Re: Fixing src:ucf environment variable insecurity in [old]stable

2025-01-16 Thread Chris Lamb
d in bookworm. Many thanks. I will backport/apply this to LTS (and ELTS) presently. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: ceph 14.2.22 for bullseye

2024-12-31 Thread Chris Lamb
individually patch it. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: Fixing src:ucf environment variable insecurity in [old]stable

2024-12-31 Thread Chris Lamb
veryone! And the same to you! Best wishes, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: ceph 14.2.22 for bullseye

2024-12-21 Thread Chris Lamb
will review. Best wishes, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: bullseye-security upload queue open (was: [SECURITY] [DLA 3856-1] python-html-sanitizer security update)

2024-09-02 Thread Chris Lamb
Chris Lamb wrote: > Hi Santiago et al., > >> Chris, are you able to upload python-html-sanitizer (or libtommath)? It >> would help to verify that everything is OK. > > Sure thing. I'll upload libtommath 1.1.0-3+deb10u1 presently as it > contains both arch:all and

Re: bullseye-security upload queue open (was: [SECURITY] [DLA 3856-1] python-html-sanitizer security update)

2024-08-31 Thread Chris Lamb
. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: [SECURITY] [DLA 3856-1] python-html-sanitizer security update

2024-08-26 Thread Chris Lamb
debian-lts-announce list. :( Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: Guidance for CVE triage and listing packages in dla-needed.txt

2024-04-11 Thread Chris Lamb
ive. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: Guidance for CVE triage and listing packages in dla-needed.txt

2024-04-10 Thread Chris Lamb
0 updates (see > https://lists.debian.org/debian-lts-announce/2024/03/threads.html for > example). Mmm, I highly suspect some counting mishap here. A quick, dirty (and likely inexact) grep across my last 12 LTS reports indicates I alone have addressed over 40. Regards, -- ,

Re: Python review request, CVE-2022-22817 & CVE-2023-50447 in pillow

2024-03-01 Thread Chris Lamb
… which also has a lot of details that expose just enough info about Python's evaluation model to be interesting. Curiously, it also demonstrates how to use compile(…) in pretty much the same way that the patch for CVE-2022-22817 performs its check. Regards, -- ,''`.

Re: opendmarc 1.3.2-6+deb10u3 postinst hangs

2023-08-30 Thread Chris Lamb
arts) did not surface this issue. Could it be different debconf frontends? If so, we should of course broaden our testing surface. Regards, -- o ⬋ ⬊ Chris Lamb o o reproducible-builds.org 💠 ⬊ ⬋ o

Re: Bug#1037178: puppet does not sync files anymore after recent ruby2.5 security upload

2023-06-07 Thread Chris Lamb
No, please go ahead and do both: my availability is spotty for the next 18 hours. :) (on mobile) Utkarsh Gupta wrote: > Hi Chris, > > On Wed, Jun 7, 2023 at 9:01 PM Chris Lamb wrote: >> I see your 2.5.5-3+deb10u6 update on the debian/buster branch which >> fixes the b

Re: Bug#1037178: puppet does not sync files anymore after recent ruby2.5 security upload

2023-06-07 Thread Chris Lamb
t. Although you mentioned you were going to wait a bit more, I'm just 100%-checking you aren't waiting on anything from me to upload that? Best wishes, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: [Git][security-tracker-team/security-tracker][master] Reserve DLA-3389-1 for lldpd

2023-04-12 Thread Chris Lamb
ommand, re-entering all the information again which might get a bit annoying. Maybe this would be good logic to introduce if we scripted the rebase at the very top of gen-DLA, but that is not entirely unproblematic either. Thoughts welcome. Regards, -- ,''`. : :'

Re: LTS upload of ruby-loofah

2023-03-14 Thread Chris Lamb
today and > tomorrow and finish this. Ah, great. I see that you've taken the claim back and have requested feedback in a separate thread — thanks for the quick reply. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

LTS upload of ruby-loofah

2023-03-13 Thread Chris Lamb
Hi Daniel, After being unclaimed through inactivity, I took over the claim for ruby-loofah in data/dla-needed.txt. However, I've just noticed that you have already authored and prepared some patches in the Git repo, which clearly took some time and effort. If you had not committed anything, I wou

Re: Accepted python-cryptography 2.6.1-3+deb10u4 (source amd64 all) into oldstable

2023-02-26 Thread Chris Lamb
Does this still need a follow-up DLA to DLA 3331-1? Yes, indeed. This has been announced as DLA 3331-2. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: Using Salsa-CI as pre-upload QA for Bullseye and Buster uploads: Lintian and Piuparts

2023-01-02 Thread Chris Lamb
A packages before upload to _any_ Debian release? When I was maintaining Lintian, that was my intention. But it was never perfect in that regard. Hope this helps. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: Using Salsa-CI as pre-upload QA for Bullseye and Buster uploads: Lintian and Piuparts

2022-11-14 Thread Chris Lamb
alsa.debian.org/salsa-ci-team/pipeline#changing-the-debian-release … variable? Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: clickhouse - Please review

2022-11-02 Thread Chris Lamb
true" instead of not running any of it. If you are using the autopkgtest facility, this can be achieved by marking the test as "flaky". (Replying for the edification of the list at large; pretty sure Anton shares this view & knowledge.) Best wishes, -- ,''

Re: Updating the LTS/ELTS instructions on freexian.com

2022-10-10 Thread Chris Lamb
s will help. Thanks. -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-+++ type = "docs" title = "How to use Extended LTS" date = 2018-05-30T12:13:12+02:00 weight = 100 draft = false bref = "To ben

Updating the LTS/ELTS instructions on freexian.com

2022-10-10 Thread Chris Lamb
"a)" simply needs updating to the latest version (freexian-archive-keyring_2022.06.08_all.deb), but I'm not sure what to do with "b)", as well as how to update these instructions in the first place. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: Accepted knot-resolver 3.2.1-3+deb10u1 (source amd64 all) into oldstable

2022-10-07 Thread Chris Lamb
e uploads from the LTS tree, as well as fixed it on the Debian website. Thanks for pointing it out. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: [SECURITY] [DLA 3107-1] sqlite3 security update

2022-09-14 Thread Chris Lamb
block announcements until the package appears in the archive as you suggest; previously I was merely waiting an arbitrary amount of time. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: [SECURITY] [DLA 3107-1] sqlite3 security update

2022-09-14 Thread Chris Lamb
Chris Lamb wrote: >> Did you forget to upload this? I don't see any sqlite3 update in >> buster-security (or maybe it was rejected or something). > > I didn't forget. Rather, it was REJECTED late last night and I re- > uploaded first thing this morning.

Re: [SECURITY] [DLA 3107-1] sqlite3 security update

2022-09-13 Thread Chris Lamb
I mistook the "2" suffix of "+deb10u2" to assume that the orig tarball was already in the archive and, as such, I did not append dpkg-genchanges' -sa flag. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: [SECURITY] [DLA 3077-1] ruby-tzinfo security update

2022-08-22 Thread Chris Lamb
t? I was programmatically generating the text myself, yes. I've updated my script accordingly though; thanks for pointing out the rather subtle s/"Stretch"/stretch/ change. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: [SECURITY] [DLA 3077-1] ruby-tzinfo security update

2022-08-19 Thread Chris Lamb
7-1 within the security-tracker Git working tree. What am I missing? // Chris >> - >> Debian LTS Advisory DLA-3077-1 debian-lts@lists.debian.org >> https://www.debian.org/lts/security/

Re: DLA needed for NBD 1:3.15.2-3

2022-03-10 Thread Chris Lamb
Hi Wouter, > Sure, that makes sense. Thanks for checking, but go right ahead and run > autogen.sh :-) Sure thing. So I've just gone ahead and released/uploaded this as DLA-2944-1 — thanks for helping to prepare this update. :) Best wishes, -- ,''`. :

Re: DLA needed for NBD 1:3.15.2-3

2022-03-10 Thread Chris Lamb
[[[ Just a quick administrative follow-up to this thread: to avoid any potential duplicated effort, I've gone ahead and claimed the nbd entry in dla-needed.txt. ]]] Chris Lamb wrote: >> I've prepared an update and pushed it to my repository at >> https://salsa.debian

Re: DLA needed for NBD 1:3.15.2-3

2022-03-09 Thread Chris Lamb
tive, especially when doing security releases.) Best wishes, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: privoxy stretch package 3.0.26-3+deb9u3 prepared

2021-12-10 Thread Chris Lamb
bsequent update. The second CVE (CVE-2021-44543) looks like it might, in some configurations, be remotely exploitable. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: Semi-automatic unclaim of packages with more than 2 weeks being inactive

2021-10-26 Thread Chris Lamb
Jeremiah C. Foster wrote: > DLA 2791-1 (23 Oct 2021) (mailman) This has now been published; thanks for spotting. :) Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: Lintian changes for LTS development?

2021-09-28 Thread Chris Lamb
ut between before and after applying a fix for relevant CVE(s)? Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Lintian changes for LTS development?

2021-09-27 Thread Chris Lamb
is on the basis that if I automatically ignore some of them, I might be inadvertently 'training' myself to ignore other, more serious, ones. However, I'm sure there is more low-hanging fruit that might prevent potential regressions. Thoughts welcome. Regards, -- ,''

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2021-09-06 Thread Chris Lamb
egards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: Bug#993129: redis-tools 3:3.2.6-3+deb9u6 has broken dependencies

2021-08-27 Thread Chris Lamb
Utkarsh Gupta wrote: > Could you take a look at this bug report (#993129), please? Already fixed, just in the upload/archive pipeline... (was successfully ACCEPTED 30+ mins ago, for example.) Regards, -- ,''`. : :' : Chris Lamb `. `'` la

Re: packages in *-lts newer than in subsequent releases

2021-08-05 Thread Chris Lamb
gs like these, I'll take this one as well. Ah, I saw "jessie" and quickly added it so it didn't get lost in the archive. Can you move the entry to the correct file? Best wishes, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: packages in *-lts newer than in subsequent releases

2021-08-05 Thread Chris Lamb
elease. * Add IBPB support for family 17h AMD processors (CVE-2017-5715) (since version 3.20180515.1). Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: packages in *-lts newer than in subsequent releases

2021-08-03 Thread Chris Lamb
, your mail had not landed on the list by the time I replied to Andreas. Luckily, I had not started on libpam-tacplus.) Best wishes, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: packages in *-lts newer than in subsequent releases

2021-08-02 Thread Chris Lamb
Andreas Beckmann wrote: > libpam-tacplus https://bugs.debian.org/962830 > pyxdg https://bugs.debian.org/930099 Will resolve these two. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2021-06-14 Thread Chris Lamb
ended up on the website. I've merged the commit from my fork of the webwml.git repository and it should appear on the website in due course. Thanks for the pointers. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2021-06-14 Thread Chris Lamb
ty | source, all $ Am I missing something? Best wishes, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: CVE-2021-32642 in radsecproxy

2021-05-27 Thread Chris Lamb
upload if FD believes the vulnerability does warrant an update, mind you. (Thanks either way, of course.) Best wishes, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: CVE-2021-32642 in radsecproxy

2021-05-27 Thread Chris Lamb
nce, I would be happy to upload it. Just to 100% check though: you are not in a position to upload it, create and publish a DLA, update the website, etc.? (Just avoiding duplicate work.) Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: libgetdata

2021-05-10 Thread Chris Lamb
the package to you. I couldn't easily find the patch for CVE-2021-20204 to confirm that the version in LTS is vulnerable, but from your message I will assume that you have access. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: Adding python-django to dla-needed.txt

2021-04-14 Thread Chris Lamb
h ongoing and new contributors) for little, if any, benefit. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: Adding python-django to dla-needed.txt

2021-04-09 Thread Chris Lamb
ar oversight and does not realise they are on FD this week.) Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: Adding python-django to dla-needed.txt

2021-04-08 Thread Chris Lamb
e? Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Adding python-django to dla-needed.txt

2021-04-06 Thread Chris Lamb
Hi Emilio, Glancing at lts-frontdesk.2021.txt, it seems like you are on LTS duty this week. Would you object if I added and claimed python-django to address CVE-2021-28658? I am the maintainer in unstable. (The same goes for ela-needed.txt too.) Regards, -- ,''`. : :

Re: DLA 2550-1: CVE-2020-27844: Patch present in source but not applied?

2021-03-16 Thread Chris Lamb
> Thanks for the analysis! And thanks for removing it from data/dla-needed.txt - I thought I should add it so the issue could not somehow get lost. Best wishes, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: CVE-2020-36193 php-pear vs drupal7

2021-02-25 Thread Chris Lamb
of triage. After all, the code copy of Tar.php (in "system.tar.inc") is very slightly hidden. I would go ahead and add drupal7 as well -- a very quick glance suggests that it is, indeed, vulnerable. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: Update of OpenVSwitch in Stretch

2021-02-15 Thread Chris Lamb
anges. Can you vouch for upstream making sensible/reasonable decisions between these minor releases? That would be necessary for a hypothetical 2.6.11 too. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: How to backport test binaries?

2021-02-03 Thread Chris Lamb
Hi Utkarsh, > On several occasions, I've seen that fixing commits of CVEs have some > sort of binaries (either an image or some compressed file or whatever) > added as a test to ensure that the fix is indeed working as expected. > > And whilst trying to backport, the patches don't seem to like git

Re: Incomplete fix for CVE-2019-20218/sqlite3

2020-12-08 Thread Chris Lamb
: Fix integer overflow in sqlite3_str_vappendf. 27 28 -- Roberto C. Sanchez Tue, 04 Aug 2020 19:07:43 -0400 Roberto, can you follow-up on this? Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: IRC meeting this Thursday 24th - Agenda

2020-09-21 Thread Chris Lamb
ong), but a confirmation would be really appreciated. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: golang-1.7 / CVE-2019-9514 / CVE-2019-9512

2020-09-09 Thread Chris Lamb
(Minor issue) Good spot. I'm not quite sure why either — I might first guess that it was something to do with the ordering of the entries, but not at all certain. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: [Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Triage python-django for stretch LTS.

2020-09-02 Thread Chris Lamb
Chris Lamb wrote: > > > Don't the new Django vulnerabilities only apply when running with Python > > 3.7 or > > newer? > > Replying quickly — possibly, have not looked into the (E)LTS angle yet. > > I was just ensuring that there was no duplicated effort

Re: [Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Triage python-django for stretch LTS.

2020-09-01 Thread Chris Lamb
' maintainer of Django. Will adjust the situation when I return to this, either later today or early tomorrow. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: kernel updates

2020-07-28 Thread Chris Lamb
egards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: jruby support

2020-07-11 Thread Chris Lamb
Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: drafted bits about the LTS survey

2020-07-11 Thread Chris Lamb
obably > want to do another survey in 2020... > - neither I'm unsure whether to include an email address for private > feedback and if so which. press@? me? utkarsh? buxy? (No strong feelings.) Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

fwupd_0.7.4-2+deb9u1 (was: "Re: Debian 9 (Stretch) LTS: archive side should be done")

2020-07-09 Thread Chris Lamb
n my 0.7.4-2+deb9u1. I therefore conclude that this is fine *this* time. Please let me know if this is incorrect and, if so, what I can do to remedy it. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: DLA template and user signatures

2020-07-07 Thread Chris Lamb
o if it gets resolved off-list or this is really minor, I'm totally fine with that. 👍 Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: [Git][security-tracker-team/security-tracker][master] Triage CVE-2020-12675, CVE-2020-12691, CVE-2020-12690 and CVE-2020-12689 for stretch LTS.

2020-07-07 Thread Chris Lamb
ou as it is a kind of 'meta' process question, feel free to poke it on. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: DLA template and user signatures

2020-07-07 Thread Chris Lamb
potentially-important security release? (Oh, almost entirely unrelated but I don't want to start a new thread for this: but don't forget to upload any LTS/ELTS entries in your ~/.dput.cf or similar.) Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: Draft: Debian 8 Long Term Support reaching end-of-life

2020-07-03 Thread Chris Lamb
addition we are > pleased to announce, for the first time support will be extended to > include the arm64 architecture. Perfect. :) Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: Draft: Debian 8 Long Term Support reaching end-of-life

2020-07-03 Thread Chris Lamb
these architectures are new to this support cycle? (i.e. "diff") Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: jquery / CVE-2020-7656

2020-06-10 Thread Chris Lamb
make my language clearer. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: jquery / CVE-2020-7656

2020-06-09 Thread Chris Lamb
) so I would not be able to look at this before you would. In any case, I only know enough Javascript to know to avoid it anyway. Sorry I cannot be of more direct help here, but you have my moral support. Regards, -- ,''`. : :' : Chris Lamb `. `'`

Re: jquery / CVE-2020-7656

2020-06-08 Thread Chris Lamb
Brian, > Do we only need to filter out javascript if a selector is provided for > some reason? Yes. Javascript development is fun. (As I added in the notes, I do not know how we are meant to cleanly fix this issue in jessie's version of jQuery.) Regards, -- ,''`.

Re: How to handle back-to-back firefox-esr uploads

2020-06-08 Thread Chris Lamb
too. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: What to do about DLA-2176-1

2020-05-10 Thread Chris Lamb
is can be ameliorated by, for example, appending a supplementary message that explicitly mentions and explains the delay in the mail. Best wishes, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Jessie update of freerdp?

2020-05-10 Thread Chris Lamb
nd/or test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of freerdp updates for the LTS releases. Thank you very much. Chris Lamb, on behalf of the Debian LTS team. PS: A member of th

Re: Triage of CVE-2020-9489/tika

2020-05-09 Thread Chris Lamb
dsa here, did you consider upgrading the entire package to a newer version? (Is it even compatible? Is this critical enough of a package? etc.) Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when mod_rewrite rule is triggered

2020-05-09 Thread Chris Lamb
of severity then by that very fact it won't be worth fixing in Jessie LTS. (Getting a CVE is somewhat easier than you think and my first CVE I was assigned was actually a nice little badge of honour.) Regards, -- ,''`. : :' : Chris Lamb `. `'

Re: Refreshing mysql-connector-java

2020-05-08 Thread Chris Lamb
oblems by refreshing this package without knowing much about it. (Do we have an idea of how big the debdiff would be for this initial upload? Have we had issues in the past? Is there another metric we can use?) Best wishes, -- ,''`. : :' : Chris Lamb `. `'`

Re: keystone support in Jessie

2020-05-08 Thread Chris Lamb
ity-support/-/merge_requests/3 Best wishes, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: nginx / CVE-2020-11724

2020-05-07 Thread Chris Lamb
nvasive". Fixed in bcc6ceb1c0... Best wishes, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: keystone support in Jessie

2020-05-07 Thread Chris Lamb
me know and I will go ahead with that. I have removed keystone from dla-needed.txt in 18c3371ddc. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: dla-needed.txt: Add note on CVE-2020-1769 in otrs2.

2020-04-28 Thread Chris Lamb
-- https://bugzilla.mozilla.org/show_bug.cgi?id=1353035#c2 Regardless and unrelated to the merits of this argument, I am now more and more inclined to believe this is a no-dsa issue. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: CVE-2020-1957 in shiro (#955018)

2020-04-11 Thread Chris Lamb
this in the meantime? Best wishes, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Jessie update of ceph?

2020-04-08 Thread Chris Lamb
r test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of ceph updates for the LTS releases. Thank you very much. Chris Lamb, on behalf of the Debian LTS team. PS: A member of the LTS team m

CVE-2020-1957 in shiro (#955018)

2020-04-07 Thread Chris Lamb
g and I just sent a follow-up to the bug (as message #17) to that effect but perhaps someone reading this list will know the right switch to flip. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: CVE-2020-10938/graphicsmagick and additional upstream change

2020-03-30 Thread Chris Lamb
maximum of clarity to our users with the minimum of soul-searching & ontological debate regarding what ought to be included or not by the security team(s). :) Best wishes, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: Bug#953950: python-twisted: twisted version 14.0.2-3+deb8u1 in jessie (security) is broken

2020-03-19 Thread Chris Lamb
Chris Lamb wrote: > I will take charge of fixing this in jessie with the utmost urgency. I have just uploaded 14.0.2-3+deb8u2 and DLA-2145-2 will be announced after sending this email. Thank you again for raising this issue. Best wishes, -- ,''`. : :'

Re: Bug#953950: python-twisted: twisted version 14.0.2-3+deb8u1 in jessie (security) is broken

2020-03-19 Thread Chris Lamb
Hi all, > Please, can you […] revert this patch and re-publish the working (but > security flawed) 14.0.2-3 twisted version ? I will take charge of fixing this in jessie with the utmost urgency. Thank you for raising this issue. Regards, -- ,''`. : :'

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-03-09 Thread Chris Lamb
.* Ah, I had looked for exactly this but somehow these files escaped me. I have submitted a MR now: https://salsa.debian.org/webmaster-team/webwml/-/merge_requests/385 Best wishes, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-03-09 Thread Chris Lamb
Hi Holger et al., > ERROR: .data or .wml file missing for DLA 2115-2 (reserved by Chris Lamb) __^__ How do we announce a regression (i.e. -2, -3) via the website? The namespacing used here (captured in the filenames such as 2020/dla-2115.wml

Re: [SECURITY] [DLA 2115-1] proftpd-dfsg security update

2020-03-02 Thread Chris Lamb
st wishes, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: security upload imposing load on other parts of Debian

2020-03-01 Thread Chris Lamb
en I have not been as precise as I would have liked on the distinction between and , incorrectly thinking them to be essentially synonymous. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: RFC - mark CVE-2017-18641/lxc as or ?

2020-02-26 Thread Chris Lamb
ailed analysis of the situation. I would agree with your conclusion. I would only add that it is a shame that this issue was known for many years. Best wishes, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: paid LTS work imposing load on volunteers and other side effects (Re: zsh_5.0.7-5+deb8u1_amd64.changes REJECTED)

2020-02-26 Thread Chris Lamb
everybody, what do you think of the Debian LTS initiative?". In contrast, being made aware of things that we do not already know (such as quietly imposing workloads on other teams) would be highly valuable to learn given the social implications of doing this. Regards, -- ,''

Re: Support of lua-cgi

2020-02-25 Thread Chris Lamb
don't feel like we can infer anything at all as lua-cgi is exactly the kind of library that would be found on smaller systems that would be extremely unlikely to submit popcon data in the first place (eg. as embedded router web interfaces). Regards, -- ,''`.

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-02-24 Thread Chris Lamb
Hi all, > And, thanks to Emilio's patch showing the authors here, we got significantly > less DLAs missing on www.debian.org: [..] > ERROR: .data or .wml file missing for DLA 1985-1 (reserved by Chris Lamb) Thanks for your diligence. Another one with a local commit but I neglecte

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-02-20 Thread Chris Lamb
Dear all. > > The attached patch allows that script to also print author information when > > using a local copy of the security-tracker repo with the --list option. This is extremely useful, thank you. > > ERROR: .data or .wml file missing for DLA 2083-1 (reserved by Chris La

Re: [SECURITY] [DLA 2069-1] cacti security update

2020-01-27 Thread Chris Lamb
sent in cacti 0.8.8b and (unless I am missing any other commits) I therefore conclude that this CVE is resolved in jessie LTS. I have accordingly removed it from the dla-needed.txt file. Thanks for your diligence on this. :) Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: [SECURITY] [DLA 2069-1] cacti security update

2020-01-22 Thread Chris Lamb
[adding Dylan Aïssi to CC] Chris Lamb wrote: > > a followup patch was just published for CVE-2020-7106[0]. If you want to > > release a regression update, I'd recommend to wait a few days. > > Thanks for spotting this and for your sage advice — I have added it to my >

Re: [SECURITY] [DLA 2069-1] cacti security update

2020-01-19 Thread Chris Lamb
low-up then. Best wishes, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-

Re: Unable to announce the updates

2020-01-13 Thread Chris Lamb
st to me that the mailing list software is not treating this key as authorised; did you perhaps do some Debian keyring changes recently? It may take some time to propagate, perhaps after a keyring update (usually once a month IIRC). Best wishes, -- ,''`. : :' : Chris L
