On 2018-07-05, Ola Lundqvist wrote:
> If you read the mail chain you can see that I have already analyzed the
> two CVEs. So it is already done.
>
> Is it so that you think we should reanalyze entries from 2009 as well,
> or?
Yes. All of them, not only the 2011 ones. Same for jetty 9 and CVEs
prio
On 2018-07-04, Ola Lundqvist wrote:
> You are right, CVE-2011- first found to affect jetty (jetty 6)
> could very well not be fixed in jetty 8 since jetty 8 was first
> released in 2009.
Even if jetty 8 had been first released in 2018, you *still* could not
conclude anything simply because "2
On 2018-07-03, Ola Lundqvist wrote:
> jetty8 appears first 2012.
> jetty9 appears first 2015.
>
> This means that CVE entries before 2012 are not relevant for jetty8
> and before 2015 not relevant for jetty9.
That's just wrong; for instance, a CVE-2011- first found to affect
jetty7 could very
On Oct/26, Antoine Beaupré wrote:
> Right, how does that look then?
>
> https://gitlab.com/anarcat/git-annex/commit/b21ccd25ecd4cad0efcc8f4f0c94ad99ce32cd04
Nah, +deb8u1 ;)
> Then I can just upload this to security-master?
Yep.
Cheers,
--Seb
On Oct/26, Antoine Beaupré wrote:
> I have also backported joey's patch to jessie. It was simpler than
> wheezy because the code is much more similar. The resulting patch is
> available here:
>
> https://gitlab.com/anarcat/git-annex/commit/58daf6cbe4c1ea1cf71f3a538a0e27b5075c7265
>
> As expected,
After some discussion about what no-dsa really means, I've added 2 new
sub-states to the tracker, and they can be used as follows:
CVE-2018-10012345
- foo (bug #9876543)
[stretch] - shadow (Minor issue, later)
[jessie] - shadow (Minor issue, later)
[wheezy]
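The tracker's data/CVE/list layout that the example above is written in, parsed and then triaged per release, as an added Python example that is not part of the original message or of the security tracker's own code. The angle-bracket state tags it handles (<no-dsa>, <unfixed>, <not-affected>, and <postponed>/<ignored> as the names I take for the two announced no-dsa sub-states) are my assumptions, since the archived snippet shows no tags at all, and every CVE number, package, version and bug number in the sample is constructed. The triage rule is deliberately simplified: the real tracker compares the unstable fix version with the release's package version when no explicit release line exists.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the layout of the security tracker's data/CVE/list.
# The first entry mirrors the one quoted in the message; the <...> state tags
# and the <postponed>/<ignored> names are assumptions, the rest is made up.
SAMPLE = """\
CVE-2018-10012345 (Hypothetical issue in foo)
\t- foo 1.2-3 (bug #9876543)
\t[stretch] - foo <postponed> (Minor issue, later)
\t[jessie] - foo <ignored> (Minor issue, fix is intrusive)
\t[wheezy] - foo <no-dsa> (Minor issue)
CVE-2018-10012346 (Hypothetical issue in bar)
\t- bar <unfixed> (bug #9876544)
\t[jessie] - bar <not-affected> (Vulnerable code not present)
CVE-2018-10012347 (Hypothetical issue in baz)
\t- baz 2.0-1
\t[jessie] - baz 1.9-2+deb8u1
"""

HEADER_RE = re.compile(r"^(?P<cve>CVE-\d{4}-\d{4,})\s*(?:\((?P<desc>.*)\))?\s*$")
# "[release] - pkg <tag> (note)" or "- pkg version (note)"; release is optional
# (absent on the unstable line), and exactly one of tag/version may appear.
STATUS_RE = re.compile(
    r"^\s*(?:\[(?P<release>[\w-]+)\]\s*)?-\s*(?P<pkg>\S+)"
    r"(?:\s+(?:<(?P<tag>[\w-]+)>|(?P<version>[^\s<(]+)))?"
    r"(?:\s*\((?P<note>[^)]*)\))?\s*$"
)
BUG_RE = re.compile(r"bug #(\d+)")
NO_DSA_STATES = {"no-dsa", "postponed", "ignored"}   # assumed sub-state names


@dataclass
class Status:
    release: Optional[str]   # None for the unstable (sid) line
    package: str
    version: Optional[str]   # set when the line records a fixed version
    tag: Optional[str]       # e.g. no-dsa, postponed, ignored, unfixed, not-affected
    note: Optional[str]
    bug: Optional[int]


@dataclass
class Entry:
    cve: str
    description: Optional[str]
    statuses: List[Status] = field(default_factory=list)


def parse_cve_list(text: str) -> List[Entry]:
    """Parse the header line / indented status lines layout into entries."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if not raw[0].isspace():                 # unindented: a CVE header
            m = HEADER_RE.match(raw)
            if not m:
                raise ValueError(f"line {lineno}: unrecognised header {raw!r}")
            entries.append(Entry(m["cve"], m["desc"]))
            continue
        m = STATUS_RE.match(raw)                 # indented: a status line
        if not m or not entries:
            raise ValueError(f"line {lineno}: unrecognised status {raw!r}")
        bug = BUG_RE.search(m["note"] or "")
        entries[-1].statuses.append(Status(
            m["release"], m["pkg"], m["version"], m["tag"], m["note"],
            int(bug.group(1)) if bug else None,
        ))
    return entries


def triage(entries: List[Entry], release: str) -> Dict[str, str]:
    """Classify each CVE for one release. Simplified semantics: an explicit
    [release] line decides; a version means 'fixed'; a no-dsa sub-state is
    reported under no-dsa; without a release line the unstable line's state
    is inherited (the real tracker compares versions instead)."""
    result: Dict[str, str] = {}
    for e in entries:
        line = next((s for s in e.statuses if s.release == release), None)
        inherited = line is None
        if line is None:
            line = next((s for s in e.statuses if s.release is None), None)
        if line is None:
            state = "unknown"
        elif line.version:
            state = "fixed"
        elif line.tag in NO_DSA_STATES:
            state = f"no-dsa/{line.tag}"
        else:
            state = line.tag or "unfixed"
        result[e.cve] = ("inherited:" if inherited else "") + state
    return result


if __name__ == "__main__":
    for rel in ("wheezy", "jessie", "stretch"):
        print(rel, triage(parse_cve_list(SAMPLE), rel))
```

The sub-state tags stay distinct in the parsed data (so a triage script can list "postponed" issues for a later revisit and skip "ignored" ones) while triage() still reports them under no-dsa, which is the distinction the message is introducing.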
On Aug/09, Markus Koschany wrote:
> I intend to submit a patch for reportbug to implement the first part
> of this idea. It basically asks an additional question before the
> question about bccing multiple e-mail addresses but only if the
> reported regression is against a package with a version nu
On Aug/09, Roberto C. Sánchez wrote:
> Is it still OK to use verbatim text from a DSA in a DLA? It seems
> like that should be OK, and it is something I do sometimes, as the
> DSAs are frequently published first and I feel like sharing the same
> summary text regarding a particular vulnerability k
On Aug/07, Roberto C. Sánchez wrote:
> Would there be a willingness to allow remote participation via
> laptop+webcam?
I don't know *how* it could be done, but Salvatore certainly would most
definitely be interested as well.
Cheers,
--Seb
On Apr/29, Antoine Beaupré wrote:
> I sent this to the security team to see if we could coordinate a
> release of squirrelmail between wheezy and jessie. Unfortunately, we
> weren't able to complete the process before my vacations, so I throw
> this patch back in the pool.
>
> Hopefully someone he
On Mar/15, Craig Small wrote:
> I saw the rejection of the old package so uploaded it and the new second
> package got rejected so something is unhappy about all of this.
Yes, the policy queue also needs to be cleared. It's OK now, please
upload.
Cheers,
--Seb
On Mar/15, Craig Small wrote:
> Damn, you're right. I missed that. Upstream missed it too! I'll need
> to add those to the security package too.
I'll take care of removing the current package on security-master, so
you don't have to bump the version again. I'll let you know once it's OK
to re-upl
On Mar/14, Markus Koschany wrote:
> > So my whole rationale for adding this one in and going against what
> > WPScan said is purely 40176 is in the 4.1 branch of the upstreams
> > svn. Looking at the relevant file it does look like it does things
> > and not dead or unreachable code, so I think 4.
On 2017-03-02, Bálint Réczey wrote:
> I have prepared a patch to optionally prepare the template using:
> bin/gen-DSA package.changes
That looks OK, just merge it and we can adapt it later on if needed (for
instance it would need to handle multiple changes files, for when both
stable and oldstabl
On Feb/28, Peter Palfrader wrote:
> Maybe we should be able to pass the name of the .changes file to
> gen-DSA, and then the script can go and use all the information from
> there?
Implementation-wise, this sounds like a much more sensible approach, but
since the *.changes files may not live on th
On Feb/28, Salvatore Bonaccorso wrote:
> > Since I made mistakes in setting the package version in DLA texts
> > (and I'm not alone ;-)) I came up with the attached patch which
> > makes gen-DLA and guess the proper one.
> >
> > If both teams like it I'll push it to the repo.
>
> I can only speak
On Aug/02, Santiago R.R. wrote:
> .changes attached. security-master doesn't handle source-only uploads,
> does it?
No, in most cases it does not, so it's always better not to try it. Feel
free to upload to security-master, and I'll probably have time to
release the DSA tomorrow.
Cheers,
--Seb
On Aug/01, Santiago R.R. wrote:
> Please, find attached debdiffs to mitigate this in wheezy (that I plan
> to upload) and jessie. I have tested it with a python cgi taken from
> httpoxy's PoCs, and it seems to work well. However, I am not familiar
> with lighttpd, so any review is welcome.
Hi Sant
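The two halves of an httpoxy mitigation, as an added Python example that is not lighttpd's code, the attached debdiffs, or the httpoxy PoCs mentioned above: the gateway's RFC 3875 header-to-meta-variable mapping with the "Proxy" request header excluded (the server-side fix, so HTTP_PROXY never reaches the script), and a defensive check a CGI script can apply to its own environment before making outbound HTTP requests. The header names, values and hostnames in the sample request are constructed.

```python
import re
from typing import Dict, Iterable, Tuple

# Request headers a CGI gateway must not export as HTTP_*: "Proxy" would
# become HTTP_PROXY, which HTTP client libraries read as the outgoing
# proxy setting (httpoxy).
UNSAFE_REQUEST_HEADERS = {"proxy"}

# Headers RFC 3875 maps to their own meta-variables instead of HTTP_*.
SPECIAL_HEADERS = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}

# Constructed request: a plain request that also carries the httpoxy header.
SAMPLE_HEADERS = [
    ("Host", "www.example"),
    ("User-Agent", "curl/7.38.0"),
    ("Proxy", "http://attacker.example:8080"),
    ("X-Forwarded-For", "192.0.2.10"),
    ("X-Forwarded-For", "198.51.100.7"),
    ("Content-Type", "text/plain"),
]


def header_to_meta_variable(name: str) -> str:
    """RFC 3875 section 4.1.18: uppercase, non-alphanumerics to '_', HTTP_ prefix."""
    return "HTTP_" + re.sub(r"[^A-Z0-9]", "_", name.upper())


def cgi_meta_variables(headers: Iterable[Tuple[str, str]],
                       strip_unsafe: bool = True) -> Dict[str, str]:
    """Gateway side: build the HTTP_* environment for a CGI child.
    strip_unsafe=False reproduces the vulnerable behaviour for comparison."""
    env: Dict[str, str] = {}
    for name, value in headers:
        key = name.lower()
        if key in SPECIAL_HEADERS:
            env[SPECIAL_HEADERS[key]] = value
            continue
        if strip_unsafe and key in UNSAFE_REQUEST_HEADERS:
            continue
        var = header_to_meta_variable(name)
        # Repeated headers are joined with ", " as the RFC permits.
        env[var] = value if var not in env else env[var] + ", " + value
    return env


def cgi_environment_is_safe(env: Dict[str, str]) -> bool:
    """Script side: while serving a request (REQUEST_METHOD is set), an
    HTTP_PROXY value can only have come from the client."""
    return not ("REQUEST_METHOD" in env and "HTTP_PROXY" in env)


def sanitize_cgi_environment(env: Dict[str, str]) -> Dict[str, str]:
    """Script side: return a copy with the client-controlled proxy removed,
    for use as the environment of any outbound client or subprocess."""
    clean = dict(env)
    if "REQUEST_METHOD" in clean:
        clean.pop("HTTP_PROXY", None)
    return clean
```

Python's own urllib has ignored an uppercase HTTP_PROXY when REQUEST_METHOD is set since its httpoxy fix, but a CGI script that shells out to curl or wget, or uses a client library without that rule, still needs the environment scrubbed, so the gateway-side exclusion remains the fix that covers every script.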
On 2016-03-01, Mike Gabriel wrote:
> @Security Team: Shall we (LTS contributors) handle wheezy-security
> updates like described below until Debian wheezy LTS comes into play?
>
> o Pick a package that has open CVE issues in wheezy, e.g. from
> above list
> o Add the package to data/
On Feb/12, Brian May wrote:
> > - imagemagick in squeeze appears to only be vulnerable
> > TEMP-0811308-B63DA1[0].
>
> This is five separate issues. See #811308. So does it make sense to ask
> for a separate CVE for each issue?
"Having a CVE associated to each security issue is definitely a
On Feb/11, Brian May wrote:
> 0069-Fixed-memory-leak-when-reading-incorrect-PSD-files.patch
> 0070-Fix-PixelColor-off-by-one-on-i386.patch
> 0071-Prevent-null-pointer-access-in-magick-constitute.c.patch
> 0072-Fixed-out-of-bounds-error-in-SpliceImage.patch
> 0073-Fixed-memory-leaks.patch
>
> I hav
On Feb/06, Guido Günther wrote:
> > A few things on the debdiff you just posted:
> > - The attachment came though in ISO-8859-1 instead of UTF-8 and
> > lintian didn't like it. Hopefully the file is ok on your machine
> > though.
> > - I think the ssl-server-test needs an 'isolation-container'
On Jan/31, Guido Günther wrote:
> Uploaded now. Thanks!
Hi Guido,
have you looked into fixing the jessie version (1.3.9-2.1) as well? If
not, I'll need to look into it later this week, so that a DSA for
CVE-2015-5291 fixes both wheezy and jessie.
Cheers,
--Seb
On Jan/29, Sébastien Delafond wrote:
> thanks for the debdiff. It looks OK, so feel free to upload it. Once
> that's done, I'll release the DSA.
Hi Guido,
are you still willing to upload polarssl to security-master? :)
Cheers,
--Seb
On Jan/30, Guido Günther wrote:
> For some reason freetype in wheezy is a native package and I forgot
> about that when rebuilding, sorry. Rebuilt and uploaded.
This one's been accepted, thank you. I'll release the DSA either later
today, or tomorrow morning.
Cheers,
--Seb
On Jan/29, Guido Günther wrote:
> urgency set to high and uploaded. Thanks a lot!
The upload was rejected because it "Refers to non-existing file
'freetype_2.4.9.orig.tar.gz'". Salvatore investigated and found out that
there is instead a 'freetype_2.4.9-1.1+deb7u2.tar.gz' in the
archive... Not sur
Hi Guido,
thanks for the debdiff. It looks OK, so feel free to upload it. Once
that's done, I'll release the DSA.
Cheers,
--Seb
On Jan/23, Guido Günther wrote:
> Hi,
> I've forward ported Thorsten's fix for squeeze to wheezy and added some
> autopkgtest (debdiff attached). Please find the debdi
Hi Guido,
thanks for the debdiff. It looks good, except for the urgency which
you'll want to set to "high" before uploading. Once that's done, I'll
release the DSA.
Cheers,
--Seb
On Jan/24, Guido Günther wrote:
> Dear security team,
> while looking into CVEs that are fixed in Jessie and Squeeze