ge multiple times from different addresses after properly
subscribing, and still they did not make it to the list.
thanks for the reminder.
regards,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B
--
look. Did I manage to answer your questions? If so, I'd
go on, implement the patch and try to get some review from upstream.
BTW, I don't think previous messages reached the c-dev mailing list. I
tried to subscribe, let's see if this one does.
FTR: initial message here[0].
cheers,
H
as already been addressed in jessie via DLA-2061-1[0]
(firefox-esr) and DLA-2071-1 (thunderbird) on Jan, 09 2020.
thanks
cheers,
Hugo
[0] https://security-tracker.debian.org/tracker/CVE-2019-17026
--
ns in there.
I have asked upstream regarding the licensing issue. For the rest, I think
we should wait for followups, or possibly a better patch.
Any comments/advice?
cheers,
Hugo
--
delete it.
On ReaderMgr::~ReaderMgr(), delete `fAdoptedStack` and all possibly
remaining elements.
Feedback?
cheers,
Hugo
--
y and will investigate and follow-up then.
thanks! Indeed, another followup seems to be coming for CVE-2020-7106,
I added a short note to dla-needed.
cheers,
Hugo
--
fine to me! (That being said I would definitely not
upload these changes without at least smoke testing slirp. :))
cheers,
Hugo
--
ke a look at it in the evening.
thanks!
Hugo
--
-)
cheers,
Hugo
[0]
https://github.com/Cacti/cacti/commit/47a000b5aba4af16967e249b25f25397506e3464
--
2+yo
regression.
+ prepare, test and upload 8:6.8.9.9-5+deb8u19 (DLA-2049-1).
libexif:
+ investigate CVE-2019-9278 and prepare a patch derived from the Android
fix (work in progress).
regards,
Hugo
--
a7
https://github.com/ImageMagick/ImageMagick6/commit/4cc316818e5b841ff5a9394a0730d5be6e8686ce
backporting them is sufficient to fix the issue.
cheers,
Hugo
--
ne
used in stretch).
This will be fixed in the next security update.
cheers,
Hugo
[0]
https://github.com/ImageMagick/ImageMagick/commit/4b85d29608d5bc0ab641f49e80b6cf8965928fb4
[1]
https://github.com/ImageMagick/ImageMagick6/commit/663e70e90257797f4634ea8dd4a31e0947d1f266
--
4 and 0227.
I'll try to ship a patch for this along with the next jessie update.
regards,
Hugo
--
assigned hours to 12. This month's 22.75 remaining hours will be returned
to the pool.
regards,
Hugo
--
upstreamed before releasing a DLA.
python-reportlab:
+ Investigate CVE-2019-17626, still no upstream fix yet.
& various misc triage
regards,
Hugo
--
/issues/detail?id=15826
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17540
--
he issue and appears to
confirm previous analysis.
Any comments?
cheers,
Hugo
[0]
https://github.com/Cacti/cacti/commit/cf73ae1a9f65b5a27d7f9d10c8e14835c3a76326
[1] https://github.com/Cacti/cacti/blob/develop/lib/rrd.php#L1179
[2] https://github.com/Cacti/cacti/blob/develop/graph_image.php#L132
--
ed to state
clearly that we either (1) do it or (2) don't do it, and document it in the
wiki. If we decide to do it, it would be nice to publish missing advisories
from previous regression updates as well?
cheers,
Hugo
--
't hesitate to open a bug report, I will
take a look at it.
regards,
Hugo
--
th uploading. You can find (UNRELEASED) amd64 builds,
signed by myself on my Debian webpage:
https://people.debian.org/~hle/lts/clamav/
regards,
Hugo
[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824042
--
What is our
policy on this matter?
cheers,
Hugo
--
bsdl1.2, the update
was missing this patch[0].
I forgot to add an entry for libsdl2.
cheers,
Hugo
[0] https://hg.libsdl.org/SDL/rev/32075e9e2135
--
> Unless I am mistaken, there is another regression in libsdl1.2, the update
> was missing this patch[0].
>
> I forgot to add an entry for libsdl2.
the dla-needed entry was confusing, indeed. I have updated it to reflect
the current situation.
--
On Mon, Oct 07, 2019 at 11:22:45PM +0200, Hugo Lefeuvre wrote:
> > This looks like a regression, indeed. I will provide a regression update
> > as soon as possible.
>
> Looks like I'm actually not the one who issued this update. Abhijith: do
> you want to handle this,
> This looks like a regression, indeed. I will provide a regression update
> as soon as possible.
Looks like I'm actually not the one who issued this update. Abhijith: do
you want to handle this, or should I proceed with a fix tomorrow?
cheers,
Hugo
--
es CVE-2019-7635 and the
> commit here <https://hg.libsdl.org/SDL/rev/07c39cbbeacf> fixes CVEs
> CVE-2019-7638 and CVE-2019-7636.
This looks like a regression, indeed. I will provide a regression update
as soon as possible.
regards,
Hugo
--
bly the best option, and
instead of pointing to the tracker I would just explain the situation and
list the four reverse dependencies.
cheers,
Hugo
--
ink they would build if I uploaded them earlier.
Regarding the DLAs. I plan to release a DLA per upload (one DLA for clamav
and one for each reverse dependency). Announcing all five uploads under a
single DLA seems a bit messy to me.
Any comment?
regards,
Hugo
--
imple, and the versions are close. Probably six
hours altogether, but this is a rough estimation.
FTR, the transition in stretch was tracked as #924278[0].
cheers,
Hugo
[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924278
--
'd like to know what you think about this, and if you can think of any
alternative/less time consuming solution.
(cherry picking changes does not seem reasonable to me)
regards,
Hugo
--
spend these hours in october.
regards,
Hugo
--
latest 389-ds-base update. Did you notice anything wrong
during your tests?
Thanks!
regards,
Hugo
--
up for imagemagick.
This is borderline, so let's stop wasting time: we can keep a dla-needed
entry with appropriate comments for both front desk and regular lts
contributors.
cheers,
Hugo
--
propriate to tag them as ignored in data/CVE/list?
>
> Otherwise they pop up again and again in lts-cve-triage.py.
I have done some more triage. However please note that these issues pop up in
lts-cve-triage because they are still open in stretch. The security team is
currently w
cause it is big, not really understandable, and
undocumented. Upstream did not answer my questions yet.
I'd just remove imagemagick from dla-needed and wait some time, until upstream
clarifies this patch. If he doesn't, I'd just mark this no-dsa.
regards,
Hugo
--
requesting a CVE number for
a temporary entry from our tracker.
+ The last patches have been reviewed and merged this morning, meaning that I
will be able to release the jessie update in the next days.
Otherwise, the usual triage. I kept an eye on hdf5.
cheers,
Hugo
--
he issue, but the vulnerable code is present.
regards,
Hugo
--
nyways, 4.3.29 introduced quite a few regressions[0], we should probably wait
for 4.3.30.
regards,
Hugo
[0] https://lists.xymon.com/archive/2019-August/046643.html
--
nfident enough with the codebase to do that.
Thanks!
cheers,
Hugo
--
d be worth inspecting the diff, but there were quite a few releases
between 4.3.17 and 4.3.29... I'm considering cherry-picking relevant changes for
the most important issues.
Christoph and Axel, do you have comments/suggestions regarding this?
regards,
Hugo
--
help me to reproduce these vulnerabilities with the code
from jessie/buster?
thanks for your work!
regards,
Hugo
[0] https://security-tracker.debian.org/tracker/source-package/tika
--
gards,
Hugo
[0] https://tika.apache.org/security.html
--
always the latest version is present without waiting for the next point
> release.
Thanks for your answer. I suppose that buster and stretch will be upgraded to
the latest upstream release when the definitive patch is available for
this issue. I will then backport the same changes to je
bian.org/934359
--
743f6
Can anybody confirm? Are there other fixes I should consider applying?
thanks!
regards,
Hugo Lefeuvre (Debian LTS team)
--
/ImageMagick6/commit/cb5ec7d98195aa74d5ed299b38eff2a68122f3fa
--
than what he can
already do.
regards,
Hugo
--
month.
misc:
+ various triage in the tracker.
+ wavpack: take a look at current issues, answer Brian's e-mail.
+ hdf5: take stock of the situation, prepare plans for next update.
I should be able to use up the remaining hours in august.
cheers,
Hugo
--
LAs.
> 3. DLAs that are related to prior DLAs should use the same first part
> and an incremented second part.
Sounds reasonable. Thanks!
regards,
Hugo
--
> the correct information and a note about what changed.
Thanks, I wasn't aware of this. I can't find any information about it in
our documentation, did I miss something?
(just in case: this is not a regression, just a typo in the advisory)
regards,
Hugo
--
On Sat, Jul 27, 2019 at 03:30:14PM -0300, Hugo Lefeuvre wrote:
> Package: sdl-image1.2
> Version: 1.2.12-5+deb9u2
> CVE ID : CVE-2018-3977 CVE-2019-5051 CVE-2019-5052 CVE-2019-7635
> CVE-2019-12216 CVE-2019-12217 CVE-2019-12218 CV
p these
patches in a future update.
cheers,
Hugo
--
a member of the
CVE-2019-12221 family, and is therefore fixed by [0].
cheers,
Hugo
[0] https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34
--
aging upstream's
latest 2.0.5 release should be sufficient, but they can also be addressed
with more targeted fixes.
I can provide some help if needed.
Thanks for your work!
cheers,
Hugo
--
remaining hours will be returned to the pool.
==
Debian ELTS report
I was allocated 15 hours. I did not spend any of them (I already returned
them to the pool on June, 18th).
cheers,
Hugo
--
oper triage for currently open issues. Prepare and test a
security update addressing CVE-2019-10053 (not uploaded yet, but should
be done by tomorrow).
misc:
+ various triage, see tracker's logs.
cheers,
Hugo
--
> Given back.
Thanks Emilio!
No idea what happened (hardware issue?), anyways, build succeeded.
cheers,
Hugo
--
=wireshark&suite=jessie-security
--
se issues as well, although I didn't
have time to do it yet. I will update the tracker entries then.
cheers,
Hugo
--
n the bugzilla, right thing would be to replace the source package
> tracking entries to the correct source.
> So basically replace tracking of slibsdl2 and libsdl1.2 with
> libsdl2-image and sdl-image1.2 instead.
I see that you already did it, thanks! :)
cheers,
Hugo
--
] - libsdl2-image
and same for libsdl1.2?
thanks,
Hugo
[0] https://bugzilla.libsdl.org/show_bug.cgi?id=4628
[1]
https://salsa.debian.org/security-tracker-team/security-tracker/commit/39f9e891a4b37
--
t of adding fixes for other recent CVEs, but given the
pain it was to backport CVE-2019-11598 and CVE-2019-11597 (multiple issues
in the patches, required extensive testing), I thought it would maybe be
better to avoid very large uploads and keep them for future DLAs.
cheers,
Hugo
--
dresses these issues.
Upstream fixed these issues yesterday, I will update my work and send it to
you. Thanks!
Hugo
--
ream addresses these issues.
cheers,
Hugo
--
19-10650,
CVE-2019-11598 and CVE-2019-11597. I'm currently testing it. Still OK to
upload during the week-end?
cheers,
Hugo
--
fixes should be feasible, even if the code changed
quite a bit. I'm not sure upgrading to a whole upstream release is worth
it.
Any comments?
Thanks!
cheers,
Hugo
--
9-10650 and possibly
CVE-2019-11598. Do you think an upload ~ next week-end would be feasible
for you?
cheers,
Hugo
--
th
> > it.
> >
> > Any comments?
> >
> That all makes sense. I did not do any work on backporting fixes, apart
> from making an attempt to build the latest upstream from sid in jessie.
> Since the backport idea did not go anywhere, you should be able to pick
>
nks. We'll go for no-dsa in jessie as well.
I see you have marked CVE-2016-10745 no-dsa in stretch but not
CVE-2019-10906.
Fixing CVE-2019-10906 without CVE-2016-10745 does not make much sense to
me, so I assumed it was an oversight and marked CVE-2019-10906 no-dsa in
stretch as well.
cheers,
Hugo
--
maining wireshark
CVEs, should be uploaded by next month.
--
.
cheers,
Hugo
--
ck on this?
Anyways, it only makes sense to me to fix this in Jessie if I also prepare
a stretch update at the same time.
cheers,
Hugo
--
ect[0], not mentors from the package sponsoring process.
Yet another reason to not use "sponsoring" related arguments in the
tracker?
[0] https://wiki.debian.org/LTS/Funding
--
ot sure we want to introduce such
uncertain information in the tracker anyways.
--
part
> of the front-desk duties.
I also find them useful.
--
> This should help confirming vulnerability in other suites.
2.7.3-1 and all later releases affected. In addition, both 2.7.3-1 and
2.8-1 are affected by the previous str.format issue[0].
[0] https://palletsprojects.com/blog/jinja-281-released/
--
p(dic) }}')
>>> t.render(dic={"x": User('joe')})
"{'SECRET_KEY': '12345'}"
Expected behaviour would be jinja2.exceptions.SecurityError.
Adapted from[0].
regards,
Hugo
[0] https://palletsprojects.com/blog/jinja-281-released/
--
quite
quickly due to my liblivemedia, kde4libs and hdf5 work. I wanted to
continue my work on faad2 but did not manage to find time for that, so I
will try to finish this next month.
Best Regards,
Hugo
--
cheers,
Hugo
--
.
Did I miss something?
regards,
Hugo
--
Hi,
I'm Hugo Lefeuvre, from the Debian LTS team. I am currently working on
CVE-2019-7443 which appears to affect not only kauth but also kdelibs
since it ships a very similar kdecore/auth/backends/dbus/DBusHelperProxy.cpp
file[0].
As far as I am aware the fix for CVE-2019-7443 was not appli
to create merge requests, then it should be mentioned but I don't
> really
> think that this is an efficient way. I doubt this is the workflow of the
> security team.
I have asked for commit rights and got them right away :)
https://salsa.debian.org/webmaster-team/webwml/merge_requ
> Here is my LTS report for February.
>
> I was allocated 20 hours. I have spent all of them in the following
> tasks:
-> 19.5h, not 20.
--
iling list.
Best Regards,
Hugo
--
y was introduced in
0a96ca2437646bad197b0108c5f4a93e7ead05a9[1].
thanks!
cheers,
Hugo
[0]
https://git.qemu.org/?p=qemu.git;a=commit;h=a71c775b24ebc664129eb1d9b4c360590353efd5
[1]
https://git.qemu.org/?p=qemu.git;a=commit;h=0a96ca2437646bad197b0108c5f4a93e7ead05a9
--
yet?). I suggest to mention
CVE-2019-7663 here. :)
thanks!
Hugo
--
; + return 0;
I don't really like this patch... it has not been merged yet (the PR has
been closed, so I guess it will never get merged) and looks more like a
hack to me.
What if tilew * spp = INT_MAX ?
Then oskew + iskew will still overflow. So this does not fix the issue.
chee
Hi,
> Attached is my proposed patch for tiff in Jessie.
I will be able to test the upload with my usual set of test files tomorrow
if necessary.
> +From d0a842c5dbad2609aed43c701a12ed12461d3405 Mon Sep 17 00:00:00 2001
> +From: Hugo Lefeuvre
> +Date: Wed, 21 Nov 2018 18:50:34 +010
1/msg00071.html
--
und before upload :)
> I'll fix it and perform some tests. Thanks for the review and the time
> that you spent on this.
I am available for testing the updated package if needed.
cheers,
Hugo
--
xcessive value should not be
considered a bug but invalid user passed input, that is normal behaviour,
right? In this case I expect qemu to simply reject the input instead of
triggering an assert failure and terminating.
regards,
Hugo
--
ut they won't if user compiles
without asserts. Also, AFAIK any assert failure will stop the qemu host
process which is not what we want in this case.
regards,
Hugo
--
Hi Adrian,
> On 1/12/19 5:52 PM, Hugo Lefeuvre wrote:
> > the subsystem doesn't seem to be very actively maintained and that the user
> > base is quite small, it is maybe better to mark this no-dsa in stretch and
>
> Please don't forget thet Debian has derivat
getInfo();
> ++if (class_exists($class_name)) {
> ++return $class_name::getInfo();
> ++}
> ++return ''
I guess a ; is missing here :)
cheers,
Hugo
--
checking
using assert(). If these assert() calls are standard ansi ones, then their
failure would stop the whole qemu process which is not exactly what we
want right?
cheers,
Hugo
--
part
changelog entries. I will do a few more tests and upload.
Thanks !
cheers,
Hugo
--
uld be aware of about these
changes.
thanks !
cheers,
Hugo
--
t helps.
will have a look later today, thanks !
cheers,
Hugo
--
seem to be very actively maintained and that the user
base is quite small, it is maybe better to mark this no-dsa in stretch and
jessie.
Cheers,
Hugo
[0] https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg03570.html
--