Re: Bug#1109262: CVE-2025-7345: gdk-pixbuf: heap buffer overflow in JPEGs with chunked ICC data

2025-07-27 Thread Salvatore Bonaccorso
Hi Simon, On Sat, Jul 26, 2025 at 03:16:59PM +0100, Simon McVittie wrote: > On Mon, 14 Jul 2025 at 12:15:36 +0100, Simon McVittie wrote: > > I happened to notice that a buffer overflow was reported and fixed > > upstream, involving parsing a JPEG file with multiple chunks of embedded > > ICC colou

Re: triage of CVE-2025-40775/bind9

2025-06-20 Thread Salvatore Bonaccorso
Hi, Let's loop in Ondrej here. On Fri, Jun 20, 2025 at 05:56:48PM -0400, Roberto C. Sánchez wrote: > Hello Security Team, > > Today I investigated CVE-2025-40775/bind9, which was initially marked as > for bookworm and bullseye. However, I believe that this > is incorrect. > > Based on the desc

Re: Addressing Mojolicious CVE-2024-58134 and CVE-2024-58135 in sid

2025-05-22 Thread Salvatore Bonaccorso
Hi, On Thu, May 22, 2025 at 10:49:56AM +0100, Sean Whitton wrote: > Hello recent Mojolicious uploaders, > > I'm looking at Mojolicious's two recent CVEs for Freexian's LTS effort. > There are some open questions and I think that they are relevant to your > work in sid. > > It seems that Mojolici

Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

2025-05-18 Thread Salvatore Bonaccorso
Hi Santiago, On Fri, May 16, 2025 at 03:20:36PM -0300, Santiago Ruano Rincón wrote: > Dear security team, > > El 10/05/25 a las 16:14, Samuel Henrique escribió: > > Hello Salvatore, sorry about the late reply, I was in MiniDebConf Maceió. > > > > On Thu, 1 M

Re: Xen 4.17 LTS

2025-05-10 Thread Salvatore Bonaccorso
Hi Marek, On Tue, May 06, 2025 at 02:01:48PM +0200, Marek Marczykowski-Górecki wrote: > On Wed, Apr 30, 2025 at 06:10:04PM +0200, Salvatore Bonaccorso wrote: > > Hi Santiago, > > > > On Tue, Apr 29, 2025 at 11:56:51PM -0300, Santiago Ruano Rincón wrote: > > > Hell

Injecting arm-trusted-firmware on security-master for bullseye-security build of u-boot

2025-05-02 Thread Salvatore Bonaccorso
Hi FTP masters, There was a recent u-boot DLA from the LTS team, for which the arm64 build was uploaded but rejected, because the Built-Using is referring to arm-trusted-firmware (= 2.4+dfsg-2) which is not present. Could you inject the needed packages to security-master and then reprocess the u

Re: Xen 4.17 LTS

2025-04-30 Thread Salvatore Bonaccorso
Hi Santiago, On Tue, Apr 29, 2025 at 11:56:51PM -0300, Santiago Ruano Rincón wrote: > Hello all, > > (And sorry, I realise now that I should had put the security team and > Xen maintainers more in the loop at some point.) > > This is something that we had tried to do for Xen 4.14 > (https://bugs

Re: Accepted zabbix 1:5.0.46+dfsg-1+deb11u1 (source) into oldstable-security

2025-04-19 Thread Salvatore Bonaccorso
Hi Tobi, On Sat, Apr 19, 2025 at 11:10:23AM +, Debian FTP Masters wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Format: 1.8 > Date: Sat, 19 Apr 2025 12:40:39 +0200 > Source: zabbix > Architecture: source > Version: 1:5.0.46+dfsg-1+deb11u1 > Distribution: bullseye-security > U

Re: bson CVEs in (E)LTS

2025-03-31 Thread Salvatore Bonaccorso
Hi, On Mon, Mar 31, 2025 at 07:39:55PM +0200, Sylvain Beucler wrote: > Hi, > > On 31/03/2025 16:56, Adrian Bunk wrote: > > On Mon, Mar 31, 2025 at 04:42:59PM +0200, Sylvain Beucler wrote: > > > ... > > > Do we want to update data/embedded-code-copies to reference > > > libbson-xs-perl? > > > >

Re: docker.io update with no CVE

2025-02-27 Thread Salvatore Bonaccorso
Hi, On Thu, Feb 27, 2025 at 03:33:00PM +0100, Daniel Leidert wrote: > Am Donnerstag, dem 27.02.2025 um 11:49 +0100 schrieb Marc SCHAEFER: > > > > There is a docker.io upgrade for bullseye: > > > >    https://security-tracker.debian.org/tracker/TEMP-000-7C9547 > > > > However, it was not yet

Re: Please giveback emacs 1:27.1+1-3.1+deb11u6 on arm64

2025-02-26 Thread Salvatore Bonaccorso
Hi Sean, On Thu, Feb 27, 2025 at 01:16:09PM +0800, Sean Whitton wrote: > Hello, > > I believe that emacs 1:27.1+1-3.1+deb11u6 has failed to build on arm64 > due to a flaky test failure. Given my experience with the package, > I believe that a giveback should be tried first before we start patchi

Re: Bug#1087419: CVE-2024-52533: glib2.0: Buffer overflow in gsocks4aproxy set_connect_msg()

2024-11-13 Thread Salvatore Bonaccorso
Hi Simon, Thanks a lot for your proactive taking action! On Wed, Nov 13, 2024 at 10:15:48AM +, Simon McVittie wrote: > Package: libglib2.0-0 > Version: 2.74.6-2+deb12u4 > Severity: important > Tags: bookworm security upstream > X-Debbugs-Cc: t...@security.debian.org, debian-lts@lists.debian.o

Re: [SECURITY] [DLA 3941-1] texlive-bin security update

2024-11-04 Thread Salvatore Bonaccorso
Hi Bastien, On Wed, Oct 30, 2024 at 08:56:49AM +, ro...@debian.org wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > - - > Debian LTS Advisory DLA-3941-1 debian-lts@lists.debian.org > https://ww

Re: Usage of gen-DSA/DLA/ELA

2024-10-21 Thread Salvatore Bonaccorso
Hi, On Sun, Oct 20, 2024 at 10:00:56PM +0200, Ola Lundqvist wrote: > Hi Salvatore > > Thank you. I guess we should then have a warning printed since an empty > version is something unusual. While it is unusual, the changes to the script should not break current usages. Remember that for the regu

Re: Usage of gen-DSA/DLA/ELA

2024-10-20 Thread Salvatore Bonaccorso
Hi, On Sat, Oct 19, 2024 at 11:06:02PM +0200, Ola Lundqvist wrote: > Hi all > > Summary: > Should gen-DSA/DLA/ELA allow the version to be empty/undefined? > > Details: > I'm working on improving the gen-DSA/DLA/ELA tool. It is the same tool, it > just has slightly different functionality dependi

Re: end-of-life iotjs for the upcoming bullseye LTS

2024-08-08 Thread Salvatore Bonaccorso
Hi Santiago, On Thu, Aug 08, 2024 at 03:07:51PM -0300, Santiago Ruano Rincón wrote: > Hi all, > > As suggested by Moritz, giving the status of iotjs, I think it is not > possible to support it during the bullseye LTS period. iotjs was removed > from unstable (and bookworm when it was testing) nea

git updates in stable (was: Re: Debian LTS & ELTS -- June 2024)

2024-07-27 Thread Salvatore Bonaccorso
Hi, On Tue, Jul 23, 2024 at 09:54:14AM +0900, Hideki Yamane wrote: > Hello, > > > LTS > > > > - git > > > > - Released DLA-3844-1 fixing CVE-2023-25652, CVE-2023-25815, > > CVE-2023-29007, CVE-2024-32002, CVE-2024-32004, CVE-2024-32021 and > > CVE-2024-32465, and including a follow-up

Re: freeimage and CVE-2019-12214

2024-04-28 Thread Salvatore Bonaccorso
Hi, On Fri, Apr 26, 2024 at 08:32:21PM +0200, Cyrille Bollu wrote: > > > Le vendredi 26 avril 2024 à 12:50 -0300, Santiago Ruano Rincón a > écrit : > > Hi Cyrille! > > > > El 25/04/24 a las 15:00, Cyrille Bollu escribió: > > > Hi Santiago, > > > > > > Here's some follow up :-) > > > > > > Bes

Re: [SECURITY] [DLA 3735-1] runc security update

2024-02-19 Thread Salvatore Bonaccorso
Hi Daniel, On Mon, Feb 19, 2024 at 11:00:14AM +0100, Daniel Leidert wrote: > Am Montag, dem 19.02.2024 um 07:11 +0100 schrieb Salvatore Bonaccorso: > > [..] > > > > Debian LTS Advisory DLA-3735-1 > > [..] > > > The DLA reservation for this u

Re: [SECURITY] [DLA 3735-1] runc security update

2024-02-18 Thread Salvatore Bonaccorso
Hi, On Mon, Feb 19, 2024 at 03:28:00AM +0100, Daniel Leidert wrote: > - > Debian LTS Advisory DLA-3735-1 debian-lts@lists.debian.org > https://www.debian.org/lts/security/ Daniel Leidert >

Re: new redirects for www.d.o/security and www.d.o/lts/security

2024-01-05 Thread Salvatore Bonaccorso
Hi Thomas, On Fri, Jan 05, 2024 at 12:06:58AM +0100, Thomas Lange wrote: > Hi all, > > we now redirect all DSA/DLA URLs under security and lts/security with > or without having the year in the path and with or without a version > to their announcement mail: > Examples: > /security/dsa-5576 > /sec

Re: FTBFS for thunderbird/1:115.6.0-1~deb10u1 from DLA 3698-1 on amd64 and armhf

2024-01-04 Thread Salvatore Bonaccorso
Hi Carsten, On Thu, Jan 04, 2024 at 07:30:27AM +0100, Carsten Schoenert wrote: > Hello Salvatore, hello Emilio, > > Am 03.01.24 um 19:11 schrieb Salvatore Bonaccorso: > > Hi Emilio, hi Carsten, > > > > I noticed that the builds for amd64 and armhf for > > thu

FTBFS for thunderbird/1:115.6.0-1~deb10u1 from DLA 3698-1 on amd64 and armhf

2024-01-03 Thread Salvatore Bonaccorso
Hi Emilio, hi Carsten, I noticed that the builds for amd64 and armhf for thunderbird/1:115.6.0-1~deb10u1 from DLA 3698-1 did fail to build: https://buildd.debian.org/status/fetch.php?pkg=thunderbird&arch=amd64&ver=1%3A115.6.0-1%7Edeb10u1&stamp=1704285041&raw=0 https://buildd.debian.org/status/fet

Re: Debian 10 upgrade of amd64 firefox-esr fails

2023-12-27 Thread Salvatore Bonaccorso
Hi, On Wed, Dec 27, 2023 at 09:53:47PM +0100, Salvatore Bonaccorso wrote: > Hi Jim, > > On Wed, Dec 27, 2023 at 03:33:43PM -0500, Jim Rosenberg wrote: > > Attempting to upgrade firefox-esr, it does not work. > > > > Upgrading from: 115.5.0esr > > > > ap

Re: Debian 10 upgrade of amd64 firefox-esr fails

2023-12-27 Thread Salvatore Bonaccorso
Hi Jim, On Wed, Dec 27, 2023 at 03:33:43PM -0500, Jim Rosenberg wrote: > Attempting to upgrade firefox-esr, it does not work. > > Upgrading from: 115.5.0esr > > apt-list --upgradable reports 66 packages upgradable, e.g. > > firefox-esr-l10n-en-gb/oldoldstable,oldoldstable 115.6.0esr-1~deb10u1 a

Re: upcoming changes of the web pages /security and /lts/security

2023-12-26 Thread Salvatore Bonaccorso
Hi Thomas, On Mon, Dec 25, 2023 at 09:14:51PM +0100, Thomas Lange wrote: > Hi all, > > as announced on Dec 7th, I have now removed the old index.wml files > and renamed new.wml to index.wml in the webwml repository under > security/ and lts/security/. > >

Re: Make stable-security build logs public after embargo

2023-12-13 Thread Salvatore Bonaccorso
Hi Sylvain, On Wed, Dec 13, 2023 at 07:50:38AM +0100, Sylvain Beucler wrote: > Hi all, > > Actually we have a summary of the situation here: > https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/51 > > We have mostly 2 options: > > 1/ General fix, involving a dak hook and some corner cas

DLA for CVE-2022-46175/node-json5 missing?

2023-11-25 Thread Salvatore Bonaccorso
Hi Bastien, I noticed on the 19th there was an upload for node-json5 fixing CVE-2022-46175 according to https://lists.debian.org/debian-lts-changes/2023/11/msg00017.html but I do not see a DLA. Did that fall through the cracks? Regards, Salvatore

Re: Question about the status of libclamunrar9/libclamunrar and CVE-2023-40477 in debian buster aka oldoldstable

2023-11-13 Thread Salvatore Bonaccorso
Hi Klaus, On Mon, Nov 13, 2023 at 10:35:04AM +0100, Klaus Zerwes wrote: > Hello. > I know, buster is oldold ... But are there any plans to get a patched > release of libclamunrar9? > https://blog.clamav.net/2023/08/clamav-120-feature-version-and-111-102.html > Currently buster has only 0.102.3-0+d

Re: nsis CVE-2023-37378

2023-07-09 Thread Salvatore Bonaccorso
hi Sean, hi Sylvain, On Sat, Jul 08, 2023 at 05:35:36PM +0200, Sylvain Beucler wrote: > Hi, > > On 08/07/2023 10:04, Sean Whitton wrote: > > On Sat 08 Jul 2023 at 09:14am +02, Salvatore Bonaccorso wrote: > > > > > Just noticed the suffix for the version

Re: nsis CVE-2023-37378

2023-07-08 Thread Salvatore Bonaccorso
Hi Sean, On Fri, Jul 07, 2023 at 01:07:57PM +0100, Sean Whitton wrote: > Hello, > > On Fri 07 Jul 2023 at 12:23pm +02, Sylvain Beucler wrote: > > > Hello Sean, > > > > I had a quick test with my: > > http://git.savannah.gnu.org/cgit/freedink.git/tree/nsis > > which is kinda old but does call Wri

Re: Bug#1037178: puppet does not sync files anymore after recent ruby2.5 security upload

2023-06-07 Thread Salvatore Bonaccorso
Hi LTS team, On Wed, Jun 07, 2023 at 08:44:53AM +0200, Bernhard Schmidt wrote: > Package: libruby2.5 > Version: 2.5.5-3+deb10u5 > Severity: grave > > Hi, > > I can't quite figure out why, but the latest security upload of ruby2.5 in > Buster breaks the ability of the puppet agent to pull files f

Re: Make stable-security build logs public after embargo

2023-06-03 Thread Salvatore Bonaccorso
Hi, On Sat, Jun 03, 2023 at 10:55:08AM +0200, Philipp Kern wrote: > Hi, > > On 01.06.23 16:51, Sylvain Beucler wrote: > > I'm part of the Debian LTS Team, and along with the Security Team, we're > > looking into making embargo'd build logs eventually public. > > See https://salsa.debian.org/lts-t

Re: Error in firmware-realtek

2023-06-02 Thread Salvatore Bonaccorso
Hi Federico, On Fri, Jun 02, 2023 at 04:44:58PM -0300, Referente TIC ESRN 37 wrote: > Hi my name is Federico, I'm having some trouble with this package > "*firmware-realtek" > binary firmware for Realtek wired/wifi/BT adapters*. I update my netbook > with Huayra 5 (austral), Debian 10.13 (version

Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata

2023-05-24 Thread Salvatore Bonaccorso
Control: forwarded -1 https://github.com/Netatalk/netatalk/pull/174 Hi Daniel, On Wed, May 24, 2023 at 10:50:41PM -0700, Daniel Markstedt wrote: > Package: netatalk > Version: 3.1.12~ds-3+deb10u1 > X-Debbugs-Cc: t...@security.debian.org > > The code that addressed CVE-2022-23123 introduced apple

Re: Bug#1036265: Wifi deauthentications and complete connection loss with new packages: firmware-iwlwifi, firmware-realtek, firmware-misc-nonfree in version 20190114+really20220913-0+deb10u1

2023-05-21 Thread Salvatore Bonaccorso
Control: severity -1 important On Thu, May 18, 2023 at 10:17:39AM +0200, 255.255.255.255 wrote: > Package: firmware-iwlwifi, firmware-realtek, firmware-misc-nonfree > Version: 20190114+really20220913-0+deb10u1 > Severity: Critical > > Kernel: 4.19.0-24-amd64 #1 SMP Debian 4.19.282-1 (2023-04-29)

Re: Triage status for a few old packages

2023-04-22 Thread Salvatore Bonaccorso
Hi Sylvain, On Sat, Apr 15, 2023 at 01:29:08PM +0200, Sylvain Beucler wrote: > Hello Security Team, > > On Thu, Apr 13, 2023 at 05:33:15PM +0200, Moritz Muehlenhoff wrote: > > On Wed, Apr 12, 2023 at 10:58:15PM +0200, Salvatore Bonaccorso wrote: > > > > - For py

Re: Triage status for a few old packages

2023-04-12 Thread Salvatore Bonaccorso
Hi Sylvain, On Thu, Apr 06, 2023 at 05:54:08PM +0200, Sylvain Beucler wrote: > Hello Security Team, > > On 01/04/2023 21:31, Salvatore Bonaccorso wrote: > > First a disclaimer, this probably needs further discussion, reflects > > my current personal knowledge and view

Re: Triage status for a few old packages

2023-04-01 Thread Salvatore Bonaccorso
Hi Sylvain, First a disclaimer, this probably needs further discussion, reflects my current personal knowledge and view on the question, and further feedback is appreciated by at least one other person in the Debian security team doing frequent CVE triage, I have in mind Moritz. As a general rul

Re: Accepted python-cryptography 2.6.1-3+deb10u4 (source amd64 all) into oldstable

2023-02-26 Thread Salvatore Bonaccorso
On Mon, Feb 27, 2023 at 07:43:42AM +, Chris Lamb wrote: > Hi Salvatore, > > >> python-cryptography (2.6.1-3+deb10u4) buster-security; urgency=high > >> . > >>* Adjust which call to CFFI's from_buffer is marked > >> require_writable=True > >> to address an issue in 2.6.1-3+deb10u4's

Re: Accepted python-cryptography 2.6.1-3+deb10u4 (source amd64 all) into oldstable

2023-02-26 Thread Salvatore Bonaccorso
Hi Chris, On Wed, Feb 22, 2023 at 05:30:23PM +, Debian FTP Masters wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Format: 1.8 > Date: Wed, 22 Feb 2023 09:17:00 -0800 > Source: python-cryptography > Binary: python-cryptography python-cryptography-dbgsym > python-cryptography-d

Re: New buster-lts upload of shim

2023-01-31 Thread Salvatore Bonaccorso
Utkarsh, On Tue, Jan 31, 2023 at 08:00:30PM +, Steve McIntyre wrote: > On Wed, Feb 01, 2023 at 01:18:46AM +0530, Utkarsh Gupta wrote: > >Hi Steve, > > > >On Tue, Jan 31, 2023 at 11:43 PM Salvatore Bonaccorso > >wrote: > >> > I've just uploade

Re: New buster-lts upload of shim

2023-01-31 Thread Salvatore Bonaccorso
Hi Steve, On Tue, Jan 31, 2023 at 03:56:55PM +, Steve McIntyre wrote: > Hey folks, > > I've just uploaded a new shim update for buster, based on the latest > update in unstable today. Please accept it quickly so we can get the > binaries out and signed ASAP? The upload is already accepted, b

Re: pngcheck - use new upstream version?

2022-12-10 Thread Salvatore Bonaccorso
Hi Tobias, On Fri, Dec 09, 2022 at 10:40:53AM +0100, Tobias Frost wrote: > Hi, > > I was analyzing pngcheck this morning and I'm unsure how to proceed so > any advice would be appreciated :) > > pngcheck has one CVE open [1], however it seems that there are multiple > vulnerabilities, as upstrea

Re: Bug#1021648: buster-pu: package node-xmldom/0.1.27+ds-1+deb10u1

2022-10-12 Thread Salvatore Bonaccorso
Hi, On Wed, Oct 12, 2022 at 10:12:09AM +0200, Yadd wrote: > Package: release.debian.org > Severity: normal > Tags: buster > User: release.debian@packages.debian.org > Usertags: pu > > [ Reason ] > node-xmldom is vulnerable to prototype pollution > > [ Impact ] > Medium security issue > > [

Re: [SECURITY] [DLA 3077-1] ruby-tzinfo security update

2022-08-22 Thread Salvatore Bonaccorso
Hi Chris, On Fri, Aug 19, 2022 at 10:00:28AM -0700, Chris Lamb wrote: > Hi Emilio, > > > Could you please use the same template as everyone else? Not just for > > consistency, but also to avoid breaking scripts that work on the > > announcements. > > Very happy to! But it very much looks like

gst-plugins-good1.0/1.14.4-1+deb10u2 for DLA

2022-08-09 Thread Salvatore Bonaccorso
Hi LTS team members! The maintainer for gst-plugins-good1.0 uploaded for buster-security an update to address current CVEs. I have thus added the package to the dla-needed list for making sure a DLA release happens. Can one of you please pick it up for a DLA release once the packages are built?

Re: Marked three XEN CVEs as EOL

2022-07-14 Thread Salvatore Bonaccorso
Hi Ola, On Thu, Jul 14, 2022 at 10:12:07PM +0200, Ola Lundqvist wrote: > Hi > > During the work for LTS front-desk I noticed that there are three CVEs > for XEN and xen is unsupported according to the latest > debian-security-support information. It was added as that in 2021 from > what I can see

Re: What are we supporting with LTS now? Please advice

2022-07-12 Thread Salvatore Bonaccorso
Hi On Tue, Jul 12, 2022 at 07:42:16PM +0200, Markus Koschany wrote: > Am Dienstag, dem 12.07.2022 um 19:24 +0200 schrieb Salvatore Bonaccorso: > > Hey, > > > > On Tue, Jul 12, 2022 at 06:12:04PM +0200, Markus Koschany wrote: > > > > > > > > I assum

Re: What are we supporting with LTS now? Please advice

2022-07-12 Thread Salvatore Bonaccorso
Hey, On Tue, Jul 12, 2022 at 06:12:04PM +0200, Markus Koschany wrote: > Hi Ola, > > adding the security team to CC to get some feedback from them > > Am Dienstag, dem 12.07.2022 um 13:58 +0200 schrieb Ola Lundqvist: > > [...] > > We (as LTS team) are obviously not responsible for buster yet. >

Re: Pending pdns updates

2022-06-07 Thread Salvatore Bonaccorso
Hi Enrico, On Mon, Jun 06, 2022 at 11:53:59AM +0200, Enrico Zini wrote: > Hello, > > last month as part of Freexian onboarding I tried to work on pdns: > https://security-tracker.debian.org/tracker/source-package/pdns > > I backported patches for CVE-2020-17482 and CVE-2019-10203 > to https://sa

Re: Support for ckeditor3 in Debian

2022-05-29 Thread Salvatore Bonaccorso
Hi, On Wed, May 25, 2022 at 03:33:11PM +0200, Sylvain Beucler wrote: > Hi, > > On 21/05/2022 12:06, Sylvain Beucler wrote: > > On 21/05/2022 10:45, Mike Gabriel wrote: > > > as I have a company interest in Horde and thus in ckeditor3, I'd be > > > happy to co-fund work hours on ckeditor3. Esp. be

Re: CVE-2020-8859 for elog, should we support it?

2022-05-17 Thread Salvatore Bonaccorso
Hi Utkarsh On Wed, May 18, 2022 at 06:05:10AM +0530, Utkarsh Gupta wrote: > Hi Security team, > > On Wed, May 18, 2022 at 2:05 AM Ola Lundqvist wrote: > > If you think we should support the package I'll add it to > > dla-needed. From the description it looks like one can trigger > > a denial of

Re: Support for ckeditor3 in Debian

2022-05-08 Thread Salvatore Bonaccorso
Hi Sylvain, On Fri, May 06, 2022 at 09:23:27PM +0200, Sylvain Beucler wrote: > Hello Security Team, > > I'm currently checking 'ckeditor' (an HTML editor for web applications, > currently v4) for vulnerabilities to fix. > (I may send a separate e-mail about this later) > > I noted that 'ck

Re: CVE-2021-38595 incorrectly marked as not affecting Qt 5?

2021-12-06 Thread Salvatore Bonaccorso
Hi Neil, On Wed, Dec 01, 2021 at 03:33:10PM +, Neil Williams wrote: > On Wed, 1 Dec 2021 13:38:48 + > Neil Williams wrote: > > > On Sun, 28 Nov 2021 21:02:16 +0100 > > Salvatore Bonaccorso wrote: > > > > > Hi Adrian, Neil, > > > > >

Re: CVE-2021-38595 incorrectly marked as not affecting Qt 5?

2021-11-28 Thread Salvatore Bonaccorso
Hi Adrian, Neil, One additional point: On Sun, Nov 28, 2021 at 08:56:57PM +0100, Salvatore Bonaccorso wrote: > Hi, > > On Sun, Nov 28, 2021 at 05:32:07PM +0200, Adrian Bunk wrote: > > On Tue, Aug 31, 2021 at 09:15:15AM +, Raphaël Hertzog (@hertzog) wrote: > &g

Re: CVE-2021-38595 incorrectly marked as not affecting Qt 5?

2021-11-28 Thread Salvatore Bonaccorso
Hi, On Sun, Nov 28, 2021 at 05:32:07PM +0200, Adrian Bunk wrote: > On Tue, Aug 31, 2021 at 09:15:15AM +, Raphaël Hertzog (@hertzog) wrote: > >... > > Commits: > > 63957298 by Neil Williams at 2021-08-31T10:11:30+01:00 > > CVE-2021-38593/qt vulnerable code introduced later > >... > > Changes: >

Re: [EXTERNAL] TRA-2021-14/CVE-2021-20095 status

2021-10-19 Thread Salvatore Bonaccorso
Hi, On Mon, Oct 18, 2021 at 09:58:31AM -0700, Rajiv Motwani wrote: > Hi Sylvain, > > Those CVEs were registered in error and were requested to be listed as > REJECTED. There are no plans to re-register these issues under new > identifiers. Out of interest, can you elaborate on this a bit more? W

Re: Tracking related source packages (new tool)

2021-08-31 Thread Salvatore Bonaccorso
Hi, On Tue, Aug 31, 2021 at 05:32:44PM +0200, Sylvain Beucler wrote: > I submitted a MR for the tool at: > https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/88 > > Follow/comment there if you're interested. Thanks for that. I will try to schedule some time for it

Re: Upgrade problems from LTS -> LTS+1

2021-05-20 Thread Salvatore Bonaccorso
Hi, On Thu, May 20, 2021 at 08:39:43AM +0200, Ola Lundqvist wrote: > Hi Salvatore > > It is parameterized to check any release update. So it can be used to check > any previous version to any later version. > > It has the parameters --old, --old-sec, --new and --new-sec to point to any > relevan

Re: Upgrade problems from LTS -> LTS+1

2021-05-19 Thread Salvatore Bonaccorso
Hi, On Thu, May 20, 2021 at 08:14:12AM +0200, Ola Lundqvist wrote: > Hi > > I was thinking more on placing it in the security tracker bin folder for > easy access. Or do you think we should consider it as a separate tool with > its own repo? Given (if) it is specific to things fixed in previous

Re: Tracking unbound1.9

2021-04-29 Thread Salvatore Bonaccorso
On Thu, Apr 29, 2021 at 06:29:33PM +0200, Sylvain Beucler wrote: > Hi, > > I saw a batch of new CVEs were tracked for 'unbound', but not for the > stretch-specific 'unbound1.9' package[1]. > > I can go ahead and add '- unbound1.9' entries in data/CVE/list but I'm not > sure whether that's what we

Re: FTBFS on i386

2021-04-17 Thread Salvatore Bonaccorso
Hi, On Sat, Apr 17, 2021 at 05:11:27PM +0200, Salvatore Bonaccorso wrote: > Hi, > > On Sat, Apr 17, 2021 at 08:30:51PM +0530, Utkarsh Gupta wrote: > > Hi Security team, > > > > On Sat, Apr 17, 2021 at 6:29 PM Anton Gladky wrote: > > > I prepared and upload

Re: FTBFS on i386

2021-04-17 Thread Salvatore Bonaccorso
Hi, On Sat, Apr 17, 2021 at 08:30:51PM +0530, Utkarsh Gupta wrote: > Hi Security team, > > On Sat, Apr 17, 2021 at 6:29 PM Anton Gladky wrote: > > I prepared and uploaded python2.7_2.7.13-2+deb9u5, fixing > > two CVEs. > > > > Unfortunately it fails on i386 due to timeout during the network > >

Re: DLA 2550-1: CVE-2020-27844: Patch present in source but not applied?

2021-03-16 Thread Salvatore Bonaccorso
Hi Emilio, On Tue, Mar 16, 2021 at 01:26:18PM +0100, Emilio Pozuelo Monfort wrote: > Hi, > > On 15/03/2021 12:36, Salvatore Bonaccorso wrote: > > Hi Brian, LTS team, > > > > This was reported by the Ubuntu security team: The DLA 2550-1 update > > was aiming to f

DLA 2550-1: CVE-2020-27844: Patch present in source but not applied?

2021-03-15 Thread Salvatore Bonaccorso
Hi Brian, LTS team, This was reported by the Ubuntu security team: The DLA 2550-1 update was aiming to fix CVE-2020-27844 as well, but it looks like whilst a patch is included in debian/patches the series file does not apply it. To be on the safe side I have removed the listing for CVE-2020-27844 in
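The failure reported in this message, a patch shipped under debian/patches that never made it into debian/patches/series, is cheap to catch before upload. The script below is an added example for this thread, not code from the thread or from any Debian tooling; it assumes a quilt-style layout (series lines are "name [options]", "#" starts a comment) and builds a constructed sample source tree for the demonstration.

```shell
#!/bin/sh
# Added example: list patches present under debian/patches/ that no entry in
# debian/patches/series refers to, i.e. patches that ship in the source
# package but are never applied at build time.
# Assumption: quilt-style series file; a line's first field is the patch name,
# anything after "#" is a comment, blank lines are ignored.

# unapplied_patches SRCDIR
#   Prints, one per line (sorted), every regular file below SRCDIR/debian/patches
#   except "series" itself whose relative path is not named in series.
#   Returns 2 when there is no series file at all.
unapplied_patches() {
    pdir="$1/debian/patches"
    series="$pdir/series"
    [ -f "$series" ] || { echo "no series file in $pdir" >&2; return 2; }

    # Names the build will apply: strip comments, drop blank lines, keep field 1.
    applied=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$series" | awk '{print $1}')

    # Walk the patch directory (subdirectories included) and report anything
    # that does not appear verbatim in the applied list.
    find "$pdir" -type f ! -name series | sed "s|^$pdir/||" | sort |
    while IFS= read -r name; do
        printf '%s\n' "$applied" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# demo_tree
#   Constructed sample tree (not a real package): two patches on disk, but the
#   series file lists only one of them. Prints the temporary directory path.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/debian/patches"
    : > "$d/debian/patches/fix-build.patch"
    : > "$d/debian/patches/CVE-2020-27844.patch"
    printf '# security fixes\nfix-build.patch -p1\n' > "$d/debian/patches/series"
    printf '%s\n' "$d"
}

# Stand-alone run: expect CVE-2020-27844.patch to be reported as unapplied.
tree=$(demo_tree)
unapplied_patches "$tree"
rm -rf "$tree"
```

Run it from the unpacked source directory as `unapplied_patches .`; a non-empty result means the build is silently skipping a patch, which is exactly the state DLA 2550-1 ended up in for CVE-2020-27844.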

Re: grub2 CVEs

2021-03-06 Thread Salvatore Bonaccorso
Hi, On Thu, Mar 04, 2021 at 02:21:04PM +0100, Sylvain Beucler wrote: > Are CVE-2021-20225 and CVE-2021-20233 specific to SecureBoot? They are only non-negligible in a SecureBoot context, or put otherwise, without SecureBoot grub is not crossing any reasonable trust boundary here. The short

Re: Tracking related source packages

2021-02-25 Thread Salvatore Bonaccorso
Hi Moritz, Thanks for CC'ing. On Thu, Feb 25, 2021 at 08:01:42PM +0100, Moritz Mühlenhoff wrote: > Am Thu, Feb 25, 2021 at 05:30:05PM +0100 schrieb Sylvain Beucler: > > - This problem is similar/related to tracking embedded code copies. > > See https://salsa.debian.org/lts-team/lts-extra-tasks/

Re: CVE-2020-36193 php-pear vs drupal7

2021-02-25 Thread Salvatore Bonaccorso
Hi, On Thu, Feb 25, 2021 at 09:09:08AM +, Chris Lamb wrote: > Morning Ola, > > > Today I looked at CVE-2020-36193 since we have php-pear in dla-needed. > > Ths thing is that this CVE tells that drupal7 is also vulnerable but > > drupal7 is not in dla-needed.txt. > > It may be that drupal7 wa

Re: QEMU upload lost?

2021-02-17 Thread Salvatore Bonaccorso
Hi Sylvain, On Wed, Feb 17, 2021 at 01:37:43PM +0100, Sylvain Beucler wrote: > Hi, > > Yesterday (2021-02-16 16:57Z) I uploaded qemu_2.8+dfsg-6+deb9u13 to > security-master. > > I received neither acceptance nor rejection mail, which surprises me. > > I recently got my GPG key changed (on 01-24

Re: Supporting unbound in stretch by upgrading to 1.9

2021-02-11 Thread Salvatore Bonaccorso
Hi Robert, [just small comment below] On Thu, Feb 11, 2021 at 09:20:01PM -0500, Robert Edmonds wrote: > Markus Koschany wrote: > > Hi Robert, > > > > Am Samstag, den 06.02.2021, 19:46 -0500 schrieb Robert Edmonds: > > [...] > > > Hi, Markus: > > > > > > I'm OK with both of these plans. > > > >

Re: golang-github-dgrijalva-jwt-go / CVE-2020-26160

2020-12-01 Thread Salvatore Bonaccorso
Hi Brian, On Wed, Dec 02, 2020 at 09:01:21AM +1100, Brian May wrote: > Salvatore Bonaccorso writes: > > > Hi Brian, > > > > On Tue, Dec 01, 2020 at 09:01:37AM +1100, Brian May wrote: > >> I note this package - golang-github-dgrijalva-jwt-go - has been marked >

Re: golang-github-dgrijalva-jwt-go / CVE-2020-26160

2020-11-30 Thread Salvatore Bonaccorso
Hi Brian, On Tue, Dec 01, 2020 at 09:01:37AM +1100, Brian May wrote: > I note this package - golang-github-dgrijalva-jwt-go - has been marked > as vulnerable to CVE-2020-26160 in both Debian stretch and buster. > > https://security-tracker.debian.org/tracker/CVE-2020-26160 > > But I can't find a

Re: Making stretch-security build logs public

2020-08-27 Thread Salvatore Bonaccorso
Hi Emilio, On Tue, Aug 25, 2020 at 10:35:08PM +0200, Aurelien Jarno wrote: > Hi, > > On 2020-08-02 23:54, Emilio Pozuelo Monfort wrote: > > Hi, > > > > I was wondering if we could make old stretch-security build logs public. I > > suppose there's nothing private there anymore (no more embargoed

Re: Bug#966544: snmpd: extend option broken after update

2020-08-04 Thread Salvatore Bonaccorso
Hi Felix and all, On Sat, Aug 01, 2020 at 08:37:17AM +0200, Salvatore Bonaccorso wrote: > Hi Felix and all, > > On Fri, Jul 31, 2020 at 03:36:54PM +0200, Felix Sperling wrote: > > Hi, > > > > we were also affected by the update 5.7.3+dfsg-1.7+deb9u2 causing lots

Re: Making stretch-security build logs public

2020-08-02 Thread Salvatore Bonaccorso
Hi Emilio, On Sun, Aug 02, 2020 at 11:54:27PM +0200, Emilio Pozuelo Monfort wrote: > I was wondering if we could make old stretch-security build logs public. I > suppose there's nothing private there anymore (no more embargoed updates in > stretch) and it can help in debugging issues with updates

Re: Bug#966544: snmpd: extend option broken after update

2020-07-31 Thread Salvatore Bonaccorso
Hi Felix and all, On Fri, Jul 31, 2020 at 03:36:54PM +0200, Felix Sperling wrote: > Hi, > > we were also affected by the update 5.7.3+dfsg-1.7+deb9u2 causing lots of > broken icinga checks. > > Our workaround is pinning 5.7.3+dfsg-1.7+deb9u1. > > What's unclear from the solution if 5.8 also w

Re: stretch EOL point release (9.13) and 10.5 planning

2020-07-05 Thread Salvatore Bonaccorso
Hi Emilio, On Thu, Jun 25, 2020 at 11:39:16PM +0200, Salvatore Bonaccorso wrote: > hi Emilio, > > On Thu, Jun 25, 2020 at 06:57:08PM +0200, Emilio Pozuelo Monfort wrote: > > On 22/06/2020 08:37, Salvatore Bonaccorso wrote: > > > Hi security team, LTS team members, >

Re: rails update

2020-06-30 Thread Salvatore Bonaccorso
Hi Sylvain, rails maintainers, On Mon, Jun 29, 2020 at 01:06:49PM +0200, Sylvain Beucler wrote: > Hi, > > On 25/06/2020 18:20, Sylvain Beucler wrote: > > On 22/06/2020 13:23, Sylvain Beucler wrote: > >> On 22/06/2020 11:56, Utkarsh Gupta wrote: > >>> On Mon, Jun 22, 2020 at 3:11 PM Sylvain Beucle

Re: stretch EOL point release (9.13) and 10.5 planning

2020-06-25 Thread Salvatore Bonaccorso
hi Emilio, On Thu, Jun 25, 2020 at 06:57:08PM +0200, Emilio Pozuelo Monfort wrote: > On 22/06/2020 08:37, Salvatore Bonaccorso wrote: > > Hi security team, LTS team members, > > > > On Mon, Jun 15, 2020 at 05:44:54PM +0100, Adam D. Barratt wrote: > >> stretch t

Re: [RFC] Proposal: Migrate LTS/TODO wiki page to GitLab issues

2020-06-21 Thread Salvatore Bonaccorso
Hi Roberto, On Mon, May 25, 2020 at 03:18:17PM -0400, Roberto C. Sánchez wrote: > Hello fellow LTS folks, > > I have been discussing with Raphael some things which we can do to > improve the state of the LTS/TODO page in the Debian wiki. This arose > from part of the discussion during the April L

Re: stretch EOL point release (9.13) and 10.5 planning

2020-06-21 Thread Salvatore Bonaccorso
Hi security team, LTS team members, On Mon, Jun 15, 2020 at 05:44:54PM +0100, Adam D. Barratt wrote: > stretch transitions from oldstable-with-security-support to LTS support > on Saturday July 4th. As usual, we should aim for the final point > release to be soon after that, most likely pulling in

Re: rails update

2020-06-19 Thread Salvatore Bonaccorso
Hi Sylvain, On Wed, Jun 17, 2020 at 11:09:41PM +0200, Sylvain Beucler wrote: > Hi Security Team, > > I see that 'rails' is present in dsa-needed.txt. Right, current open rails issues would warrant a DSA. > I'm currently testing an update for jessie and I can prepare an update > for stretch (whi

Re: Refreshing mysql-connector-java

2020-06-07 Thread Salvatore Bonaccorso
Hi Sylvain, On Fri, Jun 05, 2020 at 09:23:12AM +0200, Sylvain Beucler wrote: [...] > Hi Salvatore, > > On 04/06/2020 20:41, Salvatore Bonaccorso wrote: > > On Mon, May 25, 2020 at 07:47:56PM +0200, Moritz Mühlenhoff wrote: > >> On Mon, May 25, 2020 at 10:22:50AM +020

Re: Refreshing mysql-connector-java

2020-06-04 Thread Salvatore Bonaccorso
hi, On Mon, May 25, 2020 at 07:47:56PM +0200, Moritz Mühlenhoff wrote: > On Mon, May 25, 2020 at 10:22:50AM +0200, Sylvain Beucler wrote: > > Hi Security Team, > > > > What is your view on updating mysql-connector-java 5.1.42->5.1.49 for > > Stretch? > > We can update to 5.1.49, yes. We've had t

Re: security upload imposing load on other parts of Debian

2020-05-24 Thread Salvatore Bonaccorso
wrote: > > > On 02/03/2020 06:53, Salvatore Bonaccorso wrote: > > > > On Mon, Mar 02, 2020 at 01:57:05AM -, Chris Lamb wrote: > > > >>> Internally they are all no-dsa states for the tracker. But think of it > > > >>> of three "flavo

Re: Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when mod_rewrite rule is triggered

2020-04-29 Thread Salvatore Bonaccorso
Hi, [For context, this report first reached the security team, we redirected to the LTS team as specific for the jessie version of apache2] On Wed, Apr 29, 2020 at 07:00:38AM +, Andrey Zelenchuk wrote: > Package: apache2 > Version: 2.4.10-10+deb8u16 > Severity: grave > Tags: security > > Dea

Re: amd64-microcode, test

2020-03-11 Thread Salvatore Bonaccorso
Hi, A smaller comment on the update: On Wed, Mar 11, 2020 at 08:19:11PM +0100, Anton Gladky wrote: > After discussion with the maintainer I decided to backport the latest > upstream version, available in Debian (3.20191218.1). Prepared package > is available here [1]. Debdiff is attached. [...] >

Re: security upload imposing load on other parts of Debian

2020-03-01 Thread Salvatore Bonaccorso
Hi Chris, On Mon, Mar 02, 2020 at 01:57:05AM -, Chris Lamb wrote: > Hi Salvatore, > > > Internally they are all no-dsa states for the tracker. But think of it > > of three "flavours" of no-dsa. > > > > For instance for postponed, we think that an update is worth of a DSA, > > but it makes no

Re: [SECURITY] [DLA 2115-1] proftpd-dfsg security update

2020-03-01 Thread Salvatore Bonaccorso
Hi Chris, On Fri, Feb 21, 2020 at 12:32:12PM -0800, Chris Lamb wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Package: proftpd-dfsg > Version: 1.3.5e+r1.3.5-2+deb8u6 > CVE ID : CVE-2020-9273 > > It was discovered that there was a use-after-free vulnerabi

Re: security upload imposing load on other parts of Debian

2020-03-01 Thread Salvatore Bonaccorso
Hi [I'm subscribed and following, but if anything needs an immediate reply please do CC me, if something needs a reply from a security team member please cc the security team always] On Sun, Mar 01, 2020 at 08:14:41AM -0500, Roberto C. Sánchez wrote: > On Sun, Mar 01, 2020 at 01:57:21PM +0100, Tho

Re: zsh_5.0.7-5+deb8u1_amd64.changes REJECTED

2020-02-24 Thread Salvatore Bonaccorso
Hi Holger, On Mon, Feb 24, 2020 at 04:00:50PM +, Holger Levsen wrote: > On Mon, Feb 24, 2020 at 04:57:19PM +0100, Salvatore Bonaccorso wrote: > > > Is this a transient condition? Should I just upload again? Or is there > > > some other issue which I have missed? >

Re: zsh_5.0.7-5+deb8u1_amd64.changes REJECTED

2020-02-24 Thread Salvatore Bonaccorso
Hi, On Mon, Feb 24, 2020 at 10:18:45AM -0500, Roberto C. Sánchez wrote: > Hi FTP team folks & LTS folks, > > The below rejection error message is confusing. > > On Mon, Feb 24, 2020 at 02:30:20PM +, Debian FTP Masters wrote: > > > > zsh-static_5.0.7-5+deb8u1_amd64.deb: Built-Using refers to

Re: Bug#931376: debian-security-support: mention nodejs is not for untrusted content

2020-02-20 Thread Salvatore Bonaccorso
Hi Holger, On Thu, Feb 20, 2020 at 04:49:09PM +, Holger Levsen wrote: > > Does LTS provide updates for nodejs/nodejs-*, and is there a place where > > we can document this decision? > > I'd lean to call it unsupported and document this in > src:debian-security-support. I guess you will nee

Re: maintenance: stretch→buster upgrade of security upload host (suchon.d.o)

2020-02-06 Thread Salvatore Bonaccorso
Hi Julien, On Thu, Feb 06, 2020 at 07:35:57PM +0100, Julien Cristau wrote: > On Thu, Feb 06, 2020 at 07:00:02PM +0100, Julien Cristau wrote: > > Hi, > > > > I'm about to upgrade the security upload host (suchon.d.o) from stretch > > to buster. That is going to cause (most likely short) outages d

Re: spamassassin security update in Debian jessie LTS

2020-02-01 Thread Salvatore Bonaccorso
Hi Mike, On Fri, Jan 31, 2020 at 10:01:05PM +, Mike Gabriel wrote: > Hi Ola, Noah, > > On Fr 31 Jan 2020 20:32:01 CET, Ola Lundqvist wrote: > > > Hi > > > > Spamassassin (and a few other packages) are handled a little differently > > compared to most packages in Debian. > > > > I'd advise

Re: Regression in X2Go Client caused by CVE-2019-14889/libssh fix

2019-12-21 Thread Salvatore Bonaccorso
Hi Mike, On Sat, Dec 21, 2019 at 05:47:25PM +, Mike Gabriel wrote: > Hi again, > > On Sa 21 Dez 2019 18:36:09 CET, Mike Gabriel wrote: > > > Hi again, > > > > On Sa 21 Dez 2019 17:27:15 CET, Mike Gabriel wrote: > > > > > Hi all, > > > > > > the recent libssh fix for CVE-2019-14889 cause

Re: Status of php-mbstring vs. libonig

2019-11-25 Thread Salvatore Bonaccorso
Hi, On Mon, Nov 25, 2019 at 11:50:00AM +0100, Sylvain Beucler wrote: > Hi, > > On 22/11/2019 21:23, Sylvain Beucler wrote: > > I see in 'embedded-code-copies': > > > >   libonig > >       - php5 5.3.2-1 (embed) > > > > (i.e. from 2010) > > > > Jessie seems to properly link to libonig (dependen

Backports for CVE-2019-14287 for sudo (was: Re: Ubuntu ESM access)

2019-10-15 Thread Salvatore Bonaccorso
Hi Sylvain, On Tue, Oct 15, 2019 at 12:24:20AM +0200, Sylvain Beucler wrote: > Hi, > > I would like to study Ubuntu's backports of CVE-2012-2337/sudo (since > the stable branch of sudo experienced massive changes since our > versions), but sadly those are not available to the public: > https://us

Re: ClamAV update in jessie

2019-10-04 Thread Salvatore Bonaccorso
Hi Hugo, On Fri, Oct 04, 2019 at 11:37:29AM +0200, Hugo Lefeuvre wrote: > Regarding the DLAs. I plan to release a DLA per upload (one DLA for clamav > and one for each reverse dependency). Announcing all five uploads under a > single DLA seems a bit messy to me. I would say it depends a bit, I wo
