 Thread Adrian Bunk
Hi, looking at [1], bullseye-security still lists all architectures for bullseye-security. Intended[2] is the same architecture list as was for buster-security (all amd64 arm64 armhf i386). cu Adrian [1] https://buildd.debian.org/ [2] https://wiki.debian.org/LTS

ELTS report for July 2024

2024-08-10 Thread Adrian Bunk
aom: - Released ELA-1143-1, fixing CVE-2024-5171 in buster. binutils: - Released ELA-1130-1, fixing CVE-2018-12934 and CVE-2018-1000876 in jessie, stretch and buster. krb5: - Determined that CVE-2024-26462 does not affect <= bullseye. - Released ELA-1141-1, fixing CVE-2024-26458, CVE-2024-26461

(E)LTS report for June 2024

2024-07-10 Thread Adrian Bunk
LTS: cyrus-imapd: - Marked CVE-2024-34055 (sole unfixed CVE) as ignored due to being too intrusive to backport, following upstream and bullseye. dcmtk: - Determined that CVE-2024-27628 does not affect <= bullseye - Released DLA-3847-1, fixing CVE-2021-41687, CVE-2021-41688 CVE-2021-41689, CVE

Re: Opencryptoki fixes for CVE-2024-0914

2024-06-22 Thread Adrian Bunk
On Sat, Jun 22, 2024 at 11:04:49AM +, Bastien Roucariès wrote: > Hi, Hi Bastien, > After a few hours I get the impression that fixing CVE-2024-0914 even for > bookworm will be extremely hard (lack of constant time operation, massive code > change...) > > I suppose the best way is to a full

(E)LTS report for May 2024

2024-06-10 Thread Adrian Bunk
LTS: glibc: - Released DLA-3807-1, fixing CVE-2024-2961. - Fixed and enabled the build tests and autopkgtest. gst-plugins-base1.0: - Released DLA-3824-1, fixing CVE-2024-4453. libkf5ksieve: - Released DLA-3809-1, fixing CVE-2023-52723. ELTS: glibc: - Released ELA-1087-11, fixing CVE-2024-2961

(E)LTS report for April 2024

2024-05-10 Thread Adrian Bunk
LTS: glibc: - First part of work released as DLA-3807-1 in May. gtkwave: - DLA-3785-1 and DSA-5653-1 were released in April, but the actual work was done and submitted for review in March. pillow: - Determined that CVE-2021-25291 does not affect buster. - Released DLA-3786-1, fixing CVE-2024-2

Re: bind9 LTS

2024-04-13 Thread Adrian Bunk
On Sun, Mar 31, 2024 at 10:12:34PM +0800, Sean Whitton wrote: >... > - looks like backporting the old branches is what's done in bullseye and > bookworm; do you know of some reason we're not doing this for buster too? bind9 in buster provides shared libraries, with soversion changes in every rel

Re: How to handle freeimage package

2024-04-11 Thread Adrian Bunk
On Thu, Apr 11, 2024 at 09:34:00PM +0200, Ola Lundqvist wrote: >... > On Thu, 11 Apr 2024 at 15:34, Santiago Ruano Rincón > wrote: > ... > > Taking one of the recent changes to data/CVE/list: > > > > @@ -6999,6 +7000,7 @@ CVE-2024-28579 (Buffer Overflow vulnerability in open > > source FreeImage

Re: How to handle freeimage package

2024-04-11 Thread Adrian Bunk
On Thu, Apr 11, 2024 at 10:34:13AM -0300, Santiago Ruano Rincón wrote: >... > On 11/04/24 at 08:25, Ola Lundqvist wrote: >... > > The ones I have now postponed are of the "local DoS" class. I'm here > > interpreting that "local DoS" is the same as DoS after human > > interaction. It is not en

Re: How to handle freeimage package

2024-04-10 Thread Adrian Bunk
On Wed, Apr 10, 2024 at 10:08:51PM +0200, Ola Lundqvist wrote: > Hi all Hi Ola, > Sorry for late reply. It took me too long today to answer the CVE > triaging discussion. Now to this issue. > > Regarding the fedora patches. The patches seem to help for those > specific issues they solve. > > My

Re: How to handle freeimage package

2024-04-10 Thread Adrian Bunk
On Wed, Apr 10, 2024 at 12:17:33PM -0400, Roberto C. Sánchez wrote: > On Mon, Apr 08, 2024 at 07:56:40PM +0300, Adrian Bunk wrote: > > On Mon, Apr 08, 2024 at 05:34:47PM +0200, Moritz Muehlenhoff wrote: > > > > > > So a useful next step would be to break those reports d

(E)LTS report for March 2024

2024-04-09 Thread Adrian Bunk
LTS: cpio: - Added note that upstream considers CVE-2023-7216 (sole unfixed CVE) normal behavior. fontforge: - Released DLA-3754-1, fixing CVE-2020-5395, CVE-2020-5496, CVE-2024-25081 and CVE-2024-25082. - Fixed CVE-2024-25081 and CVE-2024-25082 in sid. - Fixed CVE-2024-25081 and CVE-2024-250

Re: How to handle freeimage package

2024-04-08 Thread Adrian Bunk
On Mon, Apr 08, 2024 at 05:34:47PM +0200, Moritz Muehlenhoff wrote: > On Mon, Apr 08, 2024 at 01:59:55PM +0200, Sylvain Beucler wrote: > > Hi, > > > > I think this requires a bit of coordination: > > - the package is basically dead upstream, there hasn't been a fix in the > > official repos, neith

Re: How to handle freeimage package

2024-04-08 Thread Adrian Bunk
On Mon, Apr 08, 2024 at 12:06:25AM +0200, Ola Lundqvist wrote: > Hi again > > Today I looked at the freeimage package that we have in dla-needed. > My conclusion is that we have 19 CVEs postponed with motivation "revisit > when fixed upstream" and 23 CVEs that are in bullseye declared as no-dsa >

Re: gtkwave update for {bookworm,bullseye,buster}-security

2024-04-04 Thread Adrian Bunk
On Thu, Apr 04, 2024 at 11:21:21AM +0200, Emilio Pozuelo Monfort wrote: > On 29/03/2024 00:06, Adrian Bunk wrote: >... > > As already mentioned in #1060407, the ghwdump tool (and manpage) was > > dropped in 3.3.110 from the upstream sources, and is now in ghdl-tools. > > Fo

Re: gtkwave update for {bookworm,bullseye,buster}-security

2024-04-02 Thread Adrian Bunk
On Sun, Mar 31, 2024 at 01:52:40PM +0200, Moritz Mühlenhoff wrote: > Hi Adrian, Hi Moritz, >... > > debdiffs contain only changes to debian/ > > The bookworm/bullseye debdiffs looks good, please upload to security-master, > thanks! both are now uploaded. > Note that both need -sa, but dak nee

Re: Guidance for CVE triage and listing packages in dla-needed.txt

2024-03-25 Thread Adrian Bunk
On Mon, Mar 18, 2024 at 09:40:45PM +0100, Moritz Muehlenhoff wrote: > Emilio Pozuelo Monfort wrote: > > Small nitpick: a CVE 'ignored' for (old)stable can still be fixed via point > > release. The sec-team could be contacted to update that triaging, but that's > > only ignored for (old)stable-secur

Re: Expanding the scope (slightly) of dla-needed.txt

2024-03-25 Thread Adrian Bunk
On Thu, Mar 14, 2024 at 04:47:57PM -0400, Roberto C. Sánchez wrote: > Hello everyone, > > I have discussed with Santiago the idea of whether we need to somewhat > expand the scope of dla-needed.txt. > > In essence, we need to continue tracking packages as in-work in some > cases even after a DLA

(E)LTS report for February 2024

2024-03-03 Thread Adrian Bunk
LTS: gsoap: - Released DLA-3745-1, fixing CVE-2020-13574, CVE-2020-13575, CVE-2020-13576, CVE-2020-13577 and CVE-2020-13578. wireshark: - Determined that CVE-2023-2906/wireshark does not affect <= buster. - Determined that CVE-2023-5371 does not affect <= bullseye. - Determined that CVE-2023-61

(E)LTS report for December 2023

2024-01-15 Thread Adrian Bunk
LTS: curl: - Determined that CVE-2022-32207 does not affect <= buster. - Found and documented a regression in CVE-2023-27534. - CVE-2022-32207 does not affect <= buster - Released DLA 3692-1, fixing CVE-2023-28322 and CVE-2023-46218, also including 2 non-security fixes from contributors. ELTS:

Re: curl: CVE-2023-28322 and CVE-2023-27534

2023-12-18 Thread Adrian Bunk
On Sat, Dec 16, 2023 at 10:39:08PM -0300, Samuel Henrique wrote: >... > On Thu, 30 Nov 2023 at 06:36, Markus Koschany wrote: > > I have recently triaged CVE-2023-28322 and CVE-2023-27534 for curl as > > ignored > > for Buster because I believe those are minor issues. Since you expressed > > inter

(E)LTS report for November 2023

2023-12-10 Thread Adrian Bunk
LTS: trafficserver: - Released DLA-3645-1, fixing CVE-2023-41752 and CVE-2023-44487. galera-3: - Determined that CVE-2023-5157 in galera-4 does not affect galera-3. gimp: - Released DLA-3659-1, fixing CVE-2022-30067, CVE-2023-2 and CVE-2023-4. - Determined that CVE-2023-3 does not

(E)LTS report for October 2023

2023-11-04 Thread Adrian Bunk
LTS: poppler: - Confirmed that CVE-2020-18839 is a duplicate of CVE-2020-27778 - Released DLA-3620-1, fixing CVE-2020-23804 CVE-2022-37050 CVE-2022-37051 - PoCs for all 3 CVEs were confirmed to be present in the unfixed version and fixed in the fixed version krb: - Released DLA-3626-1, fixing

(E)LTS report for September 2023

2023-10-04 Thread Adrian Bunk
DLAs released: DLA-3593-1 gerbv CVE-2021-40393 CVE-2021-40394 CVE-2023-4508 DLA-3595-1 trafficserver CVE-2022-47185 CVE-2023-33934 ELAs released: ELA-942-2 qpdf (stretch) regression update ELA-972-1 exempi (stretch) CVE-2020-18651 CVE-2020-18652 ELA-974-1 ghostscript (jessie+stretch) CVE-202

binNMUs needed for new pandoc in *stable

2023-10-01 Thread Adrian Bunk
On Tue, Jul 25, 2023 at 11:39:38PM +0200, Guilhem Moulin wrote: >... > The Security Team decided not to issue a DSA for that CVE, but it's now fixed > in > buster-security (2.2.1-3+deb10u1) as well as sid (2.17.1.1-2), so it makes > sense > to fix it via (o)s-pu too. >... In all 3 distributions

Re: suricata

2023-09-28 Thread Adrian Bunk
On Mon, Sep 25, 2023 at 09:26:10PM +0200, Tobias Frost wrote: > Hi Adrian, Hi Tobi, >... > This sounds it's almost ready, so I think the best thing is if you > complete the work, so if this is ok with you, please take over and > complete the package! thanks, I've taken it back and will make a r

Re: suricata

2023-09-25 Thread Adrian Bunk
On Sun, Sep 24, 2023 at 11:34:55AM +0200, Tobias Frost wrote: > Hi Adrian, Hi Tobias, > I've just claimed "suricata" for LTS, and the log says that you've > already worked on the package. Unfortunately I could not find any > repository for your LTS changes, if there are some already, can you > ad

Re: (E)LTS report for August 2023

2023-09-10 Thread Adrian Bunk
On Sun, Sep 10, 2023 at 09:22:03PM +0300, Adrian Bunk wrote: > DLAs released: >... > DLA-3552-1 gst-plugins-ugly1.0 > 2 vulnerabilities without CVE numbers assigned > > > ELAs released: >... > ELA-941-1 gst-plugins-ugly1.0 (stretch) > 2 vulnerabilitie

(E)LTS report for August 2023

2023-09-10 Thread Adrian Bunk
DLAs released: DLA-3517-1 pdfcrack CVE-2020-22336 DLA-3519-1 ghostscript CVE-2023-38559 DLA-3528-1 poppler CVE-2020-36023 CVE-2020-36024 DLA-3552-1 gst-plugins-ugly1.0 2 vulnerabilities without CVE numbers assigned ELAs released: ELA-928-1 poppler (jessie+stretch) CVE-2020-36023 CVE-2020-36

(E)LTS report for July 2023

2023-08-03 Thread Adrian Bunk
DLAs released: DLA-3497-1 pypdf2 CVE-2023-36810 DLA-3513-1 tiff CVE-2023-2908 CVE-2023-3316 CVE-2023-3618 CVE-2023-25433 CVE-2023-26965 CVE-2023-26966 CVE-2023-38288 CVE-2023-38289 ELAs released: ELA-893-1 pypdf2 (stretch) CVE-2023-36810 ELA-909-1 tiff (jessie+stretch) CVE-2023-2908 CVE-2023

Re: WebKit 2.40 update for buster

2023-07-06 Thread Adrian Bunk
On Thu, Jul 06, 2023 at 01:19:51PM +, Alberto Garcia wrote: >... > Bear in mind that supporting older distros means refraining from using > newer versions of the libraries and build dependencies that Webkit > uses. This is already complicated, but there's a bigger problem than > that: it also m

(E)LTS report for June 2023

2023-07-03 Thread Adrian Bunk
DLAs released: DLA-3443-1 wireshark CVE-2023-2856 CVE-2023-2858 CVE-2023-2879 CVE-2023-2952 DLA 3445-1 cpio CVE-2019-14866 CVE-2021-38185 DLA-3470-1 owslib CVE-2023-27476 DLA-3472-1 libx11 CVE-2023-3138 DLA-3474-1 systemd CVE-2022-3821 DLA-3475-1 trafficserver CVE-2022-47184 CVE-2023-30631 CV

(E)LTS report for April 2023

2023-05-03 Thread Adrian Bunk
DLAs released: DLA-3402-1 wireshark CVE-2023-1161 CVE-2023-1992 CVE-2023-1993 CVE-2023-1994 DLA-3407-1 jackson-databind CVE-2020-10650 DLA-3408-1 jruby CVE-2017-17742 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 CVE-2020-25613 CVE-2021-31810 CVE-2021-32066 CVE-2023-28755 CVE-2023-28756 DLA-3409

LTS report for March 2023

2023-04-01 Thread Adrian Bunk
DLA released: DLA-3377-1 systemd CVE-2023-26604 cu Adrian

(E)LTS report for February 2023

2023-03-03 Thread Adrian Bunk
DLAs released: DLA-3332-1 apr-util CVE-2022-25147 DLA-3334-1 sofia-sip CVE-2022-47516 DLA-3339-1 binwalk CVE-2022-4510 DLA-3341-1 curl CVE-2023-23916 DLA-3343-1 mono CVE-2023-26314 A DLA for emacs was prepared, but is waiting for confirmation that a regression that was discovered in bullseye-

LTS report for January 2023

2023-02-03 Thread Adrian Bunk
DLAs released: DLA-3292-1 sofia-sip CVE-2023-22741 DLA-3304-1 fig2dev CVE-2020-21529 CVE-2020-21531 CVE-2020-21532 CVE-2020-21676 CVE-2021-32280 DLA-3305-1 libstb CVE-2018-16981 CVE-2019-13217 CVE-2019-13218 CVE-2019-13219 CVE-2019-13220 CVE-2019-13221 CVE-2019-13222 CVE-2019-13223 CVE-2021-2802

LTS report for December 2021

2021-12-31 Thread Adrian Bunk
Hours worked: 70.75 hours DLAs released: DLA-2849-1 wireshark CVE-2021-22207 CVE-2021-22235 CVE-2021-39921 CVE-2021-39922 CVE-2021-39923 CVE-2021-39924 CVE-2021-39925 CVE-2021-39928 CVE-2021-39929 DLA-2850-1 libpcap CVE-2019-15165 DLA-2851-1 libextractor CVE-2019-15531 DLA-2855-1 monit CVE-201

Re: postgis 2.3.1+dfsg-2+deb9u1 update broken

2021-12-29 Thread Adrian Bunk
On Wed, Dec 29, 2021 at 07:46:39PM +0200, Adrian Bunk wrote: > On Wed, Dec 29, 2021 at 05:04:29PM +0100, Peter De Wachter wrote: > > In postgis LTS update 2.3.1+dfsg-2+deb9u1, the package > > postgresql-9.6-postgis-2.3-scripts is empty (containing only > > /usr/share/doc fi

Re: postgis 2.3.1+dfsg-2+deb9u1 update broken

2021-12-29 Thread Adrian Bunk
On Wed, Dec 29, 2021 at 05:04:29PM +0100, Peter De Wachter wrote: > In postgis LTS update 2.3.1+dfsg-2+deb9u1, the package > postgresql-9.6-postgis-2.3-scripts is empty (containing only > /usr/share/doc files). The scripts are missing. Without the scripts, I > believe it's not possible to create ne

LTS report for November 2021

2021-12-01 Thread Adrian Bunk
Hours worked: 62 hours DLAs released: DLA-2828-1 libvorbis CVE-2017-14160 CVE-2018-10392 CVE-2018-10393 DLA-2829-1 libvpx CVE-2020-0034 DLA-2830-1 tar CVE-2018-20482 DLA-2831-1 libntlm CVE-2019-17455 DLA-2832-1 opensc CVE-2019-15945 CVE-2019-15946 CVE-2019-19479 CVE-2020-26570 CVE-2020-26571

CVE-2021-38595 incorrectly marked as not affecting Qt 5?

2021-11-28 Thread Adrian Bunk
On Tue, Aug 31, 2021 at 09:15:15AM +, Raphaël Hertzog (@hertzog) wrote: >... > Commits: > 63957298 by Neil Williams at 2021-08-31T10:11:30+01:00 > CVE-2021-38593/qt vulnerable code introduced later >... > Changes: > > = > data/CVE/list >

Re: Bug#994405: libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines

2021-11-13 Thread Adrian Bunk
On Fri, Sep 17, 2021 at 07:02:48AM +0200, Anton Gladky wrote: > Thanks, Vincent, for the information. I would still wait for CVE, > so we can apply a patch and track vulnerability for other > Debian versions (stable/oldstable/o-o-stable etc.). Hi Anton, did you manage to get a CVE assigned for th

LTS report for October 2021

2021-11-03 Thread Adrian Bunk
Hours worked: 40.5 hours DLAs released: DLA 2795 gpsd CVE-2018-17937 DLA 2801 cron CVE-2017-9525 CVE-2019-9704 CVE-2019-9705 CVE-2019-9706 DLA 2802 elfutils CVE-2018-16062 CVE-2018-16402 CVE-2018-18310 CVE-2018-18520 CVE-2018-18521 CVE-2019-7150 CVE-2019-7665 DLA 2803 libsdl2 CVE-2017-2888 CVE

Re: Change in libcrypt1 prevents upgrades from Buster to Bookworm

2021-10-10 Thread Adrian Bunk
On Sat, Oct 09, 2021 at 07:41:03PM -0700, Otto Kekäläinen wrote: > Hello! Hello Otto! >... > This makes LTS kind of moot, as systems that want to stay on LTS and > "skip" at least one release can no longer do so. What is your take > here? If the issue is not fixed, then at least LTS should docume

Re: Accepted krb5 1.15-1+deb9u3 (source) into oldoldstable

2021-10-01 Thread Adrian Bunk
On Fri, Oct 01, 2021 at 11:58:17AM +0100, Dameon Wagner wrote: > > Hi, Hi Dameon, > Apologies if this isn't the correct list to flag this, but it appears > that the upload for this DLA was missing the two all-architecture > binary packages: krb5-doc and krb5-locales. > > Running `apt-cache poli

(E)LTS report for September 2021

2021-10-01 Thread Adrian Bunk
LTS Hours worked: 19.5 hours DLA 2770-1 weechat CVE-2020-8955 CVE-2020-9759 CVE-2020-9760 CVE-2021-40516 DLA 2771-1 krb5 CVE-2018-5729 CVE-2018-5730 CVE-2018-20217 CVE-2021-37750 DLA 2772-1 taglib CVE-2017-12678 CVE-2018-11439 ELTS hours worked: 3 hours ELA-489-1 weechat CVE-2021-40516

Re: stretch-security buildd builds are now broken (after 2021-10-01; le cert issue?)

2021-10-01 Thread Adrian Bunk
On Fri, Oct 01, 2021 at 01:21:38AM -0400, Boyuan Yang wrote: > (Please cc me when needed) > > Dear LTS folks, > > I'd like to raise the issue that buildd stretch-security builds are now > completely broken after 2021-10-01. For example, see > https://buildd.debian.org/status/architecture.php?a=al

Re: Lintian changes for LTS development?

2021-09-28 Thread Adrian Bunk
On Mon, Sep 27, 2021 at 04:58:02PM -, Chris Lamb wrote: > Hi, > > Whilst I think of it, are there any changes to Lintian that folks > here might consider particularly useful when doing LTS development? To which lintian? Running stretch lintian tends to give more useful information for packa

(E)LTS report for August 2021

2021-09-05 Thread Adrian Bunk
LTS Hours worked: 11 hours DLA-2734-1 curl CVE-2021-22898 CVE-2021-22924 Non-DLA LTS work: - debugged ledger issue that caused non-zero leftover time in past months - fixed bin/give-back-hours when run in August/September ELTS hours worked: 3 hours ELA-470-1 curl CVE-2021-22898

Re: packages in *-lts newer than in subsequent releases

2021-08-03 Thread Adrian Bunk
On Tue, Aug 03, 2021 at 09:37:57AM +0100, Chris Lamb wrote: > Sylvain Beucler wrote: > > > >> Will resolve these two. > > > > > > Um, I just uploaded libpam-tacplus. Maybe take care of pyxdg, > > > please? Thank you! > > > > How about you add these 6 packages to data/dla-needed.txt? > > Good idea

LTS report for January 2021

2021-01-31 Thread Adrian Bunk
Hours worked: 14 hours DLA-2513 p11-kit CVE-2020-29361 CVE-2020-29362 DLA-2514 flac CVE-2017-6888 CVE-2020-0499 DLA-2538 mariadb-10.1 CVE-2020-14765 CVE-2020-14812 wireshark - will be released on 6.2.2021 after 2.6.20-0+deb10u1 with the same changes is in the buster point release CVE-2019-1361

LTS report for December 2020

2021-01-10 Thread Adrian Bunk
Hours worked: 3 hours DLA-2502 postsrsd CVE-2020-35573

Re: Advice for DLA needed entry

2021-01-05 Thread Adrian Bunk
On Tue, Jan 05, 2021 at 02:08:40PM +0100, Ola Lundqvist wrote: >... > On Tue 5 Jan 2021 13:45 Adrian Bunk wrote: >... > >NOTE: 20201129: buster-pu in #975932, will backport when in buster (bunk) >... > > Before you've added your notes a month later this was the last note, > > and if you did n

Re: Advice for DLA needed entry

2021-01-02 Thread Adrian Bunk
On Sun, Jan 03, 2021 at 12:03:05AM +0100, Ola Lundqvist wrote: > Hi Adrian Hi Ola, >... > If we keep it in dla-needed we will constantly have people like me who > think that something should be done when it is not claimed. >... > Should we write your name on the claim (because you do in practice

Re: Advice for DLA needed entry

2020-12-31 Thread Adrian Bunk
On Wed, Dec 30, 2020 at 11:33:12PM +0100, Ola Lundqvist wrote: > Hi > > Today I worked some on wireshark and concluded that all CVEs were postponed > for buster. So I did some research to check if they were applicable to > stretch as well and added quite a few notes about this in the tracker. The

Re: pluxml issues are questionable, request for advice

2020-12-16 Thread Adrian Bunk
On Wed, Dec 16, 2020 at 07:36:19AM +0100, Ola Lundqvist wrote: > Hi LTS team > > I have checked two of the pluxml issues > CVE-2020-18184 > This vulnerability is questioned upstream. >... > The question is how this should be marked: > - no-dsa minor issue? > - ignored? >... "not a vulnerability"

(E)LTS report for November 2020

2020-12-09 Thread Adrian Bunk
LTS: Hours worked: 13 hours DLA 2452 libdatetime-timezone-perl Updated timezone data DLA 2462 cimg CVE-2020-25693 DLA 2472 mutt CVE-2020-28896 DLA 2473 vips CVE-2020-20739 ELTS: Hours worked: 2 hours libdatetime-timezone-perl Updated timezone data

Re: Bug#974899: libdatetime-timezone-perl: Inconsistent Olson versions within Timezone data

2020-11-16 Thread Adrian Bunk
Version: 1:2.09-1+2020d+1 On Mon, Nov 16, 2020 at 09:35:02AM +, Ben Smithurst wrote: >... > Loaded DateTime::TimeZone::Europe::London, which is from a different version > (2020d) of the Olson database than this installation of DateTime::TimeZone > (2019c). >... Apologies for the breakage, I

Re: Fwd: Bug#974899: libdatetime-timezone-perl: Inconsistent Olson versions within Timezone data

2020-11-16 Thread Adrian Bunk
On Mon, Nov 16, 2020 at 04:29:05PM +0100, Florian Schlichting wrote: > Hi Adrian, > > are you aware of this regression in stretch-security, can you fix this > soonish (it leaves several hundred lines in my log every hour) and/or > leave a comment in the bug? Yes, I've seen the bug and already loo
