During the month of January 2025 and on behalf of Freexian, I worked on the
following:
python-reportlab
----------------
Uploaded 3.1.8-3+deb8u3 (jessie) and issued ELA-1289-1.
https://www.freexian.com/lts/extended/updates/ela-1289-1-python-reportlab/
* CVE-2019-19450: Code injection in parapar
During the month of December 2024 and on behalf of Freexian, I worked on the
following:
php7.4, php7.3, php7.0 and php5
-------------------------------
Uploaded php7.4=7.4.33-1+deb11u7 and issued DLA-3986-1.
https://lists.debian.org/msgid-search/?m=z1wxnl0vw0es6...@debian.org
* CVE-2024-8929:
During the month of November 2024 and on behalf of Freexian, I worked on the
following:
opensc
------
Kept backporting more fixes for known vulnerabilities, notably
CVE-2023-5992, CVE-2023-40660 and CVE-2023-40661, but didn't upload yet
as more security issues need to be fixed first. Work is ongoin
During the month of October 2024 and on behalf of Freexian, I worked on the
following:
php7.4
------
Uploaded 7.4.33-1+deb11u6 and issued DLA-3920-1.
https://lists.debian.org/msgid-search/?m=zw20swdcj3zl6...@debian.org
* CVE-2022-4900: Setting the environment variable
PHP_CLI_SERVER_WORKER
During the month of September 2024 and on behalf of Freexian, I worked on the
following:
dovecot
-------
Uploaded 1:2.3.13+dfsg1-2+deb11u2 and issued DLA-3860-1.
https://lists.debian.org/msgid-search/?m=ztxjlvofwoqm2...@debian.org
* CVE-2024-23184: Having a large number of address headers (Fro
During the month of August 2024 and on behalf of Freexian, I worked on the
following:
roundcube
---------
Uploaded 1.3.17+dfsg.1-1~deb10u7 to buster-security resp.
1.4.15+dfsg.1-1+deb11u4 to bullseye-security, and issued ELA-1170-1 for
* CVE-2024-42008: XSS in serving of attachments other than
During the month of July 2024 and on behalf of Freexian, I worked on the
following:
libvirt
-------
Submitted an os-pu for 7.0.0-3+deb11u3, fixing the following no-dsa
security issues:
* CVE-2021-3631: SELinux MCS may be accessed by another machine.
* CVE-2021-3667: Improper locking in the v
During the month of June 2024 and on behalf of Freexian, I worked on the
following:
python-idna
-----------
Uploaded 2.10-1+deb11u1 and 3.3-1+deb12u1 to (o)s-pu to fix CVE-2024-3651
(potential DoS issue).
roundcube
---------
Uploaded 1.3.17+dfsg.1-1~deb10u6 and issued DLA-3835-1.
https://lists.de
During the month of May 2024 and on behalf of Freexian, I worked on the
following:
php7.3
------
Uploaded 7.3.31-1~deb10u6 and issued DLA-3810-1.
https://lists.debian.org/msgid-search/?m=zjq5or0vqptng...@debian.org
* CVE-2024-2756: Due to an incomplete fix to CVE-2022-31629, network
and sa
During the month of April 2024 and on behalf of Freexian, I worked on the
following:
gnutls28
--------
Triaged CVE-2024-28834 and -28835.
util-linux
----------
Uploaded 2.33.1-0.1+deb10u1 and issued DLA-3782-1.
https://lists.debian.org/msgid-search/?m=zhj4lnfse0rh2...@debian.org
* CVE-2021-3
During the month of March 2024 and on behalf of Freexian, I worked on the
following:
phpseclib
---------
Uploaded 1.0.19-3~deb10u3 and issued DLA-3749-1.
https://lists.debian.org/msgid-search/?m=zeck08zg6y-jz...@debian.org
* CVE-2024-27354: An attacker can construct a malformed certificate
During the month of February 2024 and on behalf of Freexian, I worked on the
following:
gnutls28
--------
Uploaded 3.6.7-4+deb10u12 and issued DLA-3740-1
https://lists.debian.org/msgid-search/?m=zdxck-hkepfc8...@debian.org
* CVE-2024-0553: Timing side-channel attack in the RSA-PSK key
exchan
During the month of January 2024 and on behalf of Freexian, I worked on the
following:
php-phpseclib
-------------
Uploaded 2.0.30-2~deb10u2 and issued DLA-3718-1
https://lists.debian.org/msgid-search/?m=zbhgvxygvemfp...@debian.org
* CVE-2023-48795: Terrapin attack
phpseclib
---------
Uploade
During the month of December 2023 and on behalf of Freexian, I worked on the
following:
ncurses
-------
Uploaded 6.1+20181013-2+deb10u5 and issued DLA-3682-1
https://lists.debian.org/msgid-search/?m=zwznc9mam3buc...@debian.org
* CVE-2021-39537: The tic(1) utility was susceptible to a
heap
On Thu, 30 Nov 2023 at 19:47:42 -0500, Roberto C. Sánchez wrote:
> Yes, I would recommend two things.
Done, thanks Roberto!
--
Guilhem.
On Thu, 30 Nov 2023 at 23:59:28 +0100, Guilhem Moulin wrote:
> -
> Debian LTS Advisory DLA-3676-1        debian-lts@lists.debian.org
> https://www.debian.org/lts/security/ Guilh
During the month of November 2023 and on behalf of Freexian, I worked on the
following:
opensc
------
Uploaded 0.19.0-1+deb10u3 and issued DLA-3668-1
https://lists.debian.org/msgid-search/?m=zwpsqzcsk_2as...@debian.org
* CVE-2023-40660: Potential PIN bypass. The bypass was removed and
exp
Hi,
On Sat, 18 Nov 2023 at 03:39:33 -0500, Chris Frey wrote:
> I noticed that MediaWiki has suffered from the following CVE's for
> a while:
>
> CVE-2023-45363
> CVE-2023-45362
> CVE-2023-45360
>
> Is the work-in-progress available via git somewhere?
Fixed CVE-2023-3550 and -453
During the month of October 2023 and on behalf of Freexian, I worked on the
following:
python-urllib3
--------------
Uploaded 1.24.1-1+deb10u1 and issued DLA-3610-1
https://lists.debian.org/msgid-search/?m=zsknlpfmnhu4q...@debian.org
* CVE-2018-25091: The fix for CVE-2018-20060 did not cover
During the month of September 2023 and on behalf of Freexian, I worked on the
following:
php7.3
------
Uploaded 7.3.31-1~deb10u5 and issued DLA-3555-1
https://lists.debian.org/msgid-search/?m=zpexm9jokfktz...@debian.org
* CVE-2023-3823: Security issue with external entity loading in XML
wi
During the month of August 2023 and on behalf of Freexian, I worked on the
following:
* DLA-3515-1 for cjose=0.6.1+dfsg1-1+deb10u1
[CVE-2023-37464]
https://lists.debian.org/msgid-search/?m=zmzs4jlh%2bwykb...@debian.org
* DLA-3551-1 for otrs2=6.0.16-2+deb10u1
[CVE-2019-11358, CVE-2
During the month of July 2023 and on behalf of Freexian, I worked on the
following:
* DLA-3488-1 for node-tough-cookie=2.3.4+dfsg-1+deb10u1
[CVE-2023-26136]
https://lists.debian.org/msgid-search/?m=zkxrmnkoiqoif...@debian.org
* DLA-3493-1 for symfony=3.4.22+dfsg-2+deb10u2
[CVE-202
During the month of June 2023 and on behalf of Freexian, I worked on the
following:
* DLA-3442-1 for nbconvert=5.4-2+deb10u1
[CVE-2021-32862: GHSL-2021-1013 to -1028]
https://lists.debian.org/msgid-search/?m=zhteirpktw6wr...@debian.org
* DLA-3458-1 for php7.3=7.3.31-1~deb10u4
[CVE
During the month of May 2023 and on behalf of Freexian, I worked on the
following:
* DLA-3424-1 for python-ipaddress=1.0.17-1+deb10u1
CVE-2020-14422
https://lists.debian.org/msgid-search/?m=zglark8btpj4t...@debian.org
* DLA-3425-1 for sqlparse=0.2.4-1+deb10u1
CVE-2023-30608
ht
During the month of April 2023 and on behalf of Freexian, I worked on the
following:
* DLA-3410-1 for openvswitch=2.10.7+ds1-0+deb10u4
CVE-2023-1668
https://lists.debian.org/msgid-search/?m=ze8ep8fiq5ztl...@debian.org
* Triage WordPress' outstanding CVEs and conclude no DLA is warrant
During the month of March 2023 and on behalf of Freexian, I worked on the
following:
* DLA-3347-2 for spip=3.2.4-1+deb10u11
[Regression update for DLA-3347-1]
https://lists.debian.org/msgid-search/?m=zaj85ko1lavxw...@debian.org
* DLA-3363-1 for pcre2=10.32-5+deb10u1
CVE-2019-20454
During the month of February 2023 and on behalf of Freexian, I worked on the
following:
* DLA-3336-1 for node-url-parse=1.2.0-2+deb10u2
CVE-2021-3664, CVE-2021-27515, CVE-2022-0512, CVE-2022-0639,
CVE-2022-0686 and CVE-2022-0691
https://lists.debian.org/msgid-search/?m=Y/a5cbemzr3li.
During the month of January 2023 and on behalf of Freexian, I worked on the
following:
* DLA-3270-1: net-snmp 5.7.3+dfsg-5+deb10u4
CVE-2022-44793 and CVE-2022-44792
https://lists.debian.org/msgid-search/Y8Nreff/4mms8...@debian.org
* DLA-3271-1: node-minimatch 3.0.4-3+deb10u1
CVE-2
Hi,
During the month of December 2022 and on behalf of Freexian, I worked on
the following:
* DLA-3221-1, node-cached-path-relative (prototype pollution)
https://lists.debian.org/msgid-search/y40yr8jdg8vmg...@debian.org
* DLA-3222-1, node-fetch (information leak)
https://lists.debian.org
Hi Sylvain!
On Wed, 12 Jan 2022 at 15:48:51 +0100, Sylvain Beucler wrote:
> On 12/01/2022 14:15, Guilhem Moulin wrote:
>> In a recent post roundcube webmail upstream has announced the following
>> security fix for #1003027.
>>
>> CVE-2021-46144: Cross-site script
x for CVE-2021-46144: Fix cross-site scripting (XSS) via HTML
+messages with malicious CSS content. (Closes: #1003027)
+
+ -- Guilhem Moulin Wed, 12 Jan 2022 12:56:32 +0100
+
roundcube (1.2.3+dfsg.1-4+deb9u9) stretch-security; urgency=high
* Non-maintainer upload by the LTS team.
diff
On Mon, 28 Dec 2020 at 12:10:46 +0530, Utkarsh Gupta wrote:
> On Mon, Dec 28, 2020 at 8:28 AM Guilhem Moulin wrote:
>> Debdiff tested and attached. I can upload if you'd like but would
>> appreciate if you could take care of the DLA :-)
>
> Yes, please. I can take ca
cious content svg/namespace. (Closes: #978491)
+
+ -- Guilhem Moulin Mon, 28 Dec 2020 03:25:57 +0100
+
roundcube (1.2.3+dfsg.1-4+deb9u7) stretch-security; urgency=high
* Backport security fix for CVE-2020-16145: Cross-site scripting (XSS)
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-
Hi Roberto,
On Tue, 11 Aug 2020 at 14:57:15 -0400, Roberto C. Sánchez wrote:
>>> Dear security team,
Should have been LTS team of course, bad templating from my side :-P
>> I'll take care of it shortly.
>>
> I have uploaded the updated, published the DLA to the mailing list and
> submitted a Sa
16145: Cross-site scripting (XSS)
+vulnerability via HTML messages with malicious svg or math
+content. (Closes: #968216)
+
+ -- Guilhem Moulin Tue, 11 Aug 2020 18:38:40 +0200
+
roundcube (1.2.3+dfsg.1-4+deb9u6) stretch; urgency=high
* Backport security fix for CVE-2020-15562: Cross
On Wed, 01 May 2019 at 18:44:39 +0200, Markus Koschany wrote:
> Thank you very much. I didn't want to bother you and went ahead and
> uploaded your patch only an hour ago. I will issue the DLA now.
Aha, should have refreshed the page before sending this :-P Thanks!
--
Guilhem.
helling out to `iconv`. (Closes: #928256.)
+
+ -- Guilhem Moulin Wed, 01 May 2019 17:39:56 +0200
+
signing-party (1.1.10-3) unstable; urgency=medium
[ Guilhem Moulin ]
diff -Nru signing-party-1.1.10/debian/control
signing-party-1.1.10/debian/control
--- signing-party-1.1.10/debian/control 2014-11
Hi anarcat,
On Wed, 06 Feb 2019 at 14:13:23 -0500, Antoine Beaupré wrote:
> On 2019-02-06 01:59:58, Guilhem Moulin wrote:
>> * Upstream hasn't yet filed a CVE for this issue; I forwarded jmm's
>> instructions regarding this.
>
> Sorry, forwarded where? Did I mi
og 2010-04-26 04:29:39.0 +0200
+++ netmask-2.3.12+deb8u1/debian/changelog 2019-02-06 01:08:09.0
+0100
@@ -1,3 +1,10 @@
+netmask (2.3.12+deb8u1) jessie-security; urgency=medium
+
+ * Fix buffer overflow vulnerability
+https://github.com/tlby/netmask/issues/3
+
+ -- Guil
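Review bot: the `+ * Fix buffer overflow vulnerability` entry identifies the issue only by the upstream issue URL (`https://github.com/tlby/netmask/issues/3`); since the thread above notes that upstream has not yet filed a CVE, consider stating in the entry which input or routine overflows so that the fix can be matched to the identifier in the security tracker once one is assigned.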
Hi Holger,
On Fri, 24 Aug 2018 at 09:06:43 +, Holger Levsen wrote:
> On Fri, Aug 24, 2018 at 08:22:50AM +, Holger Levsen wrote:
>>> dropbear 2014.65-1+deb8u2 from jessie-security is vulnerable to
>>> CVE-2018-15599:
>>> dget -x
>>> https://people.debian.org/~guilhem/tmp/dropbear_2014.65
Adapted from https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00 .
+
+ -- Guilhem Moulin Fri, 24 Aug 2018 02:52:26 +0200
+
dropbear (2014.65-1+deb8u2) stable-security; urgency=high
* Backport security fixes from 2017.75 (closes: #862970):
only in patch2:
unchanged:
--- dropbear-2014.65.o
Hi Ola,
Sorry for the delay, not sure if you got an answer yet; either way I'm
not answering on behalf of the team here.
On Sat, 11 Nov 2017 at 20:14:38 +0100, Ola Lundqvist wrote:
> Would you like to take care of this yourself?
>
> The proposed patch for later release will not apply cleanly to
Hi,
On Sun, 21 May 2017 at 20:52:30 +0200, Ola Lundqvist wrote:
> I saw the upload now. Do you plan to send a DLA for it as well?
In a reply to the other thread Thorsten Alteholz wrote he uploaded
2012.55-1.3+deb7u2 and will later also send the DLA.
Cheers,
--
Guilhem.
Hi Ola,
On Sun, 21 May 2017 at 14:11:54 +0200, Ola Lundqvist wrote:
> Would you like to take care of this yourself?
> […]
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointin
On Sat, 20 May 2017 at 21:37:02 +0200, Guilhem Moulin wrote:
> Not sure how to tell the security tracker, though.
Oops, just saw the docs :-P
--
Guilhem.
o contain valid
+authorized_keys with command= options it might be possible to read other
+contents of that file.
+This information disclosure is to an already authenticated user.
+
+ -- Guilhem Moulin Sat, 20 May 2017 20:49:16 +0200
+
dropbear (2012.55-1.3+deb7u1) wheezy-securit
Dear LTS team,
On Thu, 15 Sep 2016 at 17:56:49 +0200, Markus Koschany wrote:
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
S
On Tue, 03 May 2016 at 10:47:31 -0400, Antoine Beaupré wrote:
> I agree, however I suspect most people using roundcube in production are
> probably using the backport... There's even a dangling backport in
> wheezy right now (0.9)... a little messy.
Sorry, I meant oldstable-backports not oldstable
Hi there,
On Mon, 02 May 2016 at 21:19:13 +0200, Markus Koschany wrote:
> Would you like to take care of this yourself?
Not replying in the name of team (however I'm the one who pushed for
Roundcube in jessie-backports and who is trying to take care of it
there), unfortunately I don't have the