Re: Bug#1102554: xmlrpc-c: bundles a (very old and) vulnerable copy of libexpat

fixing one distribution should get us fixes for all distributions from stretch to bookworm. > Cheers! > Sylvain Beucler > Debian LTS Team cu Adrian [1] http://blog.alteholz.eu/2025/05/my-debian-activities-in-april-2025/ [2] http://blog.alteholz.eu/2025/06/my-debian-activities-in-may-2025

Security tracker suggestions

Hi, below are some items I have for security tracker development. No commitment from me to work on any of these, but if this is considered useful I can turn them into salsa issues. 1. gen-DSA interprets the package name as regex The 'k+' in 'gtk+3.0' is interpreted as "one or more 'k'". 2.

Re: Tooling for rebuilding outdated Built-Using

init. The more general point is that it would be wrong to assume that Built-Using would be the same on all architectures, in the supermin case static linking happens with either musl or glibc depending on the architecture. > On 18/06/2025 19:31, Adrian Bunk wrote: > > Note that in LTS

Re: Tooling for rebuilding outdated Built-Using

On Wed, Jun 18, 2025 at 04:13:12PM +0200, Sylvain Beucler wrote: >... > On 27/05/2025 14:06, Sean Whitton wrote: > > Hello release team, > > > > How do you detect packages that need rebuilding in stable releases > > because they have outdated Built-Using? Sylvain Beucler of the LTS team > > noted

Re: How much no-dsa is too much no-dsa?

On Tue, May 27, 2025 at 04:08:00PM -0400, Roberto C. Sánchez wrote: >... > I am > also interested to know whether people think that our more clearly > defined "(un)stable-first" approach to package updates might make this > less of a pressing issue going forward (because we would be landing > fixes

Re: Debian (E)LTS report for April 2025

On Tue, May 13, 2025 at 01:02:30PM +0200, Lee Garrett wrote: >... > I also prepared an update for Thunderbird fixing the following issues: > - CVE-2025-2817 > - CVE-2025-4082 > - CVE-2025-4083 > - CVE-2025-4087 > - CVE-2025-4091 > - CVE-2025-4093 > - CVE-2025-3523 > - CVE-2025-3522 > - CVE-2025-283

Re: Test uploads for bookworm-security on debusine.debian.net

On Thu, May 08, 2025 at 02:09:18PM -0300, Santiago Ruano Rincón wrote: > El 08/05/25 a las 18:45, Adrian Bunk escribió: > > On Wed, May 07, 2025 at 01:26:32PM -0300, Santiago Ruano Rincón wrote: > > Hi Adrian Hi Santiago, > > > Currently, debusine.d.n helps to verify

Re: Test uploads for bookworm-security on debusine.debian.net

On Wed, May 07, 2025 at 01:26:32PM -0300, Santiago Ruano Rincón wrote: > Hello all, Hi Santiago, >... > Currently, debusine.d.n helps to verify how a packages builds on > different architectures, to run autopkgest (contrary to Salsa CI, > debusine also includes autopkgtest for reverse dependencie

Re: angular.js: EOL?

On Tue, May 06, 2025 at 08:58:36PM +0200, László Böszörményi (GCS) wrote: >... > Please note OpenStack in Debian is even more vulnerable to AngularJS > issues: python-xstatic-angular and python-xstatic-angular-* in general > even using an older, v1.8.2 version of it. >... Unless I misunderstand th

Re: CVE-2025-27773 / #1100595 / Re: simplesamlphp 2.x for trixie? (Re: Bug#1088816: Current version not supported)

On Mon, Apr 28, 2025 at 09:07:51AM +0200, Joost van Baal-Ilić wrote: > Hi, > > As you're probably aware, issue > https://security-tracker.debian.org/tracker/CVE-2025-27773 has been open since > March 11, 2025. Is anybody working on fixing this? I could probably help out > with testing prerelease

Re: Review libsoup2.4 for bullseye

On Sat, Apr 26, 2025 at 06:35:19PM +0200, Andreas Henriksson wrote: > Hello again, Hi Andreas, >... > The most interesting finding is what I already spotted last time, that > the debian security-tracker links fixing commits that are sometimes not merged > and in for example CVE-2025-32049 it's ju

Re: Review libsoup2.4 for bullseye

On Sat, Apr 26, 2025 at 02:47:12PM +0200, Andreas Henriksson wrote: > Hello Adrian, Hi Andreas, > Thanks for your feedback! Thoughts below. > > On Tue, Apr 22, 2025 at 08:20:35PM +0300, Adrian Bunk wrote: > > On Tue, Apr 22, 2025 at 01:31:07PM +0200, Andreas Henriksson

Re: What pain points exist in the current security-tracker structure?

On Wed, Apr 23, 2025 at 09:38:47PM +0200, Sylvain Beucler wrote: >... > On 06/04/2025 09:25, Roberto C. Sánchez wrote: > > As you go about tasks which require interacting with the security > > tracker, what pain points exist for you? > > One pain point that happened again today is the confusing te

Re: Review libsoup2.4 for bullseye

On Tue, Apr 22, 2025 at 01:31:07PM +0200, Andreas Henriksson wrote: > Hello, Hi Andreas, >... > I've also pulled additional > commits adding testcases (but some are still disabled, because they need > porting to the older libsoup 2.74 APIs), and I'm now at a published > building package. >... > I

Re: Bug#1102554: xmlrpc-c: bundles a (very old and) vulnerable copy of libexpat

On Thu, Apr 10, 2025 at 12:57:14PM +0200, Salvatore Bonaccorso wrote: >... > Triggered by the oss-security post from the expat upstream maintainer: > https://www.openwall.com/lists/oss-security/2025/04/09/4 > > It might be worth to use similar patch to make xmlrpc-c switch to use > the system expa

Re: security-tracker git-blame for CVEs

On Tue, Apr 08, 2025 at 07:24:07PM +0200, Sylvain Beucler wrote: > Hi, Hi Sylvain, > On 07/04/2025 13:06, Adrian Bunk wrote: > > On Sun, Apr 06, 2025 at 07:33:22PM +0200, Bastien Roucaries wrote: > > > Le dimanche 6 avril 2025, 09:25:58 heure d’été d’Europe cent

Re: What pain points exist in the current security-tracker structure?

On Sun, Apr 06, 2025 at 07:33:22PM +0200, Bastien Roucaries wrote: > Le dimanche 6 avril 2025, 09:25:58 heure d’été d’Europe centrale Roberto C. > Sánchez a écrit : >... > > As one example, some time ago I encountered the issue of the size of > > data/CVE/list, specifically in the context of a git

Re: Bug#1082927: flatpak [LTS]: CVE-2024-42472: sandbox escape for apps with --persist=DIR permission

On Mon, Mar 31, 2025 at 04:40:37PM +0100, Simon McVittie wrote: >... > LTS team members are welcome to push those changes and their tags to the > debian/bullseye branches in and > if that would be helpful. >...

Re: bson CVEs in (E)LTS

On Mon, Mar 31, 2025 at 04:42:59PM +0200, Sylvain Beucler wrote: >... > Do we want to update data/embedded-code-copies to reference libbson-xs-perl? > > e.g. > diff --git a/data/embedded-code-copies b/data/embedded-code-copies > index 19611b261b..77696af1af 100644 > --- a/data/embedded-code-copies

bson CVEs in (E)LTS

Hi, mongo-c-driver was added to *la-needed.txt yesterday, and someone already claimed it to fix the 4 bson CVEs (and a non-bson CVE) in bullseye and buster. Copies of the bson code are also in the (E)LTS supported packages libbson/stretch and libbson-xs-perl/bullseye. Front Desk / Security Te

Re: vim CVE-2021-4187

On Wed, Mar 19, 2025 at 01:06:42PM +0800, Sean Whitton wrote: > Hello, Hi Sean, > I have attempted to backport upstream's fix for this CVE in vim in > d/patches/CVE-2021-4137.patch 4173 > on the debian/bullseye branch under > lts-team on salsa. > > My backporting is not correct, and causes a s

Re: LTS version > stable or wait?

On Sun, Jan 19, 2025 at 03:58:11PM -0500, Roberto C. Sánchez wrote: > On Sun, Jan 19, 2025 at 03:28:49PM +0100, Emilio Pozuelo Monfort wrote: > > On 19/01/2025 11:55, Adrian Bunk wrote: > > > Hi, > > > > > > libtar | 1.2.20-8 | oldstable

Re: LTS version > stable or wait?

On Mon, Jan 20, 2025 at 10:05:31AM +, Holger Levsen wrote: > On Sun, Jan 19, 2025 at 12:55:48PM +0200, Adrian Bunk wrote: > > libtar | 1.2.20-8 | oldstable| source > > libtar | 1.2.20-8 | stable | source > > I have two options regarding releasin

LTS version > stable or wait?

Hi, libtar | 1.2.20-8 | oldstable| source libtar | 1.2.20-8 | stable | source I have two options regarding releasing this for LTS: 1. Have a version LTS > stable until the next point release, or 2. Prepare the update and release after the point release in March/April

PHP ReDoS question

Hi, could someone with more knowledge about PHP look at the following: https://security-tracker.debian.org/tracker/CVE-2024-22640 https://github.com/zunak/CVE-2024-22640 https://security-tracker.debian.org/tracker/CVE-2024-22641 https://github.com/zunak/CVE-2024-22641 Changing the PoCs to requ

Re: following or getting ahead of Stable

On Wed, Dec 11, 2024 at 02:35:00PM -0500, Roberto C. Sánchez wrote: >... > The > first includes things like "I am fixing 4 of the 7 open CVEs, and after > releasing the DLA I will immediately restore that package to Xla-needed" >... On Wed, Dec 11, 2024 at 04:33:17PM -0500, Roberto C. Sánchez wrot

Re: Revisiting some old DLAs

On Wed, Dec 11, 2024 at 07:19:50PM -0500, Roberto C. Sánchez wrote: >... > We can look at our various tasks as follows: > > - creation of a DLA (requires preparing the update, uploading the > package, and making the announcement) >... > - additional work in support of stable (-sec or -pu) >...

Re: following or getting ahead of Stable

On Wed, Dec 11, 2024 at 04:33:17PM -0500, Roberto C. Sánchez wrote: >... > So, what can we do? > > I have spoken to the debusine team and this is actually something that > debusine will enable us to manage better. We will eventually be able to > use debusine to have our own simulated proposed-upda

Re: Revisiting some old DLAs

On Wed, Dec 11, 2024 at 02:35:00PM -0500, Roberto C. Sánchez wrote: > On Tue, Dec 10, 2024 at 01:45:49AM +0200, Adrian Bunk wrote: > > On Mon, Dec 09, 2024 at 07:22:30PM -0300, Santiago Ruano Rincón wrote: > > > > > > To be discussed. The issue with dla-neede

Re: following or getting ahead of Stable

On Wed, Dec 11, 2024 at 05:10:54PM +0100, Sylvain Beucler wrote: > Hi, > > On 11/12/2024 16:17, Adrian Bunk wrote: > > On Wed, Dec 11, 2024 at 11:05:10AM +0100, Sylvain Beucler wrote: > > > On 09/12/2024 18:55, Sylvain Beucler wrote: > > > > On 07/12/

Re: following or getting ahead of Stable

On Wed, Dec 11, 2024 at 11:05:10AM +0100, Sylvain Beucler wrote: > Hi, > > On 09/12/2024 18:55, Sylvain Beucler wrote: > > On 07/12/2024 04:10, Roberto C. Sánchez wrote: > > > The Security Team has supplied a list of packages/CVEs which were fixed > > > by DLA (some in bullseye and some in buster)

Re: Revisiting some old DLAs

On Mon, Dec 09, 2024 at 07:22:30PM -0300, Santiago Ruano Rincón wrote: >... > El 08/12/24 a las 07:30, Adrian Bunk escribió: > > On Fri, Dec 06, 2024 at 10:10:19PM -0500, Roberto C. Sánchez wrote: >... > > > I have done my best to carefully document for each package th

(E)LTS report for November 2024

LTS: apr: - Determined that CVE-2023-49582 (sole unfixed CVE) does not affect the binary package in bullseye. ghostscript: - Determined that CVE-2024-46952 does not affect <= bullseye. - Released DLA-3965-1, fixing CVE-2024-46951, CVE-2024-46953, CVE-2024-46955 and CVE-2024-46956. glib2.0: -

Re: Revisiting some old DLAs

On Fri, Dec 06, 2024 at 10:10:19PM -0500, Roberto C. Sánchez wrote: > Hello everyone, Hi Roberto, > The Security Team has supplied a list of packages/CVEs which were fixed > by DLA (some in bullseye and some in buster) but which remain unfixed in > bookworm (and which are tagged no-dsa, indicatin

(E)LTS report for October 2024

LTS: e2fsprogs: - Enabled the upstream tests during the build. - Released DLA-3910-1, fixing CVE-2022-1304. fcgiwrap: - Discussed and documented that the CVE-2024-32004/git regression does not affect <= bullseye. ikiwiki-hosting: - Discussed and documented that the CVE-2024-32004/git regress

(E)LTS report for September 2024

LTS: booth: - Released DLA-3894-1, fixing CVE-2024-3049. - Provided the package for DSA-5777-1, fixing CVE-2024-3049 in bookworm. nghttp2: - Released DLA-3898-1, fixing CVE-2024-28182. - Submitted a package fixing CVE-2024-28182 in the next bookworm point release. php-twig: - Released DLA-38

Re: bullseye-security arm64 buildds seem to be broken

On Thu, Sep 12, 2024 at 12:46:08AM +0200, Ben Hutchings wrote: > Building linux-6.1 in the bullseye-security suite for arm64 has been > attempted and failed on 4 different buildds today, with the messages: > > E: /srv/chroot/bullseye_arm64.tar.gz: Failed to stat file: No such file or > directory

(E)LTS report for August 2024

LTS: amanda: - Released DLA-3880-1, fixing CVE-2022-37703, CVE-2022-37704, CVE-2022-37705 and CVE-2023-30577. aom: - Released DLA-3881-1, fixing CVE-2024-5171. bluez: - Released DLA-3879-1, fixing CVE-2021-3658, CVE-2021-41229, CVE-2021-43400, CVE-2022-0204, CVE-2022-39176, CVE-2022-39177,

Re: bullseye-security upload queue open (was: [SECURITY] [DLA 3856-1] python-html-sanitizer security update)

Hi Aurelien, On Tue, Sep 03, 2024 at 07:17:08PM +0200, Aurelien Jarno wrote: > On 2024-08-31 11:29, Santiago Ruano Rincón wrote: > > El 31/08/24 a las 16:43, Adrian Bunk escribió: > > > On Sat, Aug 31, 2024 at 10:12:19AM -0300, Santiago Ruano Rincón wrote: > > > >...

Re: bullseye-security upload queue open (was: [SECURITY] [DLA 3856-1] python-html-sanitizer security update)

On Sat, Aug 31, 2024 at 10:12:19AM -0300, Santiago Ruano Rincón wrote: >... > It seems the bullseye-security upload queue is finally open (now that > the point release has been published). >... Are you talking only about the ftp side, or also about the buildd side? https://buildd.debian.org/ stil

Re: [SECURITY] [DLA 3856-1] python-html-sanitizer security update

Hi, where has the binary package been built, and where is it available for our users to download? Except for this announcement, I have not seen traces of it anywhere. cu Adrian On Mon, Aug 26, 2024 at 04:55:35PM +0100, Chris Lamb wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > >

wb: bullseye-security still configured for all architectures?

Hi, looking at [1], bullseye-security still lists all architectures for bullseye-security. Intended[2] is the same architecture list as was for buster-security (all amd64 arm64 armhf i386). cu Adrian [1] https://buildd.debian.org/ [2] https://wiki.debian.org/LTS

ELTS report for July 2024

aom: - Released ELA-1143-1, fixing CVE-2024-5171 in buster. binutils: - Released ELA-1130-1, fixing CVE-2018-12934 and CVE-2018-1000876 in jessie, stretch and buster. krb5: - Determined that CVE-2024-26462 does not affect <= bullseye. - Released ELA-1141-1, fixing CVE-2024-26458, CVE-2024-26461

(E)LTS report for June 2024

LTS: cyrus-imapd: - Marked CVE-2024-34055 (sole unfixed CVE) as ignored due to being too intrusive to backport, following upstream and bullseye. dcmtk: - Determined that CVE-2024-27628 does not affect <= bullseye - Released DLA-3847-1, fixing CVE-2021-41687, CVE-2021-41688 CVE-2021-41689, CVE

Re: Opencryptoki fixes for CVE-2024-0914

On Sat, Jun 22, 2024 at 11:04:49AM +, Bastien Roucariès wrote: > Hi, Hi Bastien, > After a few hours I get the impression that fixing CVE-2024-0914 even for > bookworm will be extremly hard (lack of constant time operation, massive code > change...) > > I suppose the best way is to a full

(E)LTS report for May 2024

LTS: glibc: - Released DLA-3807-1, fixing CVE-2024-2961. - Fixed and enabled the build tests and autopkgtest. gst-plugins-base1.0: - Released DLA-3824-1, fixing CVE-2024-4453. libkf5ksieve: - Released DLA-3809-1, fixing CVE-2023-52723. ELTS: glibc: - Released ELA-1087-11, fixing CVE-2024-2961

(E)LTS report for April 2024

LTS: glibc: - First part of work released as DLA-3807-1 in May. gtkwave: - DLA-3785-1 and DSA-5653-1 were released in April, but the actual work was done and submitted for review in March. pillow: - Determined that CVE-2021-25291 does not affect buster. - Released DLA-3786-1, fixing CVE-2024-2

Re: bind9 LTS

On Sun, Mar 31, 2024 at 10:12:34PM +0800, Sean Whitton wrote: >... > - looks like backporting the old branches is what's done in bullseye and > bookworm; do you know of some reason we're not doing this for buster too? bind9 in buster provides shared libraries, with soversion changes in every rel

Re: How to handle freeimage package

On Thu, Apr 11, 2024 at 09:34:00PM +0200, Ola Lundqvist wrote: >... > On Thu, 11 Apr 2024 at 15:34, Santiago Ruano Rincón > wrote: > ... > > Taking one of the recent changes to data/CVE/list: > > > > @@ -6999,6 +7000,7 @@ CVE-2024-28579 (Buffer Overflow vulnerability in open > > source FreeImage

Re: How to handle freeimage package

On Thu, Apr 11, 2024 at 10:34:13AM -0300, Santiago Ruano Rincón wrote: >... > El 11/04/24 a las 08:25, Ola Lundqvist escribió: >... > > The ones I have now postponed are of the "local DoS" class. I'm here > > interpreting that "local DoS" is the same as DoS after human > > interaction. It is not en

Re: How to handle freeimage package

On Wed, Apr 10, 2024 at 10:08:51PM +0200, Ola Lundqvist wrote: > Hi all Hi Ola, > Sorry for late reply. It took me too long today to answer the CVE > triaging discussion. Now to this issue. > > Regarding the fedora patches. The patches seem to help for those > specific issues they solve. > > My

Re: How to handle freeimage package

On Wed, Apr 10, 2024 at 12:17:33PM -0400, Roberto C. Sánchez wrote: > On Mon, Apr 08, 2024 at 07:56:40PM +0300, Adrian Bunk wrote: > > On Mon, Apr 08, 2024 at 05:34:47PM +0200, Moritz Muehlenhoff wrote: > > > > > > So a useful next step would be to break those reports d

(E)LTS report for March 2024

LTS: cpio: - Added note that upstream considers CVE-2023-7216 (sole unfixed CVE) normal behavior. fontforge: - Released DLA-3754-1, fixing CVE-2020-5395, CVE-2020-5496, CVE-2024-25081 and CVE-2024-25082. - Fixed CVE-2024-25081 and CVE-2024-25082 in sid. - Fixed CVE-2024-25081 and CVE-2024-250

Re: How to handle freeimage package

On Mon, Apr 08, 2024 at 05:34:47PM +0200, Moritz Muehlenhoff wrote: > On Mon, Apr 08, 2024 at 01:59:55PM +0200, Sylvain Beucler wrote: > > Hi, > > > > I think this requires a bit of coordination: > > - the package is basically dead upstream, there hasn't been a fix in the > > official repos, neith

Re: How to handle freeimage package

On Mon, Apr 08, 2024 at 12:06:25AM +0200, Ola Lundqvist wrote: > Hi again > > Today I looked at the freeimage package that we have in dla-needed. > My conclusion is that we have 19 CVEs postponed with motivation "revisit > when fixed upstream" and 23 CVEs that are in bullseye declared as no-dsa >

Re: gtkwave update for {bookworm,bullseye,buster}-security

On Thu, Apr 04, 2024 at 11:21:21AM +0200, Emilio Pozuelo Monfort wrote: > On 29/03/2024 00:06, Adrian Bunk wrote: >... > > As already mentioned in #1060407, the ghwdump tool (and manpage) was > > dropped in 3.3.110 from the upstream sources, and is now in ghdl-tools. > > Fo

Re: gtkwave update for {bookworm,bullseye,buster}-security

On Sun, Mar 31, 2024 at 01:52:40PM +0200, Moritz Mühlenhoff wrote: > Hi Adrian, Hi Moritz, >... > > debdiffs contain only changes to debian/ > > The bookworm/bullseye debdiffs looks good, please upload to security-master, > thanks! both are now uploaded. > Note that both need -sa, but dak nee

Re: Guidance for CVE triage and listing packages in dla-needed.txt

On Mon, Mar 18, 2024 at 09:40:45PM +0100, Moritz Muehlenhoff wrote: > Emilio Pozuelo Monfort wrote: > > Small nitpick: a CVE 'ignored' for (old)stable can still be fixed via point > > release. The sec-team could be contacted to update that triaging, but that's > > only ignored for (old)stable-secur

Re: Expanding the scope (slightly) of dla-needed.txt

On Thu, Mar 14, 2024 at 04:47:57PM -0400, Roberto C. Sánchez wrote: > Hello everyone, > > I have discussed with Santiago the idea of whether we need to somewhat > expand the scope of dla-needed.txt. > > In essence, we need to continue tracking packages as in-work in some > cases even after a DLA

(E)LTS report for February 2024

LTS: gsoap: - Released DLA-3745-1, fixing CVE-2020-13574, CVE-2020-13575, CVE-2020-13576, CVE-2020-13577 and CVE-2020-13578. wireshark: - Determined that CVE-2023-2906/wireshark does not affect <= buster. - Determined that CVE-2023-5371 does not affect <= bullseye. - Determined that CVE-2023-61

(E)LTS report for December 2023

LTS: curl: - Determined that CVE-2022-32207 does not affect <= buster. - Found and documented a regression in CVE-2023-27534. - CVE-2022-32207 does not affect <= buster - Released DLA 3692-1, fixing CVE-2023-28322 and CVE-2023-46218, also including 2 non-security fixes from contributors. ELTS:

Re: curl: CVE-2023-28322 and CVE-2023-27534

On Sat, Dec 16, 2023 at 10:39:08PM -0300, Samuel Henrique wrote: >... > On Thu, 30 Nov 2023 at 06:36, Markus Koschany wrote: > > I have recently triaged CVE-2023-28322 and CVE-2023-27534 for curl as > > ignored > > for Buster because I believe those are minor issues. Since you expressed > > inter

(E)LTS report for November 2023

LTS: trafficserver: - Released DLA-3645-1, fixing CVE-2023-41752 and CVE-2023-44487. galera-3: - Determined that CVE-2023-5157 in galera-4 does not affect galera-3. gimp: - Released DLA-3659-1, fixing CVE-2022-30067, CVE-2023-2 and CVE-2023-4. - Determined that CVE-2023-3 does not

(E)LTS report for October 2023

LTS: poppler: - Confirmed that CVE-2020-18839 is a duplicate of CVE-2020-27778 - Released DLA-3620-1, fixing CVE-2020-23804 CVE-2022-37050 CVE-2022-37051 - PoCs for all 3 CVEs were confirmed to be present in the unfixed version and fixed in the fixed version krb: - Released DLA-3626-1, fixing

(E)LTS report for September 2023

DLAs released: DLA-3593-1 gerbv CVE-2021-40393 CVE-2021-40394 CVE-2023-4508 DLA-3595-1 trafficserver CVE-2022-47185 CVE-2023-33934 ELAs released: ELA-942-2 qpdf (stretch) regression update ELA-972-1 exempi (stretch) CVE-2020-18651 CVE-2020-18652 ELA-974-1 ghostscript (jessie+stretch) CVE-202

binNMUs needed for new pandoc in *stable

On Tue, Jul 25, 2023 at 11:39:38PM +0200, Guilhem Moulin wrote: >... > The Security Team decided not to issue a DSA for that CVE, but it's now fixed > in > buster-security (2.2.1-3+deb10u1) as well as sid (2.17.1.1-2), so it makes > sense > to fix it via (o)s-pu too. >... In all 3 distributions

Re: suricata

On Mon, Sep 25, 2023 at 09:26:10PM +0200, Tobias Frost wrote: > Hi Adrian, Hi Tobi, >... > This sounds it's almost ready, so I think the best thing is if you > complete the work, so if this is ok with you, please take oever and > complete the package! thanks, I've taken it back and will make a r

Re: suricata

On Sun, Sep 24, 2023 at 11:34:55AM +0200, Tobias Frost wrote: > Hi Adrian, Hi Tobias, > I've just claimed "suricata" for LTS, and the log says that you've > already worked on the package. Unfortunatly I could not find any > repository for your LTS changes, if there are some already, can you > ad

Re: (E)LTS report for August 2023

On Sun, Sep 10, 2023 at 09:22:03PM +0300, Adrian Bunk wrote: > DLAs released: >... > DLA-3552-1 gst-plugins-ugly1.0 > 2 vulnerabilities without CVE numbers assigned > > > ELAs released: >... > ELA-941-1 gst-plugins-ugly1.0 (stretch) > 2 vulnerabilitie

(E)LTS report for August 2023

DLAs released: DLA-3517-1 pdfcrack CVE-2020-22336 DLA-3519-1 ghostscript CVE-2023-38559 DLA-3528-1 poppler CVE-2020-36023 CVE-2020-36024 DLA-3552-1 gst-plugins-ugly1.0 2 vulnerabilities without CVE numbers assigned ELAs released: ELA-928-1 poppler (jessie+stretch) CVE-2020-36023 CVE-2020-36

(E)LTS report for July 2023

DLAs released: DLA-3497-1 pypdf2 CVE-2023-36810 DLA-3513-1 tiff CVE-2023-2908 CVE-2023-3316 CVE-2023-3618 CVE-2023-25433 CVE-2023-26965 CVE-2023-26966 CVE-2023-38288 CVE-2023-38289 ELAs released: ELA-893-1 pypdf2 (stretch) CVE-2023-36810 ELA-909-1 tiff (jessie+stretch) CVE-2023-2908 CVE-2023

Re: WebKit 2.40 update for buster

On Thu, Jul 06, 2023 at 01:19:51PM +, Alberto Garcia wrote: >... > Bear in mind that supporting older distros means refraining from using > newer versions of the libraries and build dependencies that Webkit > uses. This is already complicated, but there's a bigger problem than > that: it also m

(E)LTS report for June 2023

DLAs released: DLA-3443-1 wireshark CVE-2023-2856 CVE-2023-2858 CVE-2023-2879 CVE-2023-2952 DLA 3445-1 cpio CVE-2019-14866 CVE-2021-38185 DLA-3470-1 owslib CVE-2023-27476 DLA-3472-1 libx11 CVE-2023-3138 DLA-3474-1 systemd CVE-2022-3821 DLA-3475-1 trafficserver CVE-2022-47184 CVE-2023-30631 CV

(E)LTS report for April 2023

DLAs released: DLA-3402-1 wireshark CVE-2023-1161 CVE-2023-1992 CVE-2023-1993 CVE-2023-1994 DLA-3407-1 jackson-databind CVE-2020-10650 DLA-3408-1 jruby CVE-2017-17742 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 CVE-2020-25613 CVE-2021-31810 CVE-2021-32066 CVE-2023-28755 CVE-2023-28756 DLA-3409

LTS report for March 2023

DLA released: DLA-3377-1 systemd CVE-2023-26604 cu Adrian

(E)LTS report for February 2023

DLAs released: DLA-3332-1 apr-util CVE-2022-25147 DLA-3334-1 sofia-sip CVE-2022-47516 DLA-3339-1 binwalk CVE-2022-4510 DLA-3341-1 curl CVE-2023-23916 DLA-3343-1 mono CVE-2023-26314 A DLA for emacs was prepared, but is waiting for confirmation that a regression that was discovered in bullseye-

LTS report for January 2023

DLAs released: DLA-3292-1 sofia-sip CVE-2023-22741 DLA-3304-1 fig2dev CVE-2020-21529 CVE-2020-21531 CVE-2020-21532 CVE-2020-21676 CVE-2021-32280 DLA-3305-1 libstb CVE-2018-16981 CVE-2019-13217 CVE-2019-13218 CVE-2019-13219 CVE-2019-13220 CVE-2019-13221 CVE-2019-13222 CVE-2019-13223 CVE-2021-2802

LTS report for December 2021

Hours worked: 70.75 hours DLAs released: DLA-2849-1 wireshark CVE-2021-22207 CVE-2021-22235 CVE-2021-39921 CVE-2021-39922 CVE-2021-39923 CVE-2021-39924 CVE-2021-39925 CVE-2021-39928 CVE-2021-39929 DLA-2850-1 libpcap CVE-2019-15165 DLA-2851-1 libextractor CVE-2019-15531 DLA-2855-1 monit CVE-201

Re: postgis 2.3.1+dfsg-2+deb9u1 update broken

On Wed, Dec 29, 2021 at 07:46:39PM +0200, Adrian Bunk wrote: > On Wed, Dec 29, 2021 at 05:04:29PM +0100, Peter De Wachter wrote: > > In postgis LTS update 2.3.1+dfsg-2+deb9u1, the package > > postgresql-9.6-postgis-2.3-scripts is empty (containing only > > /usr/share/doc fi

Re: postgis 2.3.1+dfsg-2+deb9u1 update broken

On Wed, Dec 29, 2021 at 05:04:29PM +0100, Peter De Wachter wrote: > In postgis LTS update 2.3.1+dfsg-2+deb9u1, the package > postgresql-9.6-postgis-2.3-scripts is empty (containing only > /usr/share/doc files). The scripts are missing. Without the scripts, I > believe it's not possible to create ne

LTS report for November 2021

Hours worked: 62 hours DLAs released: DLA-2828-1 libvorbis CVE-2017-14160 CVE-2018-10392 CVE-2018-10393 DLA-2829-1 libvpx CVE-2020-0034 DLA-2830-1 tar CVE-2018-20482 DLA-2831-1 libntlm CVE-2019-17455 DLA-2832-1 opensc CVE-2019-15945 CVE-2019-15946 CVE-2019-19479 CVE-2020-26570 CVE-2020-26571

CVE-2021-38595 incorrectly marked as not affecting Qt 5?

On Tue, Aug 31, 2021 at 09:15:15AM +, Raphaël Hertzog (@hertzog) wrote: >... > Commits: > 63957298 by Neil Williams at 2021-08-31T10:11:30+01:00 > CVE-2021-38593/qt vulnerable code introduced later >... > Changes: > > = > data/CVE/list >

Re: Bug#994405: libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines

On Fri, Sep 17, 2021 at 07:02:48AM +0200, Anton Gladky wrote: > Thanks, Vincent, for the information. I would still wait for CVE, > so we can apply a patch and track vulnerability for other > Debian versions (stable/oldstable/o-o-stable etc.). Hi Anton, did you manage to get a CVE assigned for th

LTS report for October 2021

Hours worked: 40.5 hours DLAs released: DLA 2795 gpsd CVE-2018-17937 DLA 2801 cron CVE-2017-9525 CVE-2019-9704 CVE-2019-9705 CVE-2019-9706 DLA 2802 elfutils CVE-2018-16062 CVE-2018-16402 CVE-2018-18310 CVE-2018-18520 CVE-2018-18521 CVE-2019-7150 CVE-2019-7665 DLA 2803 libsdl2 CVE-2017-2888 CVE

Re: Change in libcrypt1 prevents upgrades from Buster to Bookworm

On Sat, Oct 09, 2021 at 07:41:03PM -0700, Otto Kekäläinen wrote: > Hello! Hello Otto! >... > This makes LTS kind of moot, as systems that want to stay on LTS and > "skip" at least one release can no longer do so. What is your take > here? If the issue is not fixed, then at least LTS should docume

Re: Accepted krb5 1.15-1+deb9u3 (source) into oldoldstable

On Fri, Oct 01, 2021 at 11:58:17AM +0100, Dameon Wagner wrote: > > Hi, Hi Dameon, > Apologies if this isn't the correct list to flag this, but it appears > that the upload for this DLA was missing the two all-architecture > binary packages: krb5-doc and krb5-locales. > > Running `apt-cache poli

(E)LTS report for September 2021

LTS Hours worked: 19.5 hours DLA 2770-1 weechat CVE-2020-8955 CVE-2020-9759 CVE-2020-9760 CVE-2021-40516 DLA 2771-1 krb5 CVE-2018-5729 CVE-2018-5730 CVE-2018-20217 CVE-2021-37750 DLA 2772-1 taglib CVE-2017-12678 CVE-2018-11439 ELTS hours worked: 3 hours ELA-489-1 weechat CVE-2021-40516

Re: stretch-security buildd builds are now broken (after 2021-10-01; le cert issue?)

On Fri, Oct 01, 2021 at 01:21:38AM -0400, Boyuan Yang wrote: > (Please cc me when needed) > > Dear LTS folks, > > I'd like to raise the issue that buildd stretch-security builds are now > completely broken after 2021-10-01. For example, see > https://buildd.debian.org/status/architecture.php?a=al

Re: Lintian changes for LTS development?

On Mon, Sep 27, 2021 at 04:58:02PM -, Chris Lamb wrote: > Hi, > > Whilst I think of it, are there any changes to Lintian that folks > here might consider particularly useful when doing LTS development? To which lintian? Running stretch lintian tends to give more useful information for packa

(E)LTS report for August 2021

LTS Hours worked: 11 hours DLA-2734-1 curl CVE-2021-22898 CVE-2021-22924 Non-DLA LTS work: - debugged ledger issue that caused non-zero leftover time in past months - fixed bin/give-back-hours when run in August/September ELTS hours worked: 3 hours ELA-470-1 curl CVE-2021-22898

Re: packages in *-lts newer than in subsequent releases

On Tue, Aug 03, 2021 at 09:37:57AM +0100, Chris Lamb wrote: > Sylvain Beucler wrote: > > > >> Will resolve these two. > > > > > > Um, I just uploaded libpam-tacplus. Maybe take care of pyxdg, > > > please? Thank you! > > > > How about you add these 6 packages to data/dla-needed.txt? > > Good idea

LTS report for January 2021

Hours worked: 14 hours DLA-2513 p11-kit CVE-2020-29361 CVE-2020-29362 DLA-2514 flac CVE-2017-6888 CVE-2020-0499 DLA-2538 mariadb-10.1 CVE-2020-14765 CVE-2020-14812 wireshark - will be released on 6.2.2021 after 2.6.20-0+deb10u1 with the same changes is in the buster point release CVE-2019-1361

LTS report for December 2020

Hours worked: 3 hours DLA-2502 postsrsd CVE-2020-35573

Re: Advice for DLA needed entry

On Tue, Jan 05, 2021 at 02:08:40PM +0100, Ola Lundqvist wrote: >... > Den tis 5 jan. 2021 13:45Adrian Bunk skrev: >... > >NOTE: 20201129: buster-pu in #975932, will backport when in buster (bunk) >... > > Before you've added your notes a month later this was the last note, > > and if you did n

Re: Advice for DLA needed entry

On Sun, Jan 03, 2021 at 12:03:05AM +0100, Ola Lundqvist wrote: > Hi Adrian Hi Ola, >... > If we keep it in dla-needed we will constantly have people like me who > think that something should be done when it is not claimed. >... > Should we write your name on the claim (because you do in practice

Re: Advice for DLA needed entry

On Wed, Dec 30, 2020 at 11:33:12PM +0100, Ola Lundqvist wrote: > Hi > > Today I worked some on wireshark and concluded that all CVEs were postponed > for buster. So I did some research to check if they were applicable to > stretch as well and added quite a few notes about this in the tracker. The

Re: pluxml issues are questionable, request for advice

On Wed, Dec 16, 2020 at 07:36:19AM +0100, Ola Lundqvist wrote: > Hi LTS team > > I have checked two of the pluxml issues > CVE-2020-18184 > This vulnerability is questioned upstream. >... > The question is how this should be marked: > - no-dsa minor issue? > - ignored? >... "not a vulnerability"

(E)LTS report for November 2020

LTS: Hours worked: 13 hours DLA 2452 libdatetime-timezone-perl Updated timezone data DLA 2462 cimg CVE-2020-25693 DLA 2472 mutt CVE-2020-28896 DLA 2473 vips CVE-2020-20739 ELTS: Hours worked: 2 hours libdatetime-timezone-perl Updated timezone data

Re: Bug#974899: libdatetime-timezone-perl: Inconsistent Olson versions within Timezone data

Version: 1:2.09-1+2020d+1 On Mon, Nov 16, 2020 at 09:35:02AM +, Ben Smithurst wrote: >... > Loaded DateTime::TimeZone::Europe::London, which is from a different version > (2020d) of the Olson database than this installation of DateTime::TimeZone > (2019c). >... Apologies for the breakage, I

Re: Fwd: Bug#974899: libdatetime-timezone-perl: Inconsistent Olson versions within Timezone data

On Mon, Nov 16, 2020 at 04:29:05PM +0100, Florian Schlichting wrote: > Hi Adrian, > > are you aware of this regression in stretch-security, can you fix this > soonish (it leaves several hundred lines in my log every hour) and/or > leave a comment in the bug? Yes, I've seen the bug and already loo

  1   2   >