Guido Günther writes:
> As I wrote in dla-needed.txt the bignum handling is in
> crypto/peersec/mpi.c and it seems to use the same algorithms (and lacks
> the same checks in e.g. mp_exptmod) so I marked it as
> vulnerable. Porting back the fixes from the current version will be
> difficult though
Hi Brian,
> 45.3.0esr-1~deb7u1 in wheezy is vulnerable.
> 45.3.0esr-1~deb8u1 in jessie is vulnerable.
> 45.3.0esr-1 in sid and stretch is not vulnerable.
>
> Which makes me wonder if Wheezy and Jessie versions have been fixed, but
> not marked as such
Good spot.
CVE-2016-2839 is marked as fixed
On Wed, Aug 17, 2016 at 09:00:30AM +0100, Chris Lamb wrote:
> Hi Brian,
>
> > 45.3.0esr-1~deb7u1 in wheezy is vulnerable.
> > 45.3.0esr-1~deb8u1 in jessie is vulnerable.
> > 45.3.0esr-1 in sid and stretch is not vulnerable.
> >
> > Which makes me wonder if Wheezy and Jessie versions have been fix
It's probably best to compare the 4.1.12 upstream version and make sure it
follows whatever they do there. That in theory has been tested. I'm
surprised there was a database update skipped.
And yes the security bug was around having comments too long. I forget the
exact attack method but it was o
On Sun, Jul 24, 2016 at 04:26:20PM -0400, Roberto C. Sánchez wrote:
> FYI, I did the last LTS update of ICU earlier this month, so I think I
> will be able to easily prepare another update. I went ahead and claimed
> it in dla-needed.txt, but if the maintainer or someone else would like
> to help,
Hi,
For July 2016, I had in total 25.95 paid hours available (including
those spare from previous months) to work on Debian LTS via the Freexian
umbrella. However, I was only able to use 14. This is partially what I
have done:
* Helped to test the apache2 package prepared and uploaded by Salvator
On 16.08.2016 10:22, Brian May wrote:
> Markus Koschany writes:
>
>> I also tried to fix CVE-2015-8834 for Wheezy by backporting
>> changeset/32387 but the database upgrade failed, at least I could not
>> log back into the admin backend again. Did you notice a similar issue
>> for Jessie?
>
> I
Hello,
On 26.07.2016 18:51, Diego Biurrun wrote:
> Sorry, I'm afraid I maintained too much radio silence..
Yes, that happens. You don't need to wait until you have fixed all open
libav issues because LTS users will also benefit from an intermediate
release of your fixes. I believe we should work t
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of libgcrypt11:
https://security-tracker.debian.org/tracker/CVE-2016-6313
Would you like to take care of this yourself?
If yes, please follow the workflow we have de
On 2016-08-17 21:04, Markus Koschany wrote:
On 26.07.2016 18:51, Diego Biurrun wrote:
Sorry, I'm afraid I maintained too much radio silence..
Yes, that happens. You don't need to wait until you have fixed all open
libav issues because LTS users will also benefit from an intermediate
release of
Hi Brian,
On Wed, Aug 17, 2016 at 05:49:46PM +1000, Brian May wrote:
> Guido Günther writes:
>
> > As I wrote in dla-needed.txt the bignum handling is in
> > crypto/peersec/mpi.c and it seems to use the same algorithms (and lacks
> > the same checks in e.g. mp_exptmod) so I marked it as
> > vulne
11 matches