(semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2021-03-08 Thread Holger Levsen
hi, today four packages were unclaimed for LTS: - glib2.0 (Emilio) - golang-1.7 (Sylvain Beucler) - golang-1.8 (Sylvain Beucler) - xmlbeans (Roberto C. Sánchez) and two for ELTS: - glib2.0 (Emilio) - golang (Sylvain Beucler) No one claimed 4 packages or more. Three DLAs which already had been re

privoxy stretch package 3.0.26-3+deb9u2 prepared

2021-03-08 Thread Roland Rosenfeld
Hi! (please Cc: me in reply, since I'm not subscribed to debian-lts) Privoxy upstream just released version 3.0.32, which fixes five new CVEs, which are also reported at security-tracker. I prepared a package that fixes CVE-2021-20272, CVE-2021-20273, CVE-2021-20275, and CVE-2021-20276. CVE-202

Re: privoxy stretch package 3.0.26-3+deb9u2 prepared

2021-03-08 Thread Sylvain Beucler
Hi! Thanks for preparing an LTS fix for privoxy. For reference, our full procedure is documented at: https://wiki.debian.org/LTS/Development To answer your points: - The debdiff looks good to me - Salvatore updated the CVE-2021-20274 status accordingly - 'minor issue' means there is not immed

LTS report for February 2021 - Abhijith PA

2021-03-08 Thread Abhijith PA
February was my 36th month as a Debian LTS paid contributor. I had a total of 19h (assigned and carried from last month). I spent all of them for the following; * python-pysaml2: Fixed CVE-2017-1000433, CVE-2021-21239. Marked CVE-2021-21238 a

Re: privoxy stretch package 3.0.26-3+deb9u2 prepared

2021-03-08 Thread Abhijith PA
Hello On 08/03/21 05:16 PM, Sylvain Beucler wrote: > Hi! > > Thanks for preparing a LTS fix for privoxy. > > For reference, our full procedure is documented at: > https://wiki.debian.org/LTS/Development > > To answer your points: > > - The debdiff looks good to me > > - Salvatore updated the

CVE-2021-3121 stretch patch review request and request for test help

2021-03-08 Thread Ola Lundqvist
Hi I have prepared a patch for CVE-2021-3121 described in: https://security-tracker.debian.org/tracker/CVE-2021-3121 You can find the patch here: http://apt.inguza.net/stretch-lts/golang-gogoprotobuf/CVE-2021-3121-1.patch The patch is based on the following commit: https://github.com/gogo/protob

Re: CVE-2020-36193 php-pear vs drupal7

2021-03-08 Thread Ola Lundqvist
Hi Salvatore, Gunnar, all When looking further into this issue I do not think drupal7 is completely fixed. The drupal7 package includes the following fix: +if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) { But it is missing the depth check https:
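Review bot: the added `+if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0)` line is a bare string-prefix test, so any resolved directory whose name merely begins with the extraction directory (a sibling such as `$p_path . '-x'`) passes it; compare against `realpath($p_path) . DIRECTORY_SEPARATOR` (or require equality with `realpath($p_path)`), and reject the entry explicitly when either `realpath()` returns `false` instead of letting `false` be coerced to a string inside `strpos()`.

The following is an added illustration, not code from drupal7, php-pear or Archive_Tar, of how the quoted prefix comparison behaves on a few constructed symlink targets next to a stricter containment check. It demonstrates the sibling-prefix weakness of `strpos()` on resolved paths; it does not reproduce the depth check the message refers to, whose link is cut off above. Function names, the scratch directory layout and the sample targets are all assumptions made for the demo, and the targets are absolute so that `realpath()` does not depend on the working directory.

```php
<?php
// Added example: bare prefix check (as quoted in the thread) versus a
// containment check that also handles sibling directories and unresolvable
// paths. All paths below are constructed in a scratch directory.
declare(strict_types=1);

// The check quoted from the drupal7 patch: accept the link if the real path
// of the target's directory starts with the real path of the extraction dir.
function prefixCheck(string $link, string $base): bool
{
    return strpos((string) realpath(dirname($link)), (string) realpath($base)) === 0;
}

// Stricter check: both sides must resolve, and the target's directory must be
// the base itself or lie below it (base followed by a separator), so a
// sibling that only shares the prefix string is rejected.
function containedCheck(string $link, string $base): bool
{
    $realBase = realpath($base);
    $realDir  = realpath(dirname($link));
    if ($realBase === false || $realDir === false) {
        return false; // unresolvable paths are rejected, never trusted
    }
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    return $realDir === $realBase || strncmp($realDir, $prefix, strlen($prefix)) === 0;
}

// Scratch layout (hypothetical): <tmp>/extract, <tmp>/extract/sub and a
// sibling <tmp>/extract-evil that shares the "extract" prefix string.
$root = sys_get_temp_dir() . '/tarlink-' . getmypid();
mkdir("$root/extract/sub", 0700, true);
mkdir("$root/extract-evil", 0700, true);
$base = "$root/extract";

// Constructed symlink targets with the verdict a safe extractor should give.
$cases = [
    "$root/extract/sub/target"      => true,  // genuinely inside the base
    "$root/extract-evil/target"     => false, // sibling: prefix check accepts this
    "$root/extract/sub/../../other" => false, // ".." resolved away by realpath()
];

foreach ($cases as $link => $expected) {
    printf("%-45s prefix=%-5s contained=%-5s expected=%s\n",
        substr($link, strlen($root)),
        prefixCheck($link, $base) ? 'ok' : 'deny',
        containedCheck($link, $base) ? 'ok' : 'deny',
        $expected ? 'ok' : 'deny');
}

// Clean up the scratch directories.
rmdir("$root/extract-evil");
rmdir("$root/extract/sub");
rmdir("$root/extract");
rmdir($root);
```

Run with `php` from any directory; the second row shows the prefix check accepting the `extract-evil` sibling that the containment check denies, while the `..` case is rejected by both because `realpath()` has already collapsed it to the parent of the base.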

Re: CVE-2020-36193 php-pear vs drupal7

2021-03-08 Thread Gunnar Wolf
Hello Ola, Salvatore, Chris et al.! Ola Lundqvist dijo [Mon, Mar 08, 2021 at 11:51:35PM +0100]: > Hi Salvatore, Gunnar, all > > When looking further into this issue I do not think drupal7 is completely > fixed. > The drupal7 package includes the following fix: > +if (strp