Re: Enable KGB notifications on #debian-lts for MRs and issues on debian-lts repositories

2025-08-05 Thread Emilio Pozuelo Monfort
On 29/07/2025 04:30, Carlos Henrique Lima Melara wrote: Hi, I brought this proposal up in a previous meeting and would like to formalize it here in the mailing list. I'm proposing enabling KGB notifications for MRs and issues in lts-team.pages.debian.net. The rationale is not everyone is notifie

Re: atril: Atril crash when trying to open the print dialog

2025-04-16 Thread Emilio Pozuelo Monfort
On 16/04/2025 16:45, Gianluca Renzi wrote: It should be great if I can reproduce the core-dump so it can be useful as post mortem debug. Do you know how to do this? If the crash is happening every time you open the print dialog, then it is reproducible for you. What Sylvain means is that it do

Re: What pain points exist in the current security-tracker structure?

2025-04-07 Thread Emilio Pozuelo Monfort
On 06/04/2025 19:33, Bastien Roucaries wrote: Other pain point: NOTE syntax should be improved or better documented for fixed version I'm not sure I understand you here. The syntax for fixed versions should be: CVE-... - package fixed-version (...) Can you clarify what you mean there,

Re: Fwd: ucf_3.0043+deb11u1_amd64.changes REJECTED

2025-01-20 Thread Emilio Pozuelo Monfort
On 20/01/2025 16:17, Bastian Blank wrote: On Mon, Jan 20, 2025 at 03:04:01PM +, Chris Lamb wrote: I just went to upload src:ucf, but received the rejection below. Now I've come across most dak messages in my time, but not this one. Does anyone know where this stray ucf_3.0043+deb11u1.dsc cou

Re: Review of ucf 3.0043+deb11u1

2025-01-20 Thread Emilio Pozuelo Monfort
On 20/01/2025 12:21, Chris Lamb wrote: Hi -lts, Sending this for a quick review for a bunch of reasons, not least of all because this didn't get a CVE and thus has fewer eyeballs on it. (https://bugs.debian.org/1089015 is the bug in question.) This looks fine to me, though is there any reason w

Re: LTS version > stable or wait?

2025-01-19 Thread Emilio Pozuelo Monfort
On 19/01/2025 11:55, Adrian Bunk wrote: Hi, libtar | 1.2.20-8 | oldstable| source libtar | 1.2.20-8 | stable | source I have two options regarding releasing this for LTS: 1. Have a version LTS > stable until the next point release, or 2. Prepare the update and relea

Re: Fixing src:ucf environmnent variable insecurity in [old]stable

2025-01-13 Thread Emilio Pozuelo Monfort
On 31/12/2024 15:01, Chris Lamb wrote: Santiago Ruano Rincón wrote: JFTR, Mike proposed a bullseye pu: https://bugs.debian.org/1091198. Chris, you may want to coordinate with him, so this can be uploaded after the bookworm SUA. The updated bug number is https://bugs.debian.org/1091196 as this

Re: Fixing src:ucf environmnent variable insecurity in [old]stable

2024-12-20 Thread Emilio Pozuelo Monfort
On 20/12/2024 03:53, Santiago Ruano Rincón wrote: Hi Mark, and thanks for the heads-up, CC'ing the LTS mailing list for visibility. BCC'ing debian-devel. On 19/12/24 at 17:50, Mark Hindley wrote: Hello, I recently completed salvaging of src:ucf[1]. As part of code cleanup I discovered

Re: following or getting ahead of Stable

2024-12-12 Thread Emilio Pozuelo Monfort
On 12/12/2024 11:42, Sean Whitton wrote: Hello, On Thu 12 Dec 2024 at 02:33am +02, Adrian Bunk wrote: Would it be possible to setup bullseye in the ELTS infrastructure for low-priority updates right now, the same way jessie, stretch and buster are already there? The simplest setup would be th

Re: Questions about Debian LTS git workflows

2024-11-29 Thread Emilio Pozuelo Monfort
Hi Otto, On 18/11/2024 04:27, Otto Kekäläinen wrote: Hi! I was reading https://lts-team.pages.debian.net/git-workflow-lts.html and have a couple of questions: 1. Why use `debian/.gitlab-ci.yml` instead of `debian/salsa-ci.yml`? As Sylvain mentioned, that's for historical reasons, as an old s

Re: Testing webkit2gtk update on bullseye

2024-11-07 Thread Emilio Pozuelo Monfort
On 06/11/2024 15:12, Emilio Pozuelo Monfort wrote: Hi, I have prepared an update of webkit to the new upstream series, 2.46. This required building using clang-16 and libc++-16 for C++23 support. I have built it for amd64 and i386 and uploaded it to:   https://people.debian.org/~pochu/lts

Testing webkit2gtk update on bullseye

2024-11-06 Thread Emilio Pozuelo Monfort
Hi, I have prepared an update of webkit to the new upstream series, 2.46. This required building using clang-16 and libc++-16 for C++23 support. I have built it for amd64 and i386 and uploaded it to: https://people.debian.org/~pochu/lts/webkit/ I'd appreciate if anyone can give it a try wi

Re: Bug#1086602: bullseye-pu: package intel-microcode/3.20240910.1~deb11u1

2024-11-04 Thread Emilio Pozuelo Monfort
On 03/11/2024 19:20, Henrique de Moraes Holschuh wrote: On Sun, Nov 3, 2024, at 08:06, Emilio Pozuelo Monfort wrote: Please feel free to upload to security-master targeting bullseye-security in d/changelog. I can take care of the announcement after that. Note that to avoid version skew (having

Re: Bug#1086602: bullseye-pu: package intel-microcode/3.20240910.1~deb11u1

2024-11-03 Thread Emilio Pozuelo Monfort
Hi Henrique, (moving to debian-lts) On 02/11/2024 01:41, Henrique de Moraes Holschuh wrote: On Fri, Nov 1, 2024, at 21:34, Adam D. Barratt wrote: On Fri, 2024-11-01 at 21:17 -0300, Henrique de Moraes Holschuh wrote: As requested by the security team, I would like to bring the microcode update

Re: firefox-esr-115.12 failing to build from source

2024-07-16 Thread Emilio Pozuelo Monfort
On 16/07/2024 00:56, Chris Frey wrote: On Mon, Jul 15, 2024 at 11:29:40AM +0200, Emilio Pozuelo Monfort wrote: I'm not sure what went on there. I see that dh_install got called from the override_dh_install-arch target, but it doesn't have a '-a' argument, which would be app

Re: firefox-esr-115.12 failing to build from source

2024-07-15 Thread Emilio Pozuelo Monfort
On 15/07/2024 11:08, Chris Frey wrote: On Mon, Jul 15, 2024 at 10:53:37AM +0200, Emilio Pozuelo Monfort wrote: It might. If you upload it somewhere, I can try to take a quick look and see if I spot anything. Here: http://digon.foursquare.net/firefox-esr-115.12-dsc-buildlog.txt I

Re: firefox-esr-115.12 failing to build from source

2024-07-15 Thread Emilio Pozuelo Monfort
On 15/07/2024 10:37, Chris Frey wrote: On Mon, Jul 15, 2024 at 10:12:25AM +0200, Emilio Pozuelo Monfort wrote: That's happened to me when my build fail midway, usually due to lack of disk space, and after freeing some and restarting it, that would happen. The reason is probably a bug in d

Re: firefox-esr-115.12 failing to build from source

2024-07-15 Thread Emilio Pozuelo Monfort
On 15/07/2024 08:29, Chris Frey wrote: I'm trying to build the last firefox-esr source that was included with the now obsolete Debian Buster, 115.12. Using: apt-get source firefox-esr Expanding with (if necessary): dpkg-source -x firefox-esr_115.12.0esr-1~deb10u1.dsc Installi

Re: Packages to add back to dla-needed (?)

2024-07-01 Thread Emilio Pozuelo Monfort
On 01/07/2024 12:49, Ola Lundqvist wrote: Hi Santiago, Thorsten, all Santiago has now removed all packages from dla-needed which is good considering buster is now EOL. As a help to Thorsten I have gone through the entries we had and checked whether bullseye is considered vulnerable. My conclusi

Re: gtkwave update for {bookworm,bullseye,buster}-security

2024-04-04 Thread Emilio Pozuelo Monfort
On 29/03/2024 00:06, Adrian Bunk wrote: Hi, attached are proposed debdiffs for updating gtkwave to 3.3.118 in {bookworm,bullseye,buster}-security for review for a DSA (and as preview for buster). General notes: As suggested by the security team in #1060407, this is a backport of a new upstream

Re: c-ares, CVE-2023-31147, CVE-2023-31124

2024-03-18 Thread Emilio Pozuelo Monfort
On 23/06/2023 10:21, Moritz Muehlenhoff wrote: But in fact the view in the Debian security is a little misleading, given that it displays "vulnerable" all over the place, e.g. https://security-tracker.debian.org/tracker/CVE-2023-31147 It would be nice if that "unimportant" issues it would instea

Re: Security releases for ecosystems that use static linking

2024-03-18 Thread Emilio Pozuelo Monfort
[ Adding debian-dak@ to Cc ] On 22/12/2023 09:54, Moritz Muehlenhoff wrote: On Thu, Dec 21, 2023 at 07:30:51PM -0300, Santiago Ruano Rincón wrote: So let me ask you: are you interested in addressing the infrastructure limitations to handle those kind of packages? and having some help for that?

Re: Guidance for CVE triage and listing packages in dla-needed.txt

2024-03-18 Thread Emilio Pozuelo Monfort
On 14/03/2024 21:36, Roberto C. Sánchez wrote: - if a CVE is 'fixed' in LTS but 'ignored' in (old)stable, then the security team should be contacted to see if they would be willing to change to 'no-dsa' so that a point release fix can be made Small nitpick: a CVE 'ignored' for (old)stable

Re: [SECURITY] [DLA 3735-1] runc security update

2024-02-19 Thread Emilio Pozuelo Monfort
Hi, On 19/02/2024 07:11, Salvatore Bonaccorso wrote: Hi, On Mon, Feb 19, 2024 at 03:28:00AM +0100, Daniel Leidert wrote: - Debian LTS Advisory DLA-3735-1 debian-lts@lists.debian.org https://www.debian.org/lt

Re: tinymce git repository

2023-11-30 Thread Emilio Pozuelo Monfort
On 30/11/2023 09:29, Sean Whitton wrote: Hello Anton, Ola added tinymce to dla-needed.txt. I found . Could you let me know why the repository was archived? It's an empty repository, with no upstream sources or anything else. We dec

Policy queue in buster-security

2023-11-28 Thread Emilio Pozuelo Monfort
Hi, We're in the process of setting up a policy queue for buster-security. That means that uploads to buster-security will end up in the policy queue, and get built there. Once things are ready (builds have happened, tests have been done, etc) the update can be released to buster-security and

Re: Question about the status of libclamunrar9/libclamunrar and CVE-2023-40477 in debian buster aka oldoldstable

2023-11-14 Thread Emilio Pozuelo Monfort
On 13/11/2023 21:29, Markus Koschany wrote: Hi, Is there any chance that the patched version (0.103.10) will be back-ported from bullseye? Thanks for the heads-up. We will update clamav in Buster to 0.103.10 as well to include the patches for libclamunrar. clamav is unaffected in Debian a

Re: Accepted libyang 0.16.105+really1.0-0+deb10u1 (source) into oldoldstable

2023-10-05 Thread Emilio Pozuelo Monfort
On 27/09/2023 13:58, Markus Koschany wrote: Let me know if you want me to take care of the above. Feel free to take care of it. Done, libyang 1.0.225 uploaded and built, and frr rebuilt against it. I tested various upgrades and it all seems fine. Cheers, Emilio

Re: samba status update

2023-10-04 Thread Emilio Pozuelo Monfort
Hi Lee, On 22/08/2023 13:10, Lee Garrett wrote: == (samba) functional test framework == In the context of the July 2023 Windows update that broke samba running as a AD DC [3] it became clear

Re: Accepted libyang 0.16.105+really1.0-0+deb10u1 (source) into oldoldstable

2023-09-27 Thread Emilio Pozuelo Monfort
Hi, On 20/09/2023 15:22, Markus Koschany wrote: Hello, On Wednesday, 20.09.2023 at 10:17 +0200, Emilio Pozuelo Monfort wrote: I'm unsure about the version here. I see buster/bullseye have: libyang    | 0.16.105-1+deb10u1 | oldoldstable   | source libyang    | 1.0.22

Re: Accepted libyang 0.16.105+really1.0-0+deb10u1 (source) into oldoldstable

2023-09-20 Thread Emilio Pozuelo Monfort
Hi, On 19/09/2023 19:00, Debian FTP Masters wrote: Format: 1.8 Date: Tue, 19 Sep 2023 18:39:19 CEST Source: libyang Architecture: source Version: 0.16.105+really1.0-0+deb10u1 Distribution: buster-security Urgency: high Maintainer: David Lamparter Changed-By: Markus Koschany Checksums-Sha1: f

Re: Accepted thunderbird 1:102.14.0-1~deb10u1 (source) into oldoldstable

2023-08-08 Thread Emilio Pozuelo Monfort
On 08/08/2023 12:00, Emilio Pozuelo Monfort wrote: Hi Sylvain, On 07/08/2023 11:46, Sylvain Beucler wrote: Hello Carsten, Thanks for updating Thunderbird for buster :) Do you want the LTS Team to take care of the DLA registration and announcement, or do you plan to do that yourself

Re: firefox on buster

2023-08-08 Thread Emilio Pozuelo Monfort
Hi Chris, On 07/08/2023 23:57, Chris Frey wrote: I noticed firefox security updates for 102.14.x have been released for bullseye and bookworm, but not for buster (still on 102.13.x) Anything that an outsider can do to help with that? Given that the package is no longer in sid, I had a little

Re: Accepted thunderbird 1:102.14.0-1~deb10u1 (source) into oldoldstable

2023-08-08 Thread Emilio Pozuelo Monfort
Hi Sylvain, On 07/08/2023 11:46, Sylvain Beucler wrote: Hello Carsten, Thanks for updating Thunderbird for buster :) Do you want the LTS Team to take care of the DLA registration and announcement, or do you plan to do that yourself? Please send it out, or I can do it if you want. (I assum

Re: WebKit 2.40 update for buster

2023-07-06 Thread Emilio Pozuelo Monfort
On 27/06/2023 16:18, Alberto Garcia wrote: On Tue, Jun 27, 2023 at 10:53:40AM +0200, Emilio Pozuelo Monfort wrote: I have been testing it a bit using a buster VM but I don't think this is very stable. After removing ~/.cache/epiphany, ~/.local/share/epiphany and ~/.local/share/webkitgtk

Re: WebKit 2.40 update for buster

2023-06-27 Thread Emilio Pozuelo Monfort
Hi Berto, On 19/06/2023 12:59, Alberto Garcia wrote: On Fri, Jun 02, 2023 at 02:17:37PM +0200, Emilio Pozuelo Monfort wrote: I have prepared a repository at deb [allow-insecure=yes] https://people.debian.org/~pochu/lts/webkit/ ./ I'd appreciate some testing of any webkit applica

Re: [SECURITY] [DLA 3452-1] thunderbird security update

2023-06-13 Thread Emilio Pozuelo Monfort
On 12/06/2023 17:10, sko...@uns.ac.rs wrote: Hi, Hi, On 12/06/2023 13:35, Miroslav Skoric wrote: Although unrelated with the security issues above, may I ask something that I noticed for the first time in Thunderbird 102.11.0 (32-bit) that annoys me and what differs from some older versions i

Re: [SECURITY] [DLA 3452-1] thunderbird security update

2023-06-12 Thread Emilio Pozuelo Monfort
Hi, On 12/06/2023 13:35, Miroslav Skoric wrote: Although unrelated with the security issues above, may I ask something that I noticed for the first time in Thunderbird 102.11.0 (32-bit) that annoys me and what differs from some older versions in the past, as I can remember:  In fact, a right c

WebKit 2.40 update for buster

2023-06-02 Thread Emilio Pozuelo Monfort
Hi, With the release of WebKitGTK+ 2.40, the series currently in buster, 2.38, has become EOL. Unfortunately 2.40 bumped the compiler and other library requirements quite a bit, so a backport wasn't easy, but I've managed to do it. It requires clang++-13 to build (which is presently in buster)

Re: nvidia-graphics-drivers in DLA needed?

2023-05-10 Thread Emilio Pozuelo Monfort
On 10/05/2023 11:42, Tobias Frost wrote: On Wed, May 10, 2023 at 10:00:11AM +0200, Emilio Pozuelo Monfort wrote: On 07/05/2023 10:20, Tobias Frost wrote: Hi, (this thread is linked in dla-needed.txt and such) I'm not sure about the status of the nvidia drivers in LTS, so I thought

Re: nvidia-graphics-drivers in DLA needed?

2023-05-10 Thread Emilio Pozuelo Monfort
On 07/05/2023 10:20, Tobias Frost wrote: Hi, (this thread is linked in dla-needed.txt and such) I'm not sure about the status of the nvidia drivers in LTS, so I thought it is better to ask if or not we support nvidia-drivers Said that I've just claimed them from dla-needed.txt and will work on

Re: (E)LTS improved salsa pipeline support

2023-04-20 Thread Emilio Pozuelo Monfort
On 19/04/2023 18:16, Sylvain Beucler wrote: Hi, On 17/04/2023 21:36, Sylvain Beucler wrote: On 20/03/2023 09:40, Emilio Pozuelo Monfort wrote: On 17/03/2023 19:39, Raphael Hertzog wrote: On Thu, 16 Mar 2023, Emilio Pozuelo Monfort wrote: The result is an improved pipeline with better

Re: [Git][security-tracker-team/security-tracker][master] Reserve DLA-3389-1 for lldpd

2023-04-12 Thread Emilio Pozuelo Monfort
Hi Chris, On 12/04/2023 10:16, Chris Lamb (@lamby) wrote: Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: d3d0edc1 by Chris Lamb at 2023-04-12T09:14:31+01:00 Reserve DLA-3389-1 for lldpd My previous reservation of DLA-3388-1 didn't successfully push

Re: (E)LTS improved salsa pipeline support

2023-03-31 Thread Emilio Pozuelo Monfort
On 31/03/2023 06:19, Anton Gladky wrote: Hello Emilio, could you please provide an example, how the pipeline can be prepared? I set the value here [1], but it looks like the pipeline did not start. [1] https://salsa.debian.org/lts-team/packages/389-ds-base/-/pipelines The CI/CD configuration

Re: (E)LTS improved salsa pipeline support

2023-03-20 Thread Emilio Pozuelo Monfort
On 17/03/2023 19:39, Raphael Hertzog wrote: Hi, On Thu, 16 Mar 2023, Emilio Pozuelo Monfort wrote: The result is an improved pipeline with better support for both LTS and ELTS. [1] Great work Emilio! It would be nice to have all this properly documented in https://lts-team.pages.debian.net

Re: (E)LTS improved salsa pipeline support

2023-03-20 Thread Emilio Pozuelo Monfort
On 19/03/2023 07:50, Bastien Roucariès wrote: On Thursday 16 March 2023 09:34:17 UTC, you wrote: Hi, Hi, I have been working in improving our Salsa pipeline support for LTS and ELTS. Right now builds were failing for jessie and while stretch builds were still somewhat working, they were boun

Re: (E)LTS improved salsa pipeline support

2023-03-20 Thread Emilio Pozuelo Monfort
On 17/03/2023 06:39, Anton Gladky wrote: Hello Emilio, thanks for this update! I will test it on a couple of projects in the lts-team namespace and if everything is OK, we will switch all of them per batch-update. So, does it mean that we can drop the gitlab-ci.yml almost in all repos and let i

Re: Using Salsa-CI as pre-upload QA for Bullseye and Buster uploads: Lintian and Piuparts

2023-03-20 Thread Emilio Pozuelo Monfort
Hi Otto, I do run lintian from the target release before upload (actually on every build). I don't think running lintian from sid for (old*)stable makes sense as I'm not interested in newly introduced warnings or errors that affect sid. I'm interested in having the most stable lintian warnings

Re: [SECURITY] [DLA 3357-2] imagemagick regression update

2023-03-20 Thread Emilio Pozuelo Monfort
Hi Bastien, On 18/03/2023 18:56, Bastien Roucaries wrote: From: imagemagick <> To: debian-lts-annou...@lists.debian.org Subject: [SECURITY] [DLA 3357-2] imagemagick regression update - Debian LTS Advisory DLA-3357-2

(E)LTS improved salsa pipeline support

2023-03-16 Thread Emilio Pozuelo Monfort
Hi, I have been working in improving our Salsa pipeline support for LTS and ELTS. Right now builds were failing for jessie and while stretch builds were still somewhat working, they were bound to break once the move to archive.debian.org happens, plus they were only building on a vanilla stret

Re: RFC: ruby-loofah 2.2.3-1+deb10u2

2023-03-15 Thread Emilio Pozuelo Monfort
Hi Daniel, On 13/03/2023 23:18, Daniel Leidert wrote: Hi there, I prepared my first LTS update. You can find it here: https://salsa.debian.org/lts-team/packages/ruby-loofah When I ran some test cases to see if all the vulnerabilities are fixed, I discovered that there is a slight behavioral c

Re: Upload MariaDB 1:10.3.37-0+deb10u1 ?

2023-02-07 Thread Emilio Pozuelo Monfort
Hi Otto, On 07/02/2023 07:47, Otto Kekäläinen wrote: Hi! On Mon, 26 Dec 2022 at 14:08, Otto Kekäläinen wrote: On Mon, 5 Dec 2022 at 01:18, Utkarsh Gupta wrote: Hi Otto, On Mon, Dec 5, 2022 at 5:33 AM Otto Kekäläinen wrote: I didn't get a reply to this, so asking again. I could take c

Re: Accepted dropbear 2018.76-5+deb10u2 (source) into oldstable

2022-11-08 Thread Emilio Pozuelo Monfort
Hi Utkarsh, On 28/10/2022 14:30, Debian FTP Masters wrote: Format: 1.8 Date: Fri, 28 Oct 2022 17:29:39 +0530 Source: dropbear Architecture: source Version: 2018.76-5+deb10u2 Distribution: buster-security Urgency: high Maintainer: Guilhem Moulin Changed-By: Utkarsh Gupta Changes: dropbear (20

Re: Please push to salsa.debian.org/mariadb-team/mariadb-10.3

2022-10-24 Thread Emilio Pozuelo Monfort
On 22/10/2022 01:32, Otto Kekäläinen wrote: Hi Emilio! Please try pushing now. I don't see any of your commits on https://salsa.debian.org/mariadb-team/mariadb-10.3/-/commits/buster yet. Pushed now. Sorry for the delay. I had the commits ready, but the deb10u1 commit didn't match what I had a

Re: Bug#1021648: buster-pu: package node-xmldom/0.1.27+ds-1+deb10u1

2022-10-18 Thread Emilio Pozuelo Monfort
On 18/10/2022 10:23, Yadd wrote: On 18/10/2022 09:28, Emilio Pozuelo Monfort wrote: Hi Yadd, On 12/10/2022 18:38, Salvatore Bonaccorso wrote: +node-xmldom (0.1.27+ds-1+deb10u1) buster; urgency=medium + +  * Team upload +  * Fix prototype pollution (Closes: #1021618, CVE-2022-37616

Re: Bug#1021648: buster-pu: package node-xmldom/0.1.27+ds-1+deb10u1

2022-10-18 Thread Emilio Pozuelo Monfort
Hi Yadd, On 12/10/2022 18:38, Salvatore Bonaccorso wrote: +node-xmldom (0.1.27+ds-1+deb10u1) buster; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: #1021618, CVE-2022-37616) + + -- Yadd Wed, 12 Oct 2022 10:07:56 +0200 Thanks for preparing this. I wonder if a fix for

Re: [SECURITY] [DLA 3140-1] libpgjava security update

2022-10-10 Thread Emilio Pozuelo Monfort
Hi Onny, On 10/10/2022 10:01, Onny van den Boom wrote: Best, Is it possible to change the subscription of gysb...@hippoline.nl in helpd...@hippoline.nl? You can subscribe or unsubscribe by filling the form in https://lists.debian.org/debian-lts-announce/ Note that you will get a confirmatio

Re: Please push to salsa.debian.org/mariadb-team/mariadb-10.3

2022-09-30 Thread Emilio Pozuelo Monfort
On 26/09/2022 05:39, Otto Kekäläinen wrote: Hello Emilio! I see you uploaded: https://tracker.debian.org/news/1362643/accepted-mariadb-103-110336-0deb10u1-source-into-oldstable/ I don't see the commits at https://salsa.debian.org/mariadb-team/mariadb-10.3/-/commits/buster - please push there to

Re: What do do with bullseye minor issues?

2022-09-29 Thread Emilio Pozuelo Monfort
On 28/09/2022 23:54, Ola Lundqvist wrote: Hi Sylvain Took me a month to get down here in the email backlog. I think your reasoning makes sense. I have added the following to the LTS/Development page. "If a CVE has been fixed in Debian Stable it should, in general, be fixed in LTS as well, or ma

Re: Bug#961654: buster-pu: package bzip2/1.0.6-9.2~deb10u1

2022-09-16 Thread Emilio Pozuelo Monfort
Hi Santiago, On 15/09/2022 09:52, Emilio Pozuelo Monfort wrote: On 14/09/2022 15:42, Santiago R.R. wrote: On 14/09/22 at 13:58, Emilio Pozuelo Monfort wrote: On 13/09/2022 16:46, Sylvain Beucler wrote: Hi, IIUC this is about fixing 2 non-security bugs, that were introduced prior to

Re: Bug#961654: buster-pu: package bzip2/1.0.6-9.2~deb10u1

2022-09-15 Thread Emilio Pozuelo Monfort
On 14/09/2022 15:42, Santiago R.R. wrote: On 14/09/22 at 13:58, Emilio Pozuelo Monfort wrote: On 13/09/2022 16:46, Sylvain Beucler wrote: Hi, IIUC this is about fixing 2 non-security bugs, that were introduced prior to buster's initial release. I personally don't think thi

Re: Bug#961654: buster-pu: package bzip2/1.0.6-9.2~deb10u1

2022-09-14 Thread Emilio Pozuelo Monfort
On 13/09/2022 16:46, Sylvain Beucler wrote: Hi, IIUC this is about fixing 2 non-security bugs, that were introduced prior to buster's initial release. I personally don't think this fits the LTS project scope. Maybe other LTS members will have a different opinion. We've had bugfix updates fr

Re: Bug#961654: buster-pu: package bzip2/1.0.6-9.2~deb10u1

2022-09-14 Thread Emilio Pozuelo Monfort
Hi Chris, On 14/09/2022 05:48, Chris Frey wrote: On the other hand, the fix has been known since 2019 and looks like a prime problem for an LTS newbie volunteer like me. I have created the fix based on the Debian/bzip2 repo, the fix is in the debian/buster branch. git clone http://digo

Re: Updating OpenStack compute (aka src:nova) in Buster

2022-09-14 Thread Emilio Pozuelo Monfort
Hi Thomas, On 11/09/2022 12:50, Thomas Goirand wrote: Hi, In the OpenStack team git, there are updates for nova 2:18.1.0-6+deb10u1 (CVE-2019-14433/ OSSA-2019-003). Can someone pick it up and upload it to Buster? It was never accepted in Buster due to the difficulties communicating with the S

Re: [SECURITY] [DLA 3107-1] sqlite3 security update

2022-09-13 Thread Emilio Pozuelo Monfort
Hi, On 13/09/2022 16:25, Chris Lamb wrote: - Debian LTS Advisory DLA-3107-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Chris Lamb September 13, 2022

Re: [SECURITY] [DLA 3077-1] ruby-tzinfo security update

2022-08-19 Thread Emilio Pozuelo Monfort
Hi Chris, On 18/08/2022 19:46, Chris Lamb wrote: - Debian LTS Advisory DLA-3077-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Chris Lamb August 18, 2022

Re: updating debian-security-support(.limited) in buster and bullseye (Re: EOL candidates for security-support-ended.deb10 (recap))

2022-08-17 Thread Emilio Pozuelo Monfort
On 17/08/2022 11:19, Holger Levsen wrote: On Sat, Aug 13, 2022 at 09:30:03AM +, Holger Levsen wrote: - today prepare buster branch for release (33% done, see below) - today until aug 23: possible further updates to the master branch which then get copied to the buster branch - aug 23: upl

webkit2gtk update in buster

2022-08-17 Thread Emilio Pozuelo Monfort
Hi Berto, Thanks for the updated webkit2gtk package in buster! Since buster is now under LTS, it needs a separate announcement (DLA). Are you planning on releasing one yourself, or would you prefer if someone on the LTS team handled it? Cheers, Emilio

Re: postgresql-11 11.17-0+deb10u1

2022-08-11 Thread Emilio Pozuelo Monfort
Hi Christoph, On 11/08/2022 14:10, Christoph Berg wrote: Hi, I just uploaded postgresql-11, if anyone wants to do the LTS paperwork for that: postgresql-11 (11.17-0+deb10u1) buster-security; urgency=medium * New upstream version. + Do not let extension scripts replace objects not alr

Re: EOL candidates for security-support-ended.deb10 (recap)

2022-08-11 Thread Emilio Pozuelo Monfort
On 10/08/2022 17:10, Sylvain Beucler wrote: Hi, On 10/08/2022 11:47, Emilio Pozuelo Monfort wrote: On 09/08/2022 19:04, Sylvain Beucler wrote: Here's a little recap for security-support-ended.deb9 -> deb10 evaluation, following our discussion, also including dropped entries for comp

Re: EOL candidates for security-support-ended.deb10 (recap)

2022-08-10 Thread Emilio Pozuelo Monfort
Hi Sylvain, On 09/08/2022 19:04, Sylvain Beucler wrote: Hi, Here's a little recap for security-support-ended.deb9 -> deb10 evaluation, following our discussion, also including dropped entries for completeness/transparency: Supported again in buster: - ansible - chromium chromium was alre

Re: EOL candidates for security-support-ended.deb10

2022-08-05 Thread Emilio Pozuelo Monfort
On 05/08/2022 11:48, Raphael Hertzog wrote: Hello, On Wed, 03 Aug 2022, Sylvain Beucler wrote: OpenStack: we tend not to support openstack beyond upstream's support, but I'm having a hard time associating the components version with OpenStack's major version; possibly other openstack packages (

buster LTS open, don't conflict with OPU

2022-08-05 Thread Emilio Pozuelo Monfort
Hi, The changes to transition buster to LTS have been implemented, and buster is now open for LTS uploads. I tested it with the xorg-server update and found a couple of issues on the wanna-build side, but those are solved now, and things should be fine. IMPORTANT: before preparing/releasing

Re: [Git][security-tracker-team/security-tracker][master] 8 commits: Wrote a script to bulk add EOL entries for LTS buster.

2022-07-12 Thread Emilio Pozuelo Monfort
Hi, On 12/07/2022 13:51, Ola Lundqvist wrote: Hi Emilio Sorry for this. I used the lts-cve-triage.py script and noticed a ton of things to do. Heh. Salvatore predicted that that script would suggest triaging buster, and this would happen. I thought my emails would be enough, but as usual he

Re: [Git][security-tracker-team/security-tracker][master] 8 commits: Wrote a script to bulk add EOL entries for LTS buster.

2022-07-11 Thread Emilio Pozuelo Monfort
Hi Ola, On 11/07/2022 23:24, Ola Lundqvist (@opal) wrote: Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 55001d9c by Ola Lundqvist at 2022-07-11T23:23:41+02:00 Wrote a script to bulk add EOL entries for LTS buster. - - - - - b4c0adda by Ola Lun

Closing stretch-security

2022-07-01 Thread Emilio Pozuelo Monfort
Dear ftpmasters, Given stretch has now reached LTS EOL[1], can you close it for further uploads? Thanks, Emilio [1] https://lists.debian.org/debian-lts-announce/2020/07/msg3.html

EOL of stretch

2022-07-01 Thread Emilio Pozuelo Monfort
Hi, stretch will go EOL today. Thus please refrain from doing any further uploads to it. buster will remain in the hands of the security team until August (exact date TBD). This list will be notified when it has moved into the LTS team and triaging and uploading is open again. Cheers, Emili

Re: ntp warnings with tzdata leap-seconds file

2022-06-28 Thread Emilio Pozuelo Monfort
On 27/06/2022 16:33, Marc SCHAEFER wrote: On another subject, I still get the ntp warnings even after updating tzdata, and restarting ntpd manually, also with buster: Jun 27 16:31:40 virtual ntpd[17024]: leapsecond file ('/usr/share/zoneinfo/leap-seconds.list'): will expire in less than one day

Re: RFR: openscad update

2022-06-27 Thread Emilio Pozuelo Monfort
On 23/06/2022 17:01, Helmut Grohne wrote: Hi, I've been looking into updating openscad in buster to fix CVE-2022-0496 and CVE-2022-0497. They're already fixed in bullseye and later. They are input sanitization issues and CVE-2022-0496 needed a little porting of the patch. I verified that the pro

Re: buster & ntpd leapsecond file ('/usr/share/zoneinfo/leap-seconds.list'): will expire in less than 19 days

2022-06-09 Thread Emilio Pozuelo Monfort
I will take a look at this and coordinate with the maintainer. Cheers, Emilio On Thu, 9 Jun 2022 12:22, Marc SCHAEFER wrote: > On Thu, Jun 09, 2022 at 09:49:31AM +, Schmidt, Bernhard wrote: > > /usr/share/zoneinfo/leap-seconds.list is provided by the tzdata > > package. That one would ne

Re: [DLA-3007-1] imagemagick security update incomplete

2022-05-16 Thread Emilio Pozuelo Monfort
On 16/05/2022 11:04, Philipp Hahn wrote: Hello Andreas, The upload of https://packages.debian.org/source/stretch/imagemagick (8:6.9.7.4+dfsg-11+deb9u14) seems to be incomplete: It only includes the architecture-independent files and files for arm64,armel,armhf, but *not* i386,amd64; see http

Re: Lintian errors on ffmpeg

2022-05-04 Thread Emilio Pozuelo Monfort
On 04/05/2022 09:58, Neil Williams wrote: On Wed, 4 May 2022 09:43:06 +0200 Enrico Zini wrote: Hello, I'm working at a LTS release of ffmpeg, and the CI is failing with Lintian errors that weren't present in the previous version: Is the version of lintian in this Salsa CI environment correc

Re: libspring-java support

2022-04-01 Thread Emilio Pozuelo Monfort
Hi, On 03/12/2021 23:50, Markus Koschany wrote: Hi Sylvain, On Friday, 03.12.2021 at 14:28 +0100, Sylvain Beucler wrote: Hi, This year I worked on libspring-java twice for LTS&ELTS. In both case upstream provided limited information for the CVEs, and for 5 of them we're unable to determ

Re: [Git][security-tracker-team/security-tracker][master] Reserve DLA-2936-1 for libgit2

2022-03-21 Thread Emilio Pozuelo Monfort
On 11/03/2022 14:22, Utkarsh Gupta wrote: Hi Emilio, On Fri, Mar 11, 2022 at 4:56 AM Emilio Pozuelo Monfort wrote: Friendly ping about this update. I see the DLA was reserved but I haven't seen the package uploaded yet (and thus the announcement sent out). Is there any blocker with the u

(E)LTS report for February

2022-03-15 Thread Emilio Pozuelo Monfort
Hi, Last month, I worked on LTS on: - CVE triaging - sec-tracker improvements - connman - firefox-esr - openjdk-8 - pgbouncer - zsh - freecad - thunderbird - expat For ELTS I worked on: - CVE triaging - security-tracker - openjdk-8 - python3.4 - zsh - usbredir - expat Cheers, Emilio

Re: DLA needed for tryton-server and tryton-proteus

2022-03-10 Thread Emilio Pozuelo Monfort
On 10/03/2022 09:24, Mathias Behrle wrote: Hi team, there are two CVEs for tryton-server and tryton-proteus: https://security-tracker.debian.org/tracker/CVE-2022-26661 https://security-tracker.debian.org/tracker/CVE-2022-26662 I have prepared fixes at https://salsa.debian.org/tryton-team/try

Re: [Git][security-tracker-team/security-tracker][master] Reserve DLA-2936-1 for libgit2

2022-03-10 Thread Emilio Pozuelo Monfort
Hi Utkarsh, On 07/03/2022 14:44, Utkarsh Gupta (@utkarsh) wrote: Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 14218b36 by Utkarsh Gupta at 2022-03-07T19:14:25+05:30 Reserve DLA-2936-1 for libgit2 Friendly ping about this update. I see the DL

Re: DLA needed for tryton-server and tryton-proteus

2022-03-10 Thread Emilio Pozuelo Monfort
On 10/03/2022 09:24, Mathias Behrle wrote: Hi team, there are two CVEs for tryton-server and tryton-proteus: https://security-tracker.debian.org/tracker/CVE-2022-26661 https://security-tracker.debian.org/tracker/CVE-2022-26662 I have prepared fixes at https://salsa.debian.org/tryton-team/try

Re: DLA needed for NBD 1:3.15.2-3

2022-03-09 Thread Emilio Pozuelo Monfort
Hi Wouter, On 09/03/2022 11:09, Wouter Verhelst wrote: Hi, There are two CVEs in NBD currently. One of them does not apply to stretch (it is in functionality introduced in NBD 3.16), but part of the other does. Thanks for the notice. I was just triaging this vulnerability for stretch and not

Re: bug in glibc package

2022-03-04 Thread Emilio Pozuelo Monfort
Hi Alex, On 03/03/2022 22:08, Alex King wrote: In Debian 9 Stretch, I am seeing this bug (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987266). This means that when I try to use a kernel with a revision later than 254 I get an error, e.g. I'm trying to use a 4.14.264 kernel. It seems l

(E)LTS report for January

2022-02-14 Thread Emilio Pozuelo Monfort
Hi, During the month of January I worked on the following tasks for stretch LTS: - thunderbird 91 ESR update - thunderbird armhf failure - clamav security update - gdal security update - firefox-esr security update - thunderbird security update - pillow security update - openjdk-8 security updat

Re: [SECURITY] [DLA 2880-1] firefox-esr security update

2022-01-17 Thread Emilio Pozuelo Monfort
On 16/01/2022 23:49, Miroslav Skoric wrote: On 1/16/22 11:55 AM, Emilio Pozuelo Monfort wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian LTS Advisory DLA-2880-1    debian-lts@lists.debian.org

Re: [Pkg-clamav-devel] Clamav Package

2022-01-03 Thread Emilio Pozuelo Monfort
Hi, On 31/12/2021 09:32, Sebastian Andrzej Siewior wrote: On 31 December 2021 06:21:57 UTC, Klaipedaville Mail wrote: Hello, Is clamav abandoned by Debian forever? That's the only reason I can come up with as to why it takes more than 6 months to create / update the clamav package as per m

(E)LTS report for December

2022-01-03 Thread Emilio Pozuelo Monfort
Hi, During December I spent 41.5h on LTS working on: - security-tracker improvements (looking at issue in 8795311f) - firefox-esr toolchain updates (cargo, cbindgen, as well as supporting Roberto with LLVM and rust) - firefox-esr update - thunderbird update - CVE triaging I also spent 10h on

(E)LTS report for November

2021-12-02 Thread Emilio Pozuelo Monfort
During the month of November, I spent 17h on LTS working on - remove no-dsa tags script - udisks2 - security-tracker improvements - CVE triaging - mbedtls For ELTS, I spent 14h working on - remove no-dsa tags script - update-nvd sec-tracker checks - udisks2 - jqueryui - openjdk-7 - CVE triaging

(E)LTS Report

2021-11-03 Thread Emilio Pozuelo Monfort
Hi, Since my previous report I have spent 21.5h on LTS working on: - triaging - apache2 - firefox-esr - thunderbird - openjdk-8 - firefox-esr 91 preparations - tzdata, libdatetime-timezone-perl For ELTS I have spent 21h on: - triaging - apache2 - linux-4.9 - openjdk-7 - openjdk-8 - openjdk-7 r

Re: always check and update (d|e)la-needed.txt (Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do))

2021-08-09 Thread Emilio Pozuelo Monfort
Roberto C. Sánchez wrote: On this past Friday, Raphaël put me in touch with Thorsten Glaser, who had already prepared openjdk-8 package for jessie and stretch. I reviewed and sponsored the upload, and the packages were literally in the process of uploading when I saw this message. I will publis

(E)LTS report for June

2021-06-30 Thread Emilio Pozuelo Monfort
Hi, During the month of June I spent 29h on LTS working on: - triaging - redmine security update - webwml parser squeeze issue - libx11 security update - firefox-esr security update - isc-dhcp security update - caribou regression update - thunderbird security update - apache2 security update - n

Re: Accepted eterm 0.9.6-5+deb9u1 (source amd64) into oldstable

2021-06-10 Thread Emilio Pozuelo Monfort
Hi Utkarsh, On 09/06/2021 12:00, Debian FTP Masters wrote: eterm (0.9.6-5+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the LTS team. * Add patch to fix CVE-2021-33477 (Closes: #989041) This now has a higher version than in buster. Maybe you can look into prep

Re: libxstream-java blacklist EOL?

2021-06-07 Thread Emilio Pozuelo Monfort
On 02/06/2021 14:24, Markus Koschany wrote: Hi Emilio, On Wednesday, 02.06.2021, 12:26 +0200, Emilio Pozuelo Monfort wrote: I think it is time we declare the block list unsupported, asking users to switch to the allow list. Thoughts? I believe it is sensible to switch to the whitelist
