On 24/06/25 at 22:53, Santiago Ruano Rincón wrote:
> On 24/06/25 at 23:15, Andreas Beckmann wrote:
> > On 6/24/25 19:46, Santiago Ruano Rincón wrote:
> > > I plan to contact directly the sponsor to study the impact of
> > > (officially) stopping supporting n
On 01/08/25 at 19:08, Bastien Roucaries wrote:
> On Thursday, 31 July 2025, 22:30:11 Central European Summer Time, Vladimir
> Petko wrote:
> Hi,
>
> > Hi,
> >
> > As far as I remember, 20230707 removes the circular dependency that
> > caused upgrade issues[1][2][3]. It also requires open
On 24/06/25 at 23:15, Andreas Beckmann wrote:
> On 6/24/25 19:46, Santiago Ruano Rincón wrote:
> > I plan to contact directly the sponsor to study the impact of
> > (officially) stopping supporting nvidia-graphics-driver. But before
> > that, it would be helpful to k
Hello all,
On 24/06/25 at 14:06, Sylvain Beucler wrote:
> Hi,
>
> On 24/06/2025 12:57, Andreas Beckmann wrote:
> > On 6/23/25 20:51, Tobias Frost wrote:
> > > Therefore I'd suggest to drop support for nvidia-graphics-drivers and
> > > add it to debian-security-support.
> >
> > No objection
Hello Otto,
On 04/06/25 at 19:44, Otto Kekalainen wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> From: Otto Kekäläinen
> To: debian-lts-annou...@lists.debian.org
> Subject: [SECURITY] [DLA 4208-1] mariadb-10.5 security update
>
> - -
On 29/05/25 at 12:28, Moritz Mühlenhoff wrote:
> On Tue, May 27, 2025 at 06:40:38PM -0300, Santiago Ruano Rincón wrote:
> > > Else, you can push to a debian/bookworm branch and release the changes.
> > > Each
> > > commit looks good.
> >
> > Thank
for reviewing!
>
> Let me know for the upload.
>
> --
> William Desportes
> On 2025/05/26 18:44, Santiago Ruano Rincón wrote:
> > Bonjour William, hello security team,
> >
> > On 16/05/25 at 17:37, Santiago Ruano Rincón wrote:
> > > El 16/05/25 a
Bonjour William, hello security team,
On 16/05/25 at 17:37, Santiago Ruano Rincón wrote:
> On 16/05/25 at 21:08, William Desportes wrote:
> > Hello,
> >
> > Thank you for reaching out to me.
> > Do you have access to the salsa repository?
[...]
This is
t pushed into tcpdf
> since some years.
Great!
>
> And yes, no POC to be found. Quite a shame, fixes come out of nowhere and are
> released as they are.
> --
> William Desportes
>
> On 16 May 2025 20:13:21 GMT+02:00, "Santiago Ruano Rincón"
> wrote:
>
Hello William, hello all,
This is just a quick heads-up about my on-going work to prepare a
security update for tcpdf, and to avoid any double-work.
Among the currently open CVEs [tcpdf], the most complex backport seems
to be CVE-2024-32489, since among the two referenced commits, the only
one th
Dear security team,
On 10/05/25 at 16:14, Samuel Henrique wrote:
> Hello Salvatore, sorry about the late reply, I was in MiniDebConf Maceió.
>
> On Thu, 1 May 2025 at 06:24, Salvatore Bonaccorso wrote:
> > Yes the A2 would go in the direction we are thinking, internally we
> > have said t
On 08/05/25 at 13:05, Chris Lamb wrote:
> Hi Santiago,
Hi Chris,
> > As a follow up of https://lists.debian.org/debian-lts/2025/05/msg00023.html,
> > I forgot to check if a pu for python-django was in the queue. And I
> > would just like to point you out about the above questions from
> >
On 08/05/25 at 18:45, Adrian Bunk wrote:
> On Wed, May 07, 2025 at 01:26:32PM -0300, Santiago Ruano Rincón wrote:
Hi Adrian
> > Currently, debusine.d.n helps to verify how a package builds on
> > different architectures, to run autopkgtest (contrary to Salsa CI,
> > d
Hi again Chris!
On 19/04/25 at 21:16, Salvatore Bonaccorso wrote:
> Hi Chris,
>
> On Fri, Mar 14, 2025 at 06:38:56AM +0100, Salvatore Bonaccorso wrote:
> > Hi,
> >
> > [including Chris in CC]
> >
> > On Sun, Oct 20, 2024 at 09:05:43AM +0200, Paul Gevers wrote:
> > > Hi Steve,
> > >
> > >
Hi Chris,
(Moving the secteam to BCC, to avoid spamming them too much afterwards.)
On 07/05/25 at 09:36, Chris Lamb wrote:
> Hey Santiago,
>
> > According to dsa-needed.txt, nodejs and python-django are being
> > prepared by rouca and lamby, respectively.
> >
> > Could you please tell me i
Hello all,
(CCing the security team just for visibility - I hope this is not too
much noise.)
As I mentioned to rouca on #debian-lts, I would like to ask your help to
test debusine.debian.net to test the uploads that you are preparing for
bookworm-security. According to dsa-needed.txt, nodejs an
Hello all,
(And sorry, I realise now that I should have put the security team and
Xen maintainers more in the loop at some point.)
This is something that we had tried to do for Xen 4.14
(https://bugs.debian.org/1053246), but we failed to find an external
party able to help.
The full announcement c
On 16/04/25 at 15:06, Sylvain Beucler wrote:
> Hi,
>
> On 14/04/2025 02:49, Santiago Ruano Rincón wrote:
> > Who is interested in having an LTS BoF during DC 25?
> >
> > Part of the topics that we could discuss is the security-tracker-related
> > work that
Hi there!
Who is interested in having an LTS BoF during DC 25?
Part of the topics that we could discuss is the security-tracker-related
work that we plan to tackle during DebCamp (BTW, deadline for bursaries
is tomorrow, 2025-04-14!).
If LTS sponsors are planning to attend, it would be a nice opp
Hi Bastien,
On 13/04/25 at 16:15, ro...@debian.org wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> - -
> Debian LTS Advisory DLA-4124-1 debian-lts@lists.debian.org
> https://www.debian.org/
Package: debian-security-support
Version: 1:13+2025.01.30
Severity: normal
X-Debbugs-Cc: debian-lts@lists.debian.org
Hello there,
I would like to propose EOL'ing odoo in bullseye, because 14.0 has been
EOL'ed by upstream and the complexity of backporting patches seems to be
too high.
There is cu
On 08/02/25 at 08:58, Santiago Ruano Rincón wrote:
> On 06/02/25 at 17:46, László Böszörményi (GCS) wrote:
> > On Wed, Feb 5, 2025 at 8:18 PM Santiago Ruano Rincón
> > wrote:
[snip]
> > It seems 3.17 is coming, at least this commit [4] seems interesting
>
On 06/02/25 at 17:46, László Böszörményi (GCS) wrote:
> Hi Santiago,
>
> On Wed, Feb 5, 2025 at 8:18 PM Santiago Ruano Rincón
> wrote:
> > Testing (trixie) currently ships fuse3 3.14.0. FYI, upstream released
> > 3.16.2 on Oct 10th 2023:
> > https://github.co
Control: User -1 debian-lts@lists.debian.org
Control: Usertag -1 + upstream-trixie
Hello Thijs and LTS team,
On 01/12/24 at 17:38, Thijs Kinkhorst wrote:
> Package: simplesamlphp
> Severity: grave
> Tags: trixie sid
>
> The current package in testing and unstable is version 1.19. Upstream
Source: fuse3
Version: 3.14.0-10
Severity: normal
User: debian-lts@lists.debian.org
Usertags: upstream-trixie
X-Debbugs-Cc: debian-lts@lists.debian.org
Dear László,
Testing (trixie) currently ships fuse3 3.14.0. FYI, upstream released
3.16.2 on Oct 10th 2023:
https://github.com/libfuse/libfuse/re
Hi,
On 03/02/25 at 15:15, infra...@alara-group.fr wrote:
> Package: orthanc
> Version: 1.9.2+really1.9.1+dfsg-1+deb11u1
> Severity: grave
> Justification: renders package unusable
> X-Debbugs-Cc: debian-lts@lists.debian.org
>
> Dear Maintainer,
>
> The last dcmtk/libdcmtk15 security update
Source: wget
Severity: normal
User: debian-lts@lists.debian.org
Usertags: upstream-trixie
X-Debbugs-Cc: debian-lts@lists.debian.org
Dear Noël,
Testing (trixie) currently ships wget 1.24.5-2. FYI, upstream released
1.25.0 on November 10th 2024:
https://ftp.gnu.org/gnu/wget/wget-1.25.0.tar.gz.
Whi
Hi!
On 02/02/25 at 22:29, Aron Xu wrote:
> On Wed, 29 Jan 2025 19:32 Santiago Ruano Rincón wrote:
> > > On Mon, Aug 19, 2024 at 3:54 PM Emilio Pozuelo Monfort
> > wrote:
> > > >
> > > > On 17/08/2024 11:13, Paul Gevers wrote:
> > > > >
Source: wpa
Severity: important
User: debian-lts@lists.debian.org
Usertags: upstream-trixie
X-Debbugs-Cc: debian-lts@lists.debian.org
Dear Debian wpasupplicant Maintainers,
Testing (trixie) currently ships wpa 2.10. FYI, upstream released 2.11
on July 20th 2024:
https://w1.fi/cgit/hostap/plain/wp
Source: async-http-client
Severity: important
User: debian-lts@lists.debian.org
Usertags: upstream-trixie
X-Debbugs-Cc: debian-lts@lists.debian.org
Dear async-http-client maintainer(s),
Testing (trixie) currently ships async-http-client 2.12.3. Upstream released
2.12.4 and 3.0.1 (whose breaking c
Hi Aron,
Thanks a lot for your work on libxml2!
On 21/08/24 at 19:32, Aron Xu wrote:
> On Mon, Aug 19, 2024 at 3:54 PM Emilio Pozuelo Monfort
> wrote:
> >
> > On 17/08/2024 11:13, Paul Gevers wrote:
> > > Hi,
> > >
> > > [Disclaimer: I'm not the most experienced person on transitions in t
Source: libapache-mod-jk
Severity: important
User: debian-lts@lists.debian.org
Usertags: upstream-trixie
X-Debbugs-Cc: debian-lts@lists.debian.org
Dear libapache-mod-jk maintainer(s),
Testing (trixie) currently ships libapache-mod-jk 1.2.49. Upstream released
the latest version, 1.2.50, on Augus
Source: bouncycastle
Severity: important
User: debian-lts@lists.debian.org
Usertags: upstream-trixie
X-Debbugs-Cc: debian-lts@lists.debian.org
Dear bouncycastle maintainer(s),
Testing (trixie) currently ships bouncycastle 1.77. Upstream released
the latest version, 1.80, on January 14th 2025.
W
Control: User -1 debian-lts@lists.debian.org
Control: Usertags -1 upstream-trixie
Dear nagios4 maintainer,
On 23/09/23 at 17:57, Unit 193 wrote:
> Source: nagios4
> Severity: wishlist
>
> Dear Maintainer,
>
> Please update nagios4 in Debian as, at the time of this writing, 4.4.14 is
> a
Hello!
On 20/12/24 at 10:09, Santiago Ruano Rincón wrote:
> Thank you Emilio for doing the triaging, and thanks Chris for claiming
> the package.
>
> On 20/12/24 at 11:12, Emilio Pozuelo Monfort wrote:
> > On 20/12/2024 03:53, Santiago Ruano Rincón wrote:
> >
Thank you Emilio for doing the triaging, and thanks Chris for claiming
the package.
On 20/12/24 at 11:12, Emilio Pozuelo Monfort wrote:
> On 20/12/2024 03:53, Santiago Ruano Rincón wrote:
> > Hi Mark, and thanks for the heads-up,
> >
> > CC'ing the LTS mailing li
Hi Mark, and thanks for the heads-up,
CC'ing the LTS mailing list for visibility. BCC'ing debian-devel.
On 19/12/24 at 17:50, Mark Hindley wrote:
> Hello,
>
> I recently completed salvaging of src:ucf[1].
>
> As part of code cleanup I discovered a variable inherited from the environment
>
Thanks a lot to Hans, Maximilian and Sean!
On 08/12/24 at 13:38, Sean Whitton wrote:
> Hello,
>
> On Sat 07 Dec 2024 at 12:58pm +01, Hans van Kranenburg wrote:
>
> > Yes, we need some assistance.
>
> Thank you for the write-up. Santiago, maybe we should add a link to
> this thread to pac
Hi,
On 08/12/24 at 07:30, Adrian Bunk wrote:
> On Fri, Dec 06, 2024 at 10:10:19PM -0500, Roberto C. Sánchez wrote:
> > Hello everyone,
>
> Hi Roberto,
>
> > The Security Team has supplied a list of packages/CVEs which were fixed
> > by DLA (some in bullseye and some in buster) but which re
Source: openjpeg2
Severity: important
User: debian-lts@lists.debian.org
Usertags: upstream-trixie
X-Debbugs-Cc: debian-lts@lists.debian.org
Dear openjpeg2 maintainer(s),
Testing (trixie) currently ships openjpeg2 2.5.0. Upstream released
2.5.2 on February 28th 2024, and they are considering doin
Hi!
On 05/12/24 at 19:43, Daniel Baumann wrote:
> Hi,
>
> On 12/5/24 18:39, Santiago Ruano Rincón wrote:
> > I thought I had mentioned somewhere that Daniel Baumann showed some
> > interests in working on those CVEs, but that was some time ago.
>
> I was mo
't seem to consider these CVEs.
> >
> > This is triaged in bookworm with:
> > (Minor issue, revisit when fixed upstream)
> > but this has much likely no chances to happen, because EOL'd.
> >
> > Do we want to reach out to HeroDevs?
> > Do we want to EOL these packages?
> > Do we want to try and fix this ourselves?
> >
> > Cheers!
> > Sylvain
> > (FD this week)
--
Santiago Ruano Rincón ◈ Freexian SARL
https://www.freexian.com
Hello Daniel!
Thanks a lot for preparing this update. However, I have some
comments/questions below:
On 05/12/24 at 08:03, Daniel Baumann wrote:
> Hi,
>
> although ceph 14 is not affected by the RGW issue from yesterday
> (#1088993, CVE-2024-48916), I have similar to [bookworm] also prepar
Source: xen
Severity: normal
User: debian-lts@lists.debian.org
Usertags: upstream-trixie
X-Debbugs-Cc: debian-lts@lists.debian.org
Dear xen maintainers,
Testing (trixie) currently ships xen 4.17, which, according to the
upstream support matrix [x], will get security support until 2025-12-12.
The
Hi,
On 24/10/24 at 10:55, Arturo Borrero Gonzalez wrote:
> Hi,
>
> On 10/23/24 23:48, Santiago Ruano Rincón wrote:
> > I added the reference to the commit that introduced the vulnerability
> > after you committed it to the elts security tracker.
>
> I have no r
Salut Pierre, hello security team,
Sorry for this very late reply.
On 07/10/24 at 23:46, Pierre Gruet wrote:
> Hi Santiago,
>
> On 07/10/2024 at 20:21, Santiago Ruano Rincón wrote:
> > Dear teams,
> >
> > activemq is listed in both dla-needed and dsa-neede
On 23/10/24 at 13:03, Arturo Borrero Gonzalez wrote:
> Hi, sorry for the late follow up.
>
> On 10/16/24 00:38, Santiago Ruano Rincón wrote:
> >
> > Again, you can also ask upstream. They are in a better position to tell
> > you if the vulnerability is present in
Hello,
On 15/10/24 at 23:07, Arturo Borrero Gonzalez wrote:
> On 10/15/24 16:58, Santiago Ruano Rincón wrote:
> >
> > Moreover, I do see the code introduced by that change as part of
> > 2:3.61-1+deb11u3, that relate to HACL* AVX2 support for different crypto
>
Hello Arturo,
On 12/10/24 at 13:08, Arturo Borrero Gonzalez wrote:
> Hi there,
>
> this email is to propose we mark the nss package in debian bullseye as not
> affected by CVE-2024-7531 [0].
>
> The upstream patch is clearly identified [1], but debian/bullseye [2] just
> doesn't contain th
ian/changelog 2024-10-07 13:25:51.0
-0300
@@ -1,3 +1,10 @@
+activemq (5.17.2+dfsg-2+deb12u1) bookworm-security; urgency=medium
+
+ * CVE-2023-46604: The Java OpenWire protocol marshaller is vulnerable to
+Remote Code Execution (Closes: #1054909).
+
+ -- Santiago Ruano Rincón Mo
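Review bot: the new entry at the top of debian/changelog names CVE-2023-46604 and closes #1054909, but its text only restates the vulnerability ("is vulnerable to Remote Code Execution") and does not say what the upload changes. Describe the fix itself in the entry, for instance which patch was added, so that the changelog for 5.17.2+dfsg-2+deb12u1 records how the issue is addressed.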
Hello Bernhard,
On 28/09/24 at 15:39, Schmidt, Bernhard wrote:
> Hi,
>
> the ELTS documentation suggests to use a local mirror
>
> https://www.freexian.com/lts/extended/docs/how-to-use-extended-lts/
>
> We run an official mirror for our local infrastructure, and we would be
> willing to
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: override
X-Debbugs-Cc: syst...@packages.debian.org, debian-lts@lists.debian.org, Adrian
Bunk , debian-ad...@lists.debian.org
Control: affects -1 + src:systemd
Dear FTP Master team,
It seems the bullseye-s
On 31/08/24 at 16:43, Adrian Bunk wrote:
> On Sat, Aug 31, 2024 at 10:12:19AM -0300, Santiago Ruano Rincón wrote:
> >...
> > It seems the bullseye-security upload queue is finally open (now that
> > the point release has been published).
> >...
>
> Are yo
Hello Chris, hello LTS Team,
On 26/08/24 at 13:59, Santiago Ruano Rincón wrote:
> On 26/08/24 at 19:22, Adrian Bunk wrote:
> > Hi,
> >
> > where has the binary package been built, and where is it available for
> > our users to download?
> >
> >
On 13/08/24 at 19:37, Sylvain Beucler wrote:
> Hi,
>
> On 13/08/2024 11:54, Moritz Mühlenhoff wrote:
> > On Mon, Aug 12, 2024 at 03:10:06PM -0300, Santiago Ruano Rincón wrote:
> > > On 08/08/24 at 12:10, Sylvain Beucler wrote:
> > > > python2.
Dear Debian LTS users,
Bernhard (FreeRADIUS debian maintainer), Bastien and myself (with the kind
help from Alan DeKok - upstream maintainer) have been preparing freeradius
updates that mitigate the Blast-RADIUS issue for both bookworm and bullseye.
To mitigate the vulnerability, RADIUS servers a
On 26/08/24 at 19:22, Adrian Bunk wrote:
> Hi,
>
> where has the binary package been built, and where is it available for
> our users to download?
>
> Except for this announcement, I have not seen traces of it anywhere.
python-html-sanitizer and libtommath uploads have been rejected. Chri
Control: severity -1 important
(CCing: the security team)
Hi,
On 24/08/24 at 02:08, alexvong.rc...@simplelogin.com wrote:
> Subject: youtube-dl: GHSA-22fp-mf44-f2mq GHSA-9jqj-9wwh-r5mg
> Source: youtube-dl
> Version: 2021.12.17-1~bpo11+1
> X-Debbugs-Cc: debian-lts@lists.debian.org
> Severi
Hi!
On 22/08/24 at 14:30, Sylvain Beucler wrote:
> Hi Wanna-Build Team,
>
> On 19/08/2024 18:57, Aurelien Jarno wrote:
> > On 2024-08-14 12:59, Santiago Ruano Rincón wrote:
> > > On 13/12/23 at 11:56, Salvatore Bonaccorso wrote:
> > > > On W
On 19/08/24 at 05:33, Holger Levsen wrote:
> On Fri, Aug 16, 2024 at 02:31:02PM -0300, Santiago Ruano Rincón wrote:
> > I have updated
> > https://salsa.debian.org/debian/debian-security-support/-/merge_requests/29
> > accordingly.
>
> will you also merge it? :
On 16/08/24 at 18:03, Alberto Garcia wrote:
> On Thu, Aug 15, 2024 at 02:32:42PM -0300, Santiago Ruano Rincón wrote:
> >
> > Alberto, does the following change match your thoughts?
> >
> > diff --git a/security-support-limited.deb11 b/security-support-limi
Hi!
On 12/05/23 at 12:06, Alberto Garcia wrote:
> On Fri, May 12, 2023 at 08:27:49AM +, Holger Levsen wrote:
> > > Note that wpewebkit is still supported in bullseye and will remain
> > > supported until the distro reaches EOL.
> > does that mean when the Debian security stops supporting
Dear wanna-build team,
On 13/12/23 at 11:56, Salvatore Bonaccorso wrote:
> Hi Sylvain,
>
> On Wed, Dec 13, 2023 at 07:50:38AM +0100, Sylvain Beucler wrote:
> > Hi all,
> >
> > Actually we have a summary of the situation here:
> > https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/5
Hi,
On 08/08/24 at 12:10, Sylvain Beucler wrote:
> Hello Security Team,
>
> python2.7 was marked unsupported in bullseye.
>
> We recently noted that pypy[v2] (included up to bullseye) and jython (all
> dists) include the python2 stdlib. Unlike pypy3, neither package currently
> track the
On 12/08/24 at 00:27, Mike Gabriel wrote:
> Hi Moritz, hi Santiago,
>
> On Sun 11 Aug 2024 12:57:23 CEST, Moritz Muehlenhoff wrote:
>
> > On Sat, Aug 10, 2024 at 11:19:24AM -0300, Santiago Ruano Rincón wrote:
> > > (I had tried to answer from the web debian-lt
(I had tried to answer from the web debian-lts archive, and I don't know
why firefox ended up sending four empty emails to the list. Really sorry
for the noise)
On 31/05/22 at 05:42, Mike Gabriel wrote:
> Hi Moritz, Salvatore, Sylvain,
>
> On Mon 30 May 2022 20:04:14 CEST, Moritz Mühlenhoff
On 08/08/24 at 23:06, Moritz Mühlenhoff wrote:
> On Thu, Aug 08, 2024 at 09:31:31PM +0200, Salvatore Bonaccorso wrote:
> > So the package can be safely removed I would say and so my proposal
> > would be to ask for removal of iotjs in the last bullseye point
> > release.
> >
> > What do you
Hi all,
As suggested by Moritz, given the status of iotjs, I think it is not
possible to support it during the bullseye LTS period. iotjs was removed
from unstable (and bookworm when it was testing) nearly two years ago:
https://tracker.debian.org/news/1354004/removed-10715-1-from-unstable/.
It
nt to mark gpac EOL for bullseye as well?
I think it makes sense, yes. Would you like to proceed and document
this in d-d-s?
Thanks,
--
Santiago Ruano Rincón ◈ Freexian SARL
https://www.freexian.com
Hi Ubuntu security team,
I would just like to put you in the loop about this git issue, and a
possible regression in Ubuntu related to its fix. Please, see below.
On 31/05/24 at 10:41, Roberto C. Sánchez wrote:
> Hi Sean,
>
> On Fri, May 31, 2024 at 03:05:35PM +0100, Sean Whitton wrote:
>
Package: wnpp
Severity: wishlist
Owner: Emmanuel Arias , Santiago Ruano Rincón
X-Debbugs-Cc: debian-de...@lists.debian.org, t...@security.debian.org,
debian-ker...@lists.debian.org, debian-lts@lists.debian.org, eam...@debian.org
* Package name: linux-livepatching
Version
the first time I
looked at these CVEs, when they just came out.
Thanks, and sorry for the noise,
-- S
>
> Cheers
>
> // Ola
>
> On Tue, 23 Apr 2024 at 22:55, Santiago Ruano Rincón
> wrote:
> >
> > Hi Ola,
> > On 19/04/24 at 07:54, Ola Lundqvist
Hi Cyrille!
On 25/04/24 at 15:00, Cyrille Bollu wrote:
> Hi Santiago,
>
> Here's some follow up :-)
>
> Best regards,
>
> Cyrille
>
> On Tuesday, 16 April 2024 at 12:52 -0300, Santiago Ruano Rincón wrote:
> > Hi Cyrille,
> >
> > El 16/0
Hi Ola,
On 19/04/24 at 07:54, Ola Lundqvist wrote:
> Hi
>
> I have now made the package build.
Thank you for preparing the patch. I've built, tested basic
functionality and tested reversed dependencies.
However, I have a question: could you please point me where do you get
from the changes
Dear team,
TL;DR: if you have a local copy of the lts-team/packages/samba repo,
please consider resetting the debian/buster branch.
The lts-team's was originally created from scratch, then we moved over a
fork of the debian maintainers. To reconcile the differences in history
between the buster u
Hi Cyrille,
On 16/04/24 at 16:09, Cyrille Bollu wrote:
> Hi Santiago,
>
> >It is not a question of trust. It is a problem of lack of strong
> >evidence that the issue is no longer there in freeimage or openjpeg2.
> >We cannot rely only on CVE description to track the issues.
>
> I think yo
Hi,
On 15/04/24 at 21:47, Ola Lundqvist wrote:
> Hi Santiago
>
> On Mon, 15 Apr 2024 at 21:10, Santiago Ruano Rincón
> wrote:
> >
> > Hi Ola,
> >
> > As being discussed with Salvatore, there is not enough evidence to
> > conclude there is n
t; > NOTE: in libopenjpeg, not freeimage. Without reproducer or
> > stacktrace, this is
> > NOTE: nearly unfixable.
> > + NOTE: Turned out that the issue is not in freeimage at all,
> > but rather in openjpeg.
> > + NOTE: For more information see
>
Hi,
Cyrille, thank you for checking this. However, I don't think the contact
address you had sent the email to is correct.
CVE is maintained by MITRE (not NIST). And there exist several CNAs that
could issue CVE IDs for specific products/domains.
According to https://www.cve.org/CVERecord?id=CVE-2019
Hello Cyrille,
On 11/04/24 at 09:15, Cyrille Bollu wrote:
> Why not using CVSS as a base calculation for assigning severity levels?
>
> IIRC, something like:
>
> CVSS>=8 => High
> 4<=CVSS<8 => Medium
> CVSS<4 => Low
...
Thanks for the comment!
I cannot talk for the security team, but I u
Hi Ola,
On 11/04/24 at 08:25, Ola Lundqvist wrote:
> On Thu, 11 Apr 2024 at 02:34, Santiago Ruano Rincón
> > On 10/04/24 at 22:08, Ola Lundqvist wrote:
> > > Hi all
> > >
> > > Sorry for late reply. It took me too long today to answer the CVE
>
Hi Ola,
On 10/04/24 at 22:08, Ola Lundqvist wrote:
> Hi all
>
> Sorry for late reply. It took me too long today to answer the CVE
> triaging discussion. Now to this issue.
>
> Regarding the fedora patches. The patches seem to help for those
> specific issues they solve.
>
> My intention f
Hi (especially Ola),
On 08/04/24 at 13:59, Sylvain Beucler wrote:
> Hi,
>
> I think this requires a bit of coordination:
> - the package is basically dead upstream, there hasn't been a fix in the
> official repos, neither Debian or other distros attempted to fix them
The only "exception" s
On 15/03/24 at 08:31, Roberto C. Sánchez wrote:
> On Fri, Mar 15, 2024 at 11:06:10AM +0100, Raphael Hertzog wrote:
> > Hello Roberto,
> >
> > On Thu, 14 Mar 2024, Roberto C. Sánchez wrote:
> > > Santiago and I are in agreement that at the moment the best available
> > > option is to use dla-
On 08/03/24 at 18:51, Ola Lundqvist wrote:
> Hi
>
> Ah, right. I was thinking i386, amd64 were only hardware architectures. If
> it includes freebsd as a separate then it is clearly not supported.
> Thank you
That is a good point. We tend to use the term architecture, but if you
want to be
Hello Ola,
On 08/03/24 at 00:20, Ola Lundqvist wrote:
> Hi
>
> I'm triaging issues and I found one undetermined one for kfreebsd-10.
> There is very little information on the issue so I agree with the
> undetermined status.
>
> My question is whether we should even try to determine it... I
On 29/02/24 at 14:14, Sean Whitton wrote:
> Hello,
>
> Does anyone have working debvm runes for stretch & jessie?
>
> If you just use 'debvm-create -r stretch --
> http://deb.freexian.com/extended-lts'
> then there isn't working networking.
AFAIU, networking is set up while running debvm-
On 05/02/24 at 15:30, Colin Watson wrote:
> On Mon, Feb 05, 2024 at 11:33:41AM -0300, Santiago Ruano Rincón wrote:
> > As part of the LTS workflow, we keep information about VCS of the
> > packages uploaded, including git tags for every upload.
> >
> > Woul
On 01/02/24 at 13:34, Colin Watson wrote:
> On Thu, Feb 01, 2024 at 05:41:19PM +0530, Utkarsh Gupta wrote:
> > On Thu, Feb 1, 2024 at 1:44 AM Colin Watson wrote:
> > > I'm both the Debian and upstream maintainer of man-db. I'm considering
> > > uploading some variation of the attached diff
On 22/12/23 at 14:21, Moritz Muehlenhoff wrote:
> On Fri, Dec 22, 2023 at 10:19:15AM -0300, Santiago Ruano Rincón wrote:
> > On 22/12/23 at 09:54, Moritz Muehlenhoff wrote:
> > > On Thu, Dec 21, 2023 at 07:30:51PM -0300, Santiago Ruano Rincón wrote:
> > > >
On 22/12/23 at 09:54, Moritz Muehlenhoff wrote:
> On Thu, Dec 21, 2023 at 07:30:51PM -0300, Santiago Ruano Rincón wrote:
> > So let me ask you: are you interested in addressing the infrastructure
> > limitations to handle those kind of packages? and having some he
Dear Security, Release and Wanna-build teams,
As some of you may be aware, we (the LTS Team) are reviewing the
packages with limitations in their support, and I would like to bring
some discussion regarding Go, Rust and the like. As the bookworm (and
older) release notes document:
The Debian
unce/2023/msg00258.html
and:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056606
I think we should follow that for buster. Any objections?
Cheers,
--
Santiago Ruano Rincón ◈ Freexian SARL
https://www.freexian.com
On 19/10/23 at 11:29, Yadd wrote:
> Hi,
>
> I think I did what is needed (mail + webml). Let me know if everything is
> OK.
It is perfect. Thank you!
Cheers,
-- Santiago
Hey,
node-babel was accepted into buster-security. Yadd, will you do the
paperwork by yourself or do you want some help?
Cheers,
-- S
On 18/10/23 at 21:20, Debian FTP Masters wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> Format: 1.8
> Date: Fri, 13 Oct 2023 20:56:38 +04
Hi Yadd,
On 13/10/23 at 20:59, Yadd wrote:
> and Buster ;-)
Thanks for preparing the fix!
Just to be on the safe side, have you been able to test it, and how?
Are you willing to upload it by yourself, or do you want some help?
Cheers,
-- Santiago