armhf builds failing for thunderbird/1:115.8.0-1~deb10u1

2024-02-24 Thread Utkarsh Gupta
Hi Carsten, Thanks for working through and uploading thunderbird/1:115.8.0-1~deb10u1 to buster-security. However, I noticed that armhf builds are failing: https://buildd.debian.org/status/package.php?p=thunderbird&suite=buster-security rm -f old-configure js/src/configure js/src/old-configure moz

Re: man-db hardening fixes

2024-02-01 Thread Utkarsh Gupta
Hi Colin, On Thu, Feb 1, 2024 at 1:44 AM Colin Watson wrote: > I'm both the Debian and upstream maintainer of man-db. I'm considering > uploading some variation of the attached diff to buster-security LTS. > They're adjustments to hardening arrangements, so they do have some > security relevance

Re: Fixing CVEs fixed in ELA-909-1/DLA-3513-1 in (old)stable

2023-11-27 Thread Utkarsh Gupta
Hi Aron, On Sun, Nov 26, 2023 at 12:20 PM Aron Xu wrote: > Thanks for pinging on the tiff issue - there are updates prepared on > security-master for (old)stable to fix CVE-2023-3576, CVE-2023-40745 > and CVE-2023-41175. I was waiting for autopkgtest results during the > weekend and it appears to be

Fixing CVEs fixed in ELA-909-1/DLA-3513-1 in (old)stable

2023-11-26 Thread Utkarsh Gupta
Hi Adrian, Thanks for working on tiff. I saw the ELA-909/DLA-3513 fixes a bunch of things in buster, stretch, and jessie. Great, thanks for that. However, https://deb.freexian.com/extended-lts/tracker/source-package/tiff looks a bit odd to see that (old)stable are the only releases with no fixes,

Re: Backporting mutt patches to Debian Buster

2023-09-16 Thread Utkarsh Gupta
Hi Chris, On Fri, Sep 15, 2023 at 8:09 PM Chris Frey wrote: > Attached is a patch that applies to the unpackaged sources of Debian Buster's > version of mutt 1.10. > > It includes 3 patches: > > upstream/Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch > debian-specific/

Re: firefox on buster

2023-09-02 Thread Utkarsh Gupta
Hey, On Fri, Sep 1, 2023 at 5:49 AM Chris Frey wrote: > I see firefox esr 102.15.x has been released on bullseye. > > Do I dare hope that buster will be blessed with a similar update? Gods of Hope have answered and the buster update has been rolled out via DLA 3553-1. _Hope_ that's what you were

Re: opendmarc 1.3.2-6+deb10u3 postinst hangs

2023-08-30 Thread Utkarsh Gupta
Hi Chris, On Wed, Aug 30, 2023 at 3:20 PM Matus UHLAR - fantomas wrote: > seems that the postinst file hangs, missing db_stop line > > this is described/fixed in bug#965284 > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965284 FYI. ;) - u

Re: Build missing for buster-security/non-free - intel-microcode

2023-08-21 Thread Utkarsh Gupta
Hey, On Mon, Aug 21, 2023 at 2:52 PM Moritz Muehlenhoff wrote: > > Yep, I've uploaded the source but will upload the amd64 and i386 binaries > > now. > > Did you upload anything? There have been no accept or rejects for these, FWIW. After some back and forth, that's done. Both the binaries are

Re: Build missing for buster-security/non-free - intel-microcode

2023-08-19 Thread Utkarsh Gupta
Hey, On Sat, Aug 19, 2023 at 9:12 PM Vincent wrote: > It would be very appreciated if someone completes the > build of intel-microcode for the buster-security/non-free. Yep, I've uploaded the source but will upload the amd64 and i386 binaries now. - u

Re: Bug#1037178: puppet does not sync files anymore after recent ruby2.5 security upload

2023-06-09 Thread Utkarsh Gupta
Hello, On Fri, Jun 9, 2023 at 12:23 PM Schmidt, Bernhard wrote: > Any news here? The regression fix along with the fix for the two CVEs have been rolled out via DLA 3450-1. - u

Re: Bug#1037178: puppet does not sync files anymore after recent ruby2.5 security upload

2023-06-07 Thread Utkarsh Gupta
Hi Chris, On Wed, Jun 7, 2023 at 9:01 PM Chris Lamb wrote: > I see your 2.5.5-3+deb10u6 update on the debian/buster branch which > fixes the broken +deb10u5 upload, but I don't see it in the archive > yet. > > Although you mentioned you were going to wait a bit more, I'm just > 100%-checking you

Re: Bug#1037178: puppet does not sync files anymore after recent ruby2.5 security upload

2023-06-07 Thread Utkarsh Gupta
Hi Bernhard, Kees, On Wed, Jun 7, 2023 at 6:58 PM Schmidt, Bernhard wrote: > > I've prepared a fix for the regression and uploaded the binaries at: > > https://people.debian.org/~utkarsh/lts/ruby2.5/ > > > > Can you please give these a try and see if that fixes the regression > > you're seeing? >

Re: Bug#1037178: puppet does not sync files anymore after recent ruby2.5 security upload

2023-06-07 Thread Utkarsh Gupta
Hi Kees, On Wed, Jun 7, 2023 at 6:53 PM Kees Meijs | Nefos wrote: > I know you were asking Bernhard, but I downloaded and installed as well. > Our Puppet agent seems to be happy again. I had missed your comment in the bug but super, many thanks for testing this out! I'll wait a bit more before I

Re: Bug#1037178: puppet does not sync files anymore after recent ruby2.5 security upload

2023-06-07 Thread Utkarsh Gupta
Hi Bernhard, On Wed, Jun 7, 2023 at 4:16 PM Utkarsh Gupta wrote: > Yep, I'm taking a look to prep something for 2.5. I've prepared a fix for the regression and uploaded the binaries at: https://people.debian.org/~utkarsh/lts/ruby2.5/ Can you please give these a try and see if t

Re: Bug#1037178: puppet does not sync files anymore after recent ruby2.5 security upload

2023-06-07 Thread Utkarsh Gupta
Hiya, On Wed, Jun 7, 2023 at 2:39 PM Moritz Muehlenhoff wrote: > Specifically > https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/ > states: > > | For Ruby 2.7: Update to uri 0.10.0.1 > | For Ruby 3.0: Update to uri 0.10.2 > | For Ruby 3.1: Update to uri 0.11.1 > | For Rub

Re: Bug#1037178: puppet does not sync files anymore after recent ruby2.5 security upload

2023-06-07 Thread Utkarsh Gupta
Hi Chris, On Wed, Jun 7, 2023 at 12:56 PM Salvatore Bonaccorso wrote: > Can you please have a look, as this seems to be caused by the DLA > issued as DLA-3447-1. This has been caused by the ruby2.5 update. Can you please TAL? This is perhaps because of the URI version in buster v/s URI version u

Re: Accepted postgresql-11 11.20-0+deb10u1 (source) into oldstable

2023-05-11 Thread Utkarsh Gupta
Hi Christoph, On Thu, May 11, 2023 at 10:42 PM Christoph Berg wrote: > I uploaded PostgreSQL 11 to buster. The same DSA for PG 13 went out a > few minutes ago. The PG 15 upload will happen now. Great, thank you. I'll prep the paperwork in sometime. - u

Re: Mentorship

2023-03-21 Thread Utkarsh Gupta
Hi Scarlett, On Tue, Mar 21, 2023 at 11:23 PM Scarlett Moore wrote: > I am looking for someone who can mentor me through a security update or two to > get me going on contributing here and ELTS. I am a quick learner, once I get one > under my belt. If anyone can spare a few extra moments to help me

Re: RFC: ruby-loofah 2.2.3-1+deb10u2

2023-03-16 Thread Utkarsh Gupta
Hi Daniel, On Thu, Mar 16, 2023 at 7:06 PM Utkarsh Gupta wrote: > Please hold off on the update for a while. I have something to add wrt > ruby-rails-html-sanitizer. I just haven't had the time to write it > down, I'll get back in another ~7h. In order to fix the CVEs

Re: RFC: ruby-loofah 2.2.3-1+deb10u2

2023-03-16 Thread Utkarsh Gupta
Hi Daniel, On Thu, Mar 16, 2023 at 3:01 AM Daniel Leidert wrote: > I'll wait another day for feedback and then go ahead with the upload. Please hold off on the update for a while. I have something to add wrt ruby-rails-html-sanitizer. I just haven't had the time to write it down, I'll get back i

Re: Bug#1032998: imagemagick: font issue since 8:6.9.10.23+dfsg-2.1+deb10u2

2023-03-16 Thread Utkarsh Gupta
Hi Bastien, Did you look at the following bug report? - u On Wed, Mar 15, 2023 at 8:09 PM Maxime Besson wrote: > > Package: imagemagick > Version: 8:6.9.10.23+dfsg-2.1+deb10u2 > Severity: normal > > Dear Maintainer, > > After updating to 8:6.9.10.23+dfsg-2.1+deb10u2, libgd-securityimage-perl >

Re: New buster-lts upload of shim

2023-03-09 Thread Utkarsh Gupta
Hi Steve, On Thu, Mar 9, 2023 at 8:14 PM Steve McIntyre wrote: > As you'll have probably seen, I've uploaded shim-signed last > night. Next up, some grub updates... Awesome, thanks for letting us know. Also, let us know when the whole thing is done. :) - u

Re: New buster-lts upload of shim

2023-01-31 Thread Utkarsh Gupta
Hi Steve, On Tue, Jan 31, 2023 at 11:43 PM Salvatore Bonaccorso wrote: > > I've just uploaded a new shim update for buster, based on the latest > > update in unstable today. Please accept it quickly so we can get the > > binaries out and signed ASAP? > > The upload is already accepted, but I'm in

Re: Re: libappimage lts update

2023-01-23 Thread Utkarsh Gupta
Hi Scarlett, On Mon, Jan 23, 2023 at 6:43 PM Scarlett Moore wrote: > It turns out the issue affects 0.4 or earlier. Buster has 0.9.1 which was > completely rewritten C -> C++ and not affected. While I was looking forward to > learning this process, I am happy libappimage is not vulnerable in Bust

Re: libappimage lts update

2023-01-21 Thread Utkarsh Gupta
Hi Scarlett, On Sat, Jan 21, 2023 at 8:51 PM Scarlett Moore wrote: > and the CVE is not listed. I need to know how I proceed as it stated Do not > add it, frontdesk needs to. I am a maintainer of the package and I do have the > upstream fix. Thank you for reaching out. I am at the front desk thi

Re: [Pkg-clamav-devel] Clamav Package

2022-12-05 Thread Utkarsh Gupta
Hello, On Sun, Dec 4, 2022 at 11:46 PM Utkarsh Gupta wrote: > This is now released as DLA 3220-1. You will now be able to update to > v0.103.7 on your buster machines (provided the -security pocket is > enabled). Let me know if you run into any problems. I've done the same upda

Re: Upload MariaDB 1:10.3.37-0+deb10u1 ?

2022-12-05 Thread Utkarsh Gupta
Hi Otto, On Mon, Dec 5, 2022 at 5:33 AM Otto Kekäläinen wrote: > I didn't get a reply to this, so asking again. I could take care of the upload but if you'd like to do that, please feel free to do so and I can take care of the paperwork. One quick thing I spotted in the target in d/ch is "buster

Re: [Pkg-clamav-devel] Clamav Package

2022-12-04 Thread Utkarsh Gupta
Hello, On Mon, Oct 31, 2022 at 6:26 PM wrote: > Thank you. That's why I was saying I was confused. It would > be great to be able to run ClamAV 0.103.7 on Buster. It > "complains" and warns you every day that the new version > is available but it won't allow you to upgrade your existing > 0.103.6

Re: https://bugs.debian.org/1024932 ceph-base: ceph to root privilege escalation via ceph-crash.service CVE-2022-3650

2022-12-04 Thread Utkarsh Gupta
Hi Thomas, On Wed, Nov 30, 2022 at 7:17 PM Thomas Goirand wrote: > The patch is kind of trivial Python stuff backporting work. Can someone > take care of it in Buster? I'm currently building the Bullseye backport > of the fix... The LTS team is trying to reduce the queue and a big piece of that

Re: Using Salsa-CI as pre-upload QA for Bullseye and Buster uploads: Lintian and Piuparts

2022-11-13 Thread Utkarsh Gupta
Hi Otto, On Sun, Nov 13, 2022 at 3:18 AM Otto Kekäläinen wrote: > I was wondering how common is it for DDs to use Salsa-CI while doing > quality assurance prior to Bullseye and Buster uploads? We have started using Salsa CI more proactively for LTS uploads to catch issues prior to uploading. We'

Re: [Pkg-clamav-devel] Clamav Package

2022-10-29 Thread Utkarsh Gupta
Hi Klaipedaville, On Sat, Oct 29, 2022 at 2:22 PM Klaipedaville Mail wrote: > Debian 10 (Buster) keeps on complaining that ClamAV version 0.103.6 > is outdated and I need to upgrade it to the latest one, which is ClamAV > 0.103.7. However, it won't let me install from packages and says that > it

Re: [Pkg-clamav-devel] Clamav Package

2022-10-28 Thread Utkarsh Gupta
Hello, On Fri, Oct 28, 2022 at 10:09 PM Sebastian Andrzej Siewior wrote: > > It looks like updating packages is running for about 5 months late > > again if I am not mistaken. This is what my logs tell me.. and my > > eyes.. any news on updates, please? Many thanks! > > > > "Clamav is outdated,

Re: Redmine ActionView::Template::Error after recent Rails security update

2022-09-13 Thread Utkarsh Gupta
Hi Sven, On Tue, Sep 13, 2022 at 12:50 PM Sven Eckelmann wrote: > > On Monday, 12 September 2022 18:54:36 CEST Utkarsh Gupta wrote: > > I have fixed the regression and uploaded the binaries here: > > https://people.debian.org/~utkarsh/lts/rails/ > > Thanks. > >

Re: Redmine ActionView::Template::Error after recent Rails security update

2022-09-12 Thread Utkarsh Gupta
Hi Jude and Sven, On Tue, Sep 6, 2022 at 10:00 AM Jude Hungerford wrote: > Since then, loading any of our Redmine pages returns the following error: > """ > Internal error > An error occurred on the page you were trying to access. > If you continue to experience problems please contact your Redmi

Re: Regression in stretch update of ruby-activerecord 2:5.2.2.1+dfsg-1+deb10u4

2022-09-12 Thread Utkarsh Gupta
Hi Abhijith, On Sat, Sep 10, 2022 at 11:31 PM Abhijith PA wrote: > > Please don't upload yet. We either upload what I have or just rollback > > the fix for CVE-2022-32224. Wait for the further decision or let me > > handle that - whatever works for you. :D > > Should I rollback CVE-2022-32224 for

Re: Regression in stretch update of ruby-activerecord 2:5.2.2.1+dfsg-1+deb10u4

2022-09-09 Thread Utkarsh Gupta
Hi Abhijith, On Fri, Sep 9, 2022 at 6:04 PM Abhijith PA wrote: > Can you share how the autopkgtest.kali.org service is set up and how > it is running. I am using https://ci.debian.net/doc/file.HACKING.html > to reproduce this. What is your rack server like and do you also run any > proxy server. It's also

Re: Regression in stretch update of ruby-activerecord 2:5.2.2.1+dfsg-1+deb10u4

2022-09-08 Thread Utkarsh Gupta
Hi Raphael, Abhijith, On Thu, Sep 8, 2022 at 3:18 PM Raphael Hertzog wrote: > Please coordinate with Utkarsh who seems to have worked on it yesterday > already. > > To both of you, it would be nice to document the fact that you work on it by > adding an entry in dla-needed.txt to avoid duplicate

Closing of buster-backports?

2022-09-05 Thread Utkarsh Gupta
Hello, Now that buster is LTS and no longer officially supported, should the -backports pocket be closed? AFAIK, buster just receives the security uploads by the -security pocket and shouldn't have -backports open anymore. I hope I am not mistaken or missing anything? FTR, packages are still ente

Re: [SECURITY] [DLA 3093-1] rails security update

2022-09-05 Thread Utkarsh Gupta
Hi Abhijith, On Sat, Sep 3, 2022 at 5:04 PM Abhijith PA wrote: > CVE-2022-32224 > > When serialized columns that use YAML (the default) are > deserialized, Rails uses YAML.unsafe_load to convert the YAML data > into Ruby objects. If an attacker can manipulate data in the > databa

Re: [Debian Wiki] Update of "LTS" by BenWestover

2022-07-01 Thread Utkarsh Gupta
Hello, Someone (Ben Westover) made 2 (incorrect) revisions to the LTS wiki page: https://wiki.debian.org/LTS?action=diff&rev1=88&rev2=89 https://wiki.debian.org/LTS?action=diff&rev1=89&rev2=90 I've reverted them for now. Will TAL closely and add changes worth keeping. - u On Sat, Jul 2, 2022 a

Re: RFR: openscad update

2022-06-26 Thread Utkarsh Gupta
Hi Helmut, On Thu, Jun 23, 2022 at 8:33 PM Helmut Grohne wrote: > I've been looking into updating openscad in buster to fix CVE-2022-0496 > and CVE-2022-0497. They're already fixed in bullseye and later. They are > input sanitization issues and CVE-2022-0496 needed a little porting of > the patch

Re: Pending pdns updates

2022-06-06 Thread Utkarsh Gupta
Hi Enrico, On Mon, Jun 6, 2022 at 3:24 PM Enrico Zini wrote: > last month as part of Freexian onboarding I tried to work on pdns: > https://security-tracker.debian.org/tracker/source-package/pdns > > I backported patches for CVE-2020-17482 and CVE-2019-10203 > to https://salsa.debian.org/enrico/p

Re: Taking from backports - icingaweb2

2022-06-03 Thread Utkarsh Gupta
Hi Abhijith, On Thu, Jun 2, 2022 at 5:50 PM Abhijith PA wrote: > Package icingaweb2 (2.4) in stretch has around 9 open CVEs. Most of > them are fixed in upstream v2.6. There aren't isolated patches available > for CVE-2018-18246 to CVE-2018-18250. > > The changes from 2.4 .. 2.6 are pretty large and no

Re: [SECURITY] [DLA 3014-1] elog security update

2022-05-22 Thread Utkarsh Gupta
Hi Ola, On Sat, May 21, 2022 at 3:49 AM Ola Lundqvist wrote: > Did you type the CVE-number wrong? The CVE is CVE-2020-8859, right? Bah, thanks for spotting this. Fixed in the tracker, at least. - u

Re: CVE-2020-8859 for elog, should we support it?

2022-05-17 Thread Utkarsh Gupta
Hi Security team, On Wed, May 18, 2022 at 2:05 AM Ola Lundqvist wrote: > If you think we should support the package I'll add it to > dla-needed. From the description it looks like one can trigger > a denial of service without being authenticated. That sounds > pretty severe to me. I'll just go a

Re: CVE-2020-8859 for elog, should we support it?

2022-05-17 Thread Utkarsh Gupta
Hi Ola, On Tue, May 17, 2022 at 12:35 PM Ola Lundqvist wrote: > While triaging today I noticed this rather old CVE. The elog package > is clearly vulnerable (at least when looking through the source code). > However I noticed that elog is removed (exists in buster and bullseye > though) and it ha

Re: [Git][freexian-team/extended-lts/security-tracker][master] 2 commits: Reserve DLA-3001-1 for libgoogle-gson-java

2022-05-13 Thread Utkarsh Gupta
Hellu again, On Fri, May 13, 2022 at 11:55 PM Utkarsh Gupta wrote: > I see you've reserved the DLA and announced the update. But I > can't see the upload anywhere? Did it make it through? Did you > get the ACCEPT mail? Apologies, it's not been announced yet. But do let

Re: [Git][freexian-team/extended-lts/security-tracker][master] 2 commits: Reserve DLA-3001-1 for libgoogle-gson-java

2022-05-13 Thread Utkarsh Gupta
Hi Dominik, I see you've reserved the DLA and announced the update. But I can't see the upload anywhere? Did it make it through? Did you get the ACCEPT mail? I couldn't find anything on https://tracker.debian.org/pkg/libgoogle-gson-java and neither on buildd or anyplace equivalent. Let me know if yo

Re: How to handle gpac?

2022-04-14 Thread Utkarsh Gupta
Hello, [looping in the Security team as this involves buster and in general, their opinion would be very helpful!] On Thu, Apr 14, 2022 at 8:52 PM Roberto C. Sánchez wrote: > Open security issues: > > bookworm: 4 > bullseye: 100 > buster: 124 > stretch: 126 Holy smokes! CRAZY! Let me take a mom

Re: [Git][security-tracker-team/security-tracker][master] Reserve DLA-2936-1 for libgit2

2022-03-22 Thread Utkarsh Gupta
Hello, On Tue, Mar 22, 2022 at 12:01 PM Emilio Pozuelo Monfort wrote: > I see this finally went through. Do you know what was the issue? In case it > happens again in the future to someone else. This was an interesting case of me building libgit2 in an LXD VM (yes, you can create a VM via LXD! :

Re: Update of debian-archive-keyring in stretch?

2022-03-11 Thread Utkarsh Gupta
Hi Jonathan, On Mon, Oct 11, 2021 at 6:24 AM Utkarsh Gupta wrote: > On Tue, Oct 5, 2021 at 1:26 PM Jonathan Wiltshire wrote: > > You will need (but may not want) the commit removing jessie's keys as well. > > Basically all intermediate commits which touch keyrings - a rem

Re: [Git][security-tracker-team/security-tracker][master] Reserve DLA-2936-1 for libgit2

2022-03-11 Thread Utkarsh Gupta
Hi Emilio, On Fri, Mar 11, 2022 at 4:56 AM Emilio Pozuelo Monfort wrote: > Friendly ping about this update. I see the DLA was reserved but I haven't seen > the package uploaded yet (and thus the announcement sent out). Is there any > blocker with the update? In general I think it's good to not re

Re: Semi-automatic package unclaim after two weeks of inactivity​

2021-12-21 Thread Utkarsh Gupta
Hello, On Tue, Dec 21, 2021 at 10:26 PM Jeremiah C. Foster wrote: > There is only a single, new missing DLA: 2847-1 (15 Dec 2021) (mediawiki) This was a result of the maintainer doing the update and someone from the security team rolling out the announcement. So I went ahead and did the last mis

Re: privoxy stretch package 3.0.26-3+deb9u3 prepared

2021-12-13 Thread Utkarsh Gupta
Hi Roland, On Fri, Dec 10, 2021 at 9:51 PM Roland Rosenfeld wrote: > Okay, I just uploaded the package to security-master. Thank you. Ran the basic smoke test and rolled out the announcement. \o/ - u

Re: LTS work - November 2021

2021-12-13 Thread Utkarsh Gupta
Hi Lee, On Sun, Dec 12, 2021 at 6:10 PM Lee Garrett wrote: > Actually, it's affected by CVE-2019-14856 as soon as you apply the patch > from CVE-2019-10206. :P Ah, I am not sure if we're supposed to update the tracker accordingly then. Because it says "not-affected", which isn't true based on th

Re: LTS work - November 2021

2021-12-11 Thread Utkarsh Gupta
Hiya, On Sun, Dec 12, 2021 at 3:42 AM Lee Garrett wrote: > In November I worked for 9 hours on: > - triaging ansible CVEs > - fixing CVE-2019-10206, CVE-2019-14856, CVE-2020-10684 in stretch ^^^ D'you mean buster because stretch wasn't affected, hehe? :P

Re: privoxy stretch package 3.0.26-3+deb9u3 prepared

2021-12-10 Thread Utkarsh Gupta
Hi Roland, On Fri, 10 Dec, 2021, 5:50 pm Roland Rosenfeld wrote: > Privoxy upstream just released version 3.0.33, which fixes four new > CVEs, which are also reported at security-tracker. > > I prepared a package that fixes CVE-2021-44540 and CVE-2021-44543. > > CVE-2021-44541 and CVE-2021-4454

Re: ClamAV LTS.

2021-12-08 Thread Utkarsh Gupta
Hi Sebastian, On Thu, 9 Dec, 2021, 1:29 am Sebastian Andrzej Siewior <sebast...@breakpoint.cc> wrote: > OldOldStable has 0.102.4+dfsg-0+deb9u2. This should be updated to the > 103 series. I want to upload 103.4 to old-stable/stable but didn't find > the time yet. > The problem with the 102 seri

Re: Bug#1001219: libnss3: recent update prevents ssl connections in chromium 73

2021-12-07 Thread Utkarsh Gupta
Hello, On Tue, Dec 7, 2021 at 2:28 PM Utkarsh Gupta wrote: > Thank you for the heads up. I've sent the new .debs for testing to > Tobias (and CC'ed the bug). This has also been reported to the Ubuntu > security and ESM team since that's where this patch originated from

Re: Bug#1001219: libnss3: recent update prevents ssl connections in chromium 73

2021-12-07 Thread Utkarsh Gupta
Hi Chris, On Mon, Dec 6, 2021 at 9:39 PM Chris Lamb wrote: > No doubt you are already aware of it, but just a heads-up that it > seems like a bug report has been received (#1001219) that relates to > your most recent upload of src:nss, specifically version 2:3.26.2-1.1+deb9u3 > via DLA-2836-1. T

Re: postgresql-9.6 lts update

2021-11-12 Thread Utkarsh Gupta
Hi Christoph, On Fri, Nov 12, 2021 at 1:47 PM Christoph Berg wrote: > could someone do the paperwork for > postgresql-9.6_9.6.24-0+deb9u1_source.changes ? Done both, the announcement and the website update. Thank you! \o/ - u

Re: DLA-2743-1 amd64-microcode incomplete

2021-10-18 Thread Utkarsh Gupta
Hi Philipp, On Mon, Aug 23, 2021 at 2:42 PM Philipp Hahn wrote: > amd64-microcode for > looks incomplete: > > The source page > > lists > > stret

Re: [SECURITY] [DLA 2743-1] amd64-microcode security update

2021-10-18 Thread Utkarsh Gupta
Hello, On Thu, Oct 14, 2021 at 8:19 PM wrote: > Since the published date of the Debian LTS Advisory (DLA-2743-1), to this > point > in time, the upgraded package fails to be discovered by "aptitude update". > > My investigation has found that the expected upgraded package, > "amd64-microcode_3.2

Re: ccextractor embeds unpatched and vulnerable source code from gpac in buster - 994746

2021-10-16 Thread Utkarsh Gupta
Hi Neil, On Mon, Sep 27, 2021 at 6:34 PM Neil Williams wrote: > So far, opinion (Sebastien, Raphael & I) is all for option C: - leave > ccextractor unchanged in buster. > > Have I missed another solution? Does anyone object to adopting solution > C:? I spent some time on this during my FD duty a

Re: DLA-2743-1 amd64-microcode incomplete

2021-10-11 Thread Utkarsh Gupta
Hello, On Tue, Oct 12, 2021 at 12:04 AM Henrique de Moraes Holschuh wrote: > At least for non-ELTS, uploading a binary build typically works, > and at least once I fixed such an issue by just doing a binary > (arch) upload, yes. This is for stretch, which is LTS. I'll go ahead and do a binary up

Re: Update of debian-archive-keyring in stretch?

2021-10-10 Thread Utkarsh Gupta
Hi Jonathan, On Tue, Oct 5, 2021 at 1:26 PM Jonathan Wiltshire wrote: > You will need (but may not want) the commit removing jessie's keys as well. > Basically all intermediate commits which touch keyrings - a removal is > really a move from the main keyring to the archive keyring, so it will > c

Re: [SECURITY] [DLA 2777-1] tiff security update

2021-10-03 Thread Utkarsh Gupta
at 8:35 AM Utkarsh Gupta wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > - --- > Debian LTS Advisory DLA-2777-1 debian-lts@lists.debian.org > https://www.debian.org/lts/security/

Re: Update of debian-archive-keyring in stretch?

2021-10-02 Thread Utkarsh Gupta
On Sat, Oct 2, 2021 at 9:35 PM Utkarsh Gupta wrote: > With these 3 commits, I tried to build the package and it failed > with the following error: > 8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8< > gpg --no-options --no-def

Re: Update of debian-archive-keyring in stretch?

2021-10-02 Thread Utkarsh Gupta
Hi Jonathan, On Wed, Aug 25, 2021 at 11:27 PM Raphael Hertzog wrote: > it would be nice if we could get an update of debian-archive-keyring > in stretch to add the bullseye key just like it has been done in buster a > while ago: > https://tracker.debian.org/news/1236764/accepted-debian-archive-ke

Re: Update of debian-archive-keyring in stretch?

2021-09-14 Thread Utkarsh Gupta
Hello all, On Thu, Aug 26, 2021 at 12:33 AM Utkarsh Gupta wrote: > > The missing key creates problems for example with simple-cdd: > > https://bugs.debian.org/992966 > > Okay, I'll be happy to do the update. Though I wonder if it'd rather > be helpful in just doing

Re: DLA-2743-1 amd64-microcode incomplete

2021-09-12 Thread Utkarsh Gupta
Hi Philipp, On Sun, Sep 12, 2021 at 12:42 PM Philipp Hahn wrote: > Am 31.08.21 um 16:41 schrieb Utkarsh Gupta: > > This is on my radar for today/tomorrow. I'll have this fixed; > > shouldn't warrant a separate upload though. > > Any news on this? > Looking at

Re: DLA-2743-1 amd64-microcode incomplete

2021-08-31 Thread Utkarsh Gupta
Hi, This is on my radar for today/tomorrow. I'll have this fixed; shouldn't warrant a separate upload though. - u

Re: postgresql-9.6 9.6.23-0+deb9u1

2021-08-31 Thread Utkarsh Gupta
Hi Christoph, On Tue, Aug 31, 2021 at 7:34 PM Christoph Berg wrote: > I just pushed the changes to the security-tracker git and mailed > -lts-announce. > > If you could update the website, that would be nice. Done, thank you! - u

Re: postgresql-9.6 9.6.23-0+deb9u1

2021-08-31 Thread Utkarsh Gupta
Hello, On Tue, Aug 31, 2021 at 7:18 PM Adam D. Barratt wrote: > I noticed that postgresql-9.6 got uploaded to stretch-lts late last > week, but there doesn't appear to have been a DLA issued for it yet. > > Is that already in progress? If not, I'll be happy to release one and prep the website up

Re: Bug#993129: redis-tools 3:3.2.6-3+deb9u6 has broken dependencies

2021-08-27 Thread Utkarsh Gupta
Hi Chris, On Fri, Aug 27, 2021 at 9:33 PM Nskaggs wrote: > > Package: redis-tools > Version: 3:3.2.6-3+deb9u5 > Severity: grave > Justification: renders package unusable > > Dear Maintainer, > >* What led up to the situation? > Attempting normal apt upgrade attempts to update redis-tools, but

Re: Update of debian-archive-keyring in stretch?

2021-08-25 Thread Utkarsh Gupta
Hi Raphael, On Wed, Aug 25, 2021 at 11:27 PM Raphael Hertzog wrote: > it would be nice if we could get an update of debian-archive-keyring > in stretch to add the bullseye key just like it has been done in buster a > while ago: [...] > > The missing key creates problems for example with simple-cd

Re: packages in *-lts newer than in subsequent releases

2021-08-05 Thread Utkarsh Gupta
Hi Chris, On Thu, Aug 5, 2021 at 4:18 PM Chris Lamb wrote: > > As I understand it, this needs fixing in stretch and not jessie. So > > needs to be added to dla-needed. That said, whilst I am cleaning all > > sorts of bugs like these, I'll take this one as well. > > Ah, I saw "jessie" and quickly

Re: packages in *-lts newer than in subsequent releases

2021-08-05 Thread Utkarsh Gupta
Hi Chris, On Thu, Aug 5, 2021 at 3:53 PM Chris Lamb wrote: > Thanks for this. Have added amd64-microcode to data/ela-needed.txt > so this gets addressed. As I understand it, this needs fixing in stretch and not jessie. So needs to be added to dla-needed. That said, whilst I am cleaning all so

Re: packages in *-lts newer than in subsequent releases

2021-08-02 Thread Utkarsh Gupta
Hey Chris, On Mon, Aug 2, 2021 at 10:51 PM Chris Lamb wrote: > > libpam-tacplus https://bugs.debian.org/962830 > > pyxdg https://bugs.debian.org/930099 > > Will resolve these two. Um, I just uploaded libpam-tacplus. Maybe take care of pyxdg, please? Thank you! - u

Re: packages in *-lts newer than in subsequent releases

2021-08-02 Thread Utkarsh Gupta
Hi Andreas, On Mon, Aug 2, 2021 at 7:11 PM Andreas Beckmann wrote: > I tried to find all the affected packages, but there is no > guarantee that the following list is complete. ;-) > > These packages are out-of-sync since they have a version > in jessie-lts (or earlier -lts) that is newer than in

Re: LTS upgrade issues

2021-08-02 Thread Utkarsh Gupta
Hi Andreas, Holger, On Mon, Aug 2, 2021 at 3:36 PM Holger Levsen wrote: > #991808 (serious) in usermode 1.109-1 by Andreas Beckmann (anbe) > «wheezy-lts has newer version than jessie(-lts) and stretch(-lts)». > https://bugs.debian.org/991808 Thanks for bringing this to our attent

Re: DLA missing for intel-microcode 3.20210608.2~deb9u2

2021-07-13 Thread Utkarsh Gupta
Hi Holger, On Tue, Jul 13, 2021 at 6:03 PM Holger Levsen wrote: > thank you for providing the intel-microcode last Friday! However, no DLA > has been published yet and that's rather unfortunate. Are you planning > on providing it or should the LTS team finish it? I have been actively working wit

Re: [SECURITY] [BUGFIX] [DLA 2703-1] ieee-data crash fix

2021-07-05 Thread Utkarsh Gupta
Hello, On Mon, Jul 5, 2021 at 3:23 PM Holger Levsen wrote: > > On Sun, Jul 04, 2021 at 05:53:33PM +0530, Utkarsh Gupta wrote: > > --- > > Debian LTS Advisory DLA-2703-1 debian-lts@lists.de

Re: ieee-data: are you interested in fixing a non-security related issue?

2021-06-20 Thread Utkarsh Gupta
Hi Samuel, On Mon, Jun 21, 2021 at 1:08 AM Samuel Henrique wrote: > Awesome, I did fix the Homepage link and also changed the version to > and target release to "20160613.1+deb9u1 security-master" as per > Utkarsh's request on pvt. Hopefully, you meant "stretch-security". :) Anyway, thank you! E

Re: ieee-data: are you interested in fixing a non-security related issue?

2021-06-20 Thread Utkarsh Gupta
Hi Abhijith, On Sun, Jun 20, 2021 at 11:09 PM Abhijith PA wrote: > I don't see any problem in fixing those broken URLs and uploading. No > need of a DLA, I guess. Please also update the homepage link (broken in > sid too) in the control file as well. Thank you, Abhijith. However, each upload to stre

Re: Accepted eterm 0.9.6-5+deb9u1 (source amd64) into oldstable

2021-06-11 Thread Utkarsh Gupta
Hello, On Fri, Jun 11, 2021 at 2:28 AM Moritz Mühlenhoff wrote: > > Right. So should we, in case of the same version in stretch & buster, > > wait for point release to happen for buster & then do the stretch > > upload? > > It depends :-) > > In the case of eterm it doesn't really matter; it only

Re: Accepted eterm 0.9.6-5+deb9u1 (source amd64) into oldstable

2021-06-10 Thread Utkarsh Gupta
Hello, On Thu, Jun 10, 2021 at 11:50 PM Moritz Mühlenhoff wrote: > True that, but keep in mind that this update will only reach buster > users with the point release on 2021-06-19. Right. So should we, in case of the same version in stretch & buster, wait for point release to happen for buster &

Re: Accepted eterm 0.9.6-5+deb9u1 (source amd64) into oldstable

2021-06-10 Thread Utkarsh Gupta
Hi Emilio, On Thu, Jun 10, 2021 at 12:46 PM Emilio Pozuelo Monfort wrote: > > * Non-maintainer upload by the LTS team. > > * Add patch to fix CVE-2021-33477 (Closes: #989041) > > This now has a higher version than in buster. Maybe you can look into > preparing > an update for buster-pu?

Re: ieee-data: are you interested in fixing a non-security related issue?

2021-06-06 Thread Utkarsh Gupta
Hi Samuel, On Sun, Jun 6, 2021 at 6:39 PM Samuel Henrique wrote: > I wasn't very clear in the pu request; the ieee-data package ships 2 > things; the data from ieee and a script to update that data. This > issue fully breaks the script's functionality but the original data > shipped still "works"

Re: ieee-data: are you interested in fixing a non-security related issue?

2021-06-06 Thread Utkarsh Gupta
Hi Samuel, On Sun, Jun 6, 2021 at 4:40 AM Samuel Henrique wrote: > Is the LTS team interested in the fix? It's for a critical issue on > one script provided by the package, reported at #908623 and #932711: > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908623 > https://bugs.debian.org/cgi-bi

Re: CVE-2021-32642 in radsecproxy

2021-05-27 Thread Utkarsh Gupta
Hi Sven, On Thu, May 27, 2021 at 7:54 PM Sven Hartge wrote: > I am absolutely fine with this. Most people using radsecproxy by now > will be using the 1.8.2 package on Buster anyway. Perfect, it's settled then. I'll mark it as postponed for stretch in a while. > Thank you for sponsoring the upl

Re: CVE-2021-32642 in radsecproxy

2021-05-27 Thread Utkarsh Gupta
Hello Sven, Chris, On Thu, May 27, 2021 at 4:22 PM Sven Hartge wrote: > > I'll ultimately leave it up to whoever is on LTS frontdesk duty this > > week, but I suspect we will do the same too. Happy to do the actual > > upload if FD believes the vulnerability does warrant an update, mind > > you.

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2021-05-24 Thread Utkarsh Gupta
Hello, On Tue, May 25, 2021 at 2:23 AM Lynoure Braakman wrote: > No one claimed more than 4 packages. Utkarsh claimed 4 packages, but > having mrxvt, rxvt and uxvt-unicode claimed by different people wouldn't > make very much sense, so no problem there. Yep, all 4 packages are affected by the sa

Re: Upgrade problems from LTS -> LTS+1

2021-05-17 Thread Utkarsh Gupta
Hello, On Mon, May 17, 2021 at 5:06 PM Holger Levsen wrote: > > Holger, can you TAL? > Gee... I don't know what TAL means... Heh. Take A Look (TAL) :) > That said, I'm aware of this issue and have been waiting for an issue worth > updating debian-security-support in buster. I don't think the v

Re: Upgrade problems from LTS -> LTS+1

2021-05-17 Thread Utkarsh Gupta
Hello, On Mon, May 17, 2021 at 3:08 PM Ola Lundqvist wrote: > mqtt-client: 1.14-1+deb9u1 newer than 1.14-1 Abhijith, can you please take care of this? You need a -pu update prepared for this. > ruby-websocket-extensions: 0.1.2-1+deb9u1 newer than 0.1.2-1 Already has an opened -pu bug. > veloc

Re: Upgrade problems from LTS -> LTS+1

2021-05-17 Thread Utkarsh Gupta
On Mon, May 17, 2021 at 2:18 PM Utkarsh Gupta wrote: > I think we shouldn't wait for when the package in the older release > has a greater version but check them *before*. [...] Or well, we could check after as well. But I am much more inclined towards "avoiding" such a

Re: Upgrade problems from LTS -> LTS+1

2021-05-17 Thread Utkarsh Gupta
Hello, On Mon, May 17, 2021 at 2:05 PM Ola Lundqvist wrote: > 3) Merge the normal release with the security release (takes the latest) Yeah, the goal is to cover all sorts of releases (normal, -pu, security) and get the highest version amongst them. > 4) Compare the two merged sets and check if

Re: Firmware-nonfree update?

2021-05-17 Thread Utkarsh Gupta
Hello, On Mon, May 17, 2021 at 1:00 PM Ola Lundqvist wrote: > firmware-nonfree > NOTE: 20201207: wait for the update in buster and backport that (Emilio) > > The problem here is that will likely not happen due to the following note in > the security tracker on all the connected CVEs: > [buster

Re: Upgrade problems from LTS -> LTS+1

2021-05-17 Thread Utkarsh Gupta
Hello, On Mon, May 17, 2021 at 1:04 PM Ola Lundqvist wrote: > Should we try to automate the detection of such issues? It should be fairly > easy to do. This shouldn't just run once, it should keep checking once in a while. And once especially when we're nearing EOL of the LTS and ELTS releases.

Upgrade problems from LTS -> LTS+1

2021-05-15 Thread Utkarsh Gupta
Hello, There's #988289 reported against htmldoc which is the unfortunate result of issuing a DLA when jessie was LTS and was marked as no-dsa for stretch *and* both had the same version. Whilst I'll fix this for stretch (already sponsored the upload for buster), there are more such bugs for stret
