any meaningful reverse dependency
for ruby-omniauth in jessie. So it has less priority for now.
* tomcat8: is also affected by CVE-2019-0221 and is currently FTBFS
due to a couple of test failures. Started investigating that and will
upload in the coming days.
Regards
Abhijith P
Hi,
On 04/07/19 3:53 pm, Sylvain Beucler wrote:
> Hi,
>
> There are 2 free Frontdesk slots in the upcoming weeks.
> Volunteers wanted :)
>
> From 08-07 to 14-07: Chris Lamb
> From 15-07 to 21-07:
> From 22-07 to 28-07: Thorsten Alteholz
> From 29-07 to 04-08:
>
> https://wiki.debian.org/LTS/Dev
. Using snapshot.debian.org to find
the change causing the regression.
Regards
Abhijith PA
[1] - https://lists.debian.org/debian-lts-announce/2019/07/msg8.html
Carsten,
On 13/07/19 5:38 pm, Carsten Leonhardt wrote:
> Hi,
>
> if you're interested in addressing this CVE, you can find a fixed
> version for jessie at https://salsa.debian.org/debian/pound/tree/jessie
>
> An amd64 binary package can be found here:
>
> https://salsa.debian.org/debian/pound/-
Hello.
tomcat8 is FTBFS in jessie. I think the culprit is the CVE-2017-5647 patch,
which makes TestSendFile fail. I tried with the latest upstream change
of TestSendfile but it is still failing. I would like to get help on this one.
--abhijith
Hi,
On 22/07/19 1:13 pm, Brian May wrote:
> I am a bit unclear when we should be some issues, and when we should be
> marking them as no-DSA (or similar).
>
> For example, webpack was three issues:
>
> - CVE-2019-1010315: divide by zero
> - CVE-2019-1010317: use of uninitialized memory.
> - CVE-
Hi,
I don't think the link you gave on commit [fe932dd39d] is the reason for
FTBFS. I tried building on a VM that matches the certificate date and it
was successful. I also tried disabling all ssl related tests and was fine.
While doing these all I found TestSendFile test is the culprit. In
CVE-
Hi,
On 29/08/19 6:47 pm, Paul Gevers wrote:
> Hi
>
> On 29-08-2019 14:28, Raphael Hertzog wrote:
>> (Note: pkg-security@tracker.d.o is not a valid email, dropped)
>>
>> Hi,
>>
>> On Thu, 29 Aug 2019, Holger Levsen wrote:
In general, we (Deb
July was my 18th month as a Debian LTS paid contributor. I had 14 hours
from last month, out of which I spent 8 hours on the following:
* 1 week of LTS front desk ( 15-07 to 21-07 )
* tomcat: Investigated on the tests failures though couldn't re
CVE-2019-6438. upstream responded with
relevant commits [2].
Regards
Abhijith PA
[1] - https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html
[2] -
https://github.com/SchedMD/slurm/commit/afa7d743f407c60a7c8a4bd98a10be32c82988b5
On 09/10/19 1:32 pm, Hugo Lefeuvre wrote:
> On Mon, Oct 07, 2019 at 11:22:45PM +0200, Hugo Lefeuvre wrote:
>>> This looks like a regression, indeed. I will provide a regression update
>>> as soon as possible.
>>
>> Looks like I'm actually not the one who issued this update. Abhijith: do
>> you w
On 10/10/19 6:35 pm, Hugo Lefeuvre wrote:
> Hi Abhijith,
>
Looks like I'm actually not the one who issued this update. Abhijith: do
you want to handle this, or should I proceed with a fix tomorrow?
>>
>> I will look into it.
>
> Well... I ended up preparing the update and planned to
:
Sponsored ruby-mini-magick for Utkarsh Gupta. DLA[4]
Regards
Abhijith PA
[1] - https://lists.debian.org/debian-lts-announce/2019/10/msg4.html
[2] - https://lists.debian.org/debian-lts-announce/2019/10/msg00031.html
[3] - https://lists.debian.org/debian-lts-announce/2019/11/msg0.html
Hello Markus,
There aren't any open vulnerabilities in libapache2-mod-auth-openidc.
The last one was announced in DLA-1996-1. Any particular reason for keeping
it in dla-needed.txt?
--abhijith
, CVE-2019-6438
after combing through the upstream changes history. Currently testing
the build and will be uploaded soon. Thanks to Gennaro Oliva for
helping in testing. Package is available here[2].
* otrs2: Started Working on CVE-2019-18179, CVE-2019-18180.
Regards
Abhijith PA
[1
Hi Markus and Mike
On 21/12/19 3:26 am, Mike Gabriel wrote:
> On Fr 20 Dez 2019 15:35:01 CET, Markus Koschany wrote:
>> Nethack is a game and I believe it should be added to our end-of-life
>> list.
> +1 from me.
>
> Mike
I claimed it in dla-needed. Should I take care of eol procedure or you
chopping file names. Confirmed with upstream.
* nethack: Marked eol and updated in security-support-ended.deb8
* tomcat8: Patched CVE-2019-17563 and CVE-2019-12418, though one test
related to this is failing. Will be uploaded soon.
Regards
Abhijith PA
[1] - https://lists.debian.org/debian-lts
CVE-2019-17563 patch.
Regards
Abhijith PA
[1] - https://lists.debian.org/debian-lts-announce/2020/01/msg9.html
[2] - https://lists.debian.org/debian-lts-announce/2020/01/msg00027.html
ng for DLA 2101-1 (reserved by Bastian Blank)
> ERROR: .data or .wml file missing for DLA 2083-1 (reserved by Chris Lamb)
> ERROR: .data or .wml file missing for DLA 2079-1 (reserved by Abhijith PA)
> ERROR: .data or .wml file missing for DLA 2053-1 (reserved by Abhijith PA)
DLA 2053-1 p
last update.
* otrs2: 5 CVEs reported - CVE-2020-1771 marked as no-affected,
the upstream patch for CVE-2020-1769 is not working as intended.
CVE-2020-1770, CVE-2020-1772, CVE-2020-1773 are patched.
Regards
Abhijith PA
[1] - https://lists.debian.org/debian-lts-announce/2020/03/msg00029.ht
Hi Chris,
> ---
> data/dla-needed.txt | 4
> 1 file changed, 4 insertions(+)
>
> diff --git a/data/dla-needed.txt b/data/dla-needed.txt
> index 071a4292d1..5dc070a663 100644
> --- a/data/dla-needed.txt
> +++ b/data/dla-needed.txt
> @@ -73,6 +73,10 @@ openjdk-7 (Roberto C. Sánchez)
> --
>
Chris,
On 29/04/20 4:28 am, Chris Lamb wrote:
> Abhijith,
>
>>> otrs2
>>>NOTE: 20200412: Asked upstream for clarity in CVE-2020-1769 patch
>>> (abhijith)
>>> + NOTE: 20200427: Cannot find the above comment on the various
>>> commits/PRs, nor
>>> + NOTE: 20200427: on the -dev mailing list
eded.txt:
>
> === cut ===
> commit c68a758f05548b7441dc218176123c37db4bb3bb
> Author: Abhijith PA
> Date: Tue May 5 18:02:27 2020 +0530
>
> Add note for mumble in dla-needed.txt
>
> diff --git a/data/dla-needed.txt b/data/dla-needed.txt
> index 1f1e7888df..ef6beea1ac 100644
> --
fixed and 3 marked as
no-dsa. DLA-2198-1[1]
* mumble: Attempted to upgrade Jessie's version to 1.2.18.
Unfortunately Stretch version is also vulnerable to DoS. I've written
the current status here[2]
Regards
Abhijith PA
[1] - https://lists.debian.org/debian-lts-announ
Hello.
I've backported CVE-2020-11651, CVE-2020-11652 mostly from
https://github.com/rossengeorgiev/salt-security-backports/ and uploaded
to people.debian.org
https://people.debian.org/~abhijith/upload/salt_2014.1.13+ds-3+deb8u1.dsc
Please review the patch and let me know if you find any regress
Hi,
On 20/02/20 11:14 pm, Holger Levsen wrote:
> On Thu, Feb 20, 2020 at 06:08:52PM +0100, Emilio Pozuelo Monfort wrote:
>> So we should add it to security-support-ended for those releases, and
>> let it be supported in buster.
>
> done in
> https://salsa.debian.org/debian/debian-security-suppor
On 05/06/20 6:39 pm, Sylvain Beucler wrote:
> Hi,
>
> On 05/06/2020 15:03, Abhijith PA wrote:
>> On 20/02/20 11:14 pm, Holger Levsen wrote:
>>> On Thu, Feb 20, 2020 at 06:08:52PM +0100, Emilio Pozuelo Monfort wrote:
>>>> So we should add it to security-s
-2020-11078. Uploaded and issued
dla[3]
* 2 weeks of lts-frontdesk from 25-05 to 07-06. Most of my triage work
can be seen in salsa activity[4]
Regards
Abhijith PA
[1] - https://lists.debian.org/debian-lts-announce/2020/05/msg00027.html
[2] - https://lists.debian.org/debian-lts-announce/2020
: Initially worked on CVE-2020-13231 for jessie. Will be
updating on stretch.
Regards
Abhijith PA
[1] - https://lists.debian.org/debian-lts-announce/2020/06/msg6.html
Hi,
On 07/07/20 4:52 pm, Chris Lamb wrote:
> Hi Emilio,
>
>> The header. It looks like a bit too much for the DLA to me,
>
> Not quite sure what you mean by this. I am assuming you mean something
> along the lines of it being "too intense for a DLA" but if so I don't
> understand what the concer
]
* 2 weeks of frontdesk duty (From 27-07 to 09-08). Most of my triage work
can be seen in salsa activity[5]
Regards
Abhijith PA
[1] - https://lists.debian.org/debian-lts-announce/2020/08/msg4.html
[2] - https://lists.debian.org/debian-lts-announce/2020/08/msg00014.html
[3] - https
). Reported to upstream
developer.
* qemu: Fixed CVE-2020-13253, CVE-2020-14364, CVE-2020-16092,
CVE-2020-1711. After a couple more smoke tests, the package will be
uploaded[1]. Marked CVE-2020-15859, CVE-2020-17380 as postponed.
Regards
Abhijith PA
[1] - https://people.debian.org/~abhijith
tested and
uploaded[4].
* Attended #debian-lts irc meeting.
Regards
Abhijith PA
[1] - https://lists.debian.org/debian-lts-announce/2020/09/msg00013.html
[2] - https://lists.debian.org/debian-lts-announce/2020/09/msg00015.html
[3] - https://lists.debian.org/debian-lts-announce/2020/10
Hi Antoine,
On 19/10/20 6:50 pm, Antoine Cervoise wrote:
> Hi,
>
>
> I'm not familiar with how to report security issues regarding
> packages under LTS/Extended LTS support. I've reported this issue on
> poppler-utils (included in poppler package, l
Hi,
On 23/10/20 8:20 pm, Utkarsh Gupta wrote:
> Hi Abhijith,
>
> William, both upstream and downstream maintainer, CCed here, has
> prepared an upload for stretch.
> cf:
> https://mentors.debian.net/debian/pool/main/p/phpmyadmin/phpmyadmin_4.6.6-4+deb9u2.dsc
>
> I generally sponsor all his uplo
Hi,
On 23/10/20 9:24 pm, Abhijith PA wrote:
> Hi,
>
> On 23/10/20 8:20 pm, Utkarsh Gupta wrote:
>> Hi Abhijith,
>>
>> William, both upstream and downstream maintainer, CCed here, has
>> prepared an upload for stretch.
>> cf:
>> https://men
s not-
affected[3]. Marked CVE-2019-10255, CVE-2019-9644 as no-dsa[4]. Fixed
CVE-2018-19351 CVE-2018-21030 CVE-2018-8768. Upload stuck due to
#823820[5]
Regards
Abhijith PA
[1] - https://lists.debian.org/debian-lts-announce/2020/10/msg00024.html
[2] - https://lists.debian.org/debia
Hey,
On 06/11/20 11:03 am, Utkarsh Gupta wrote:
> Hi Abhijith,
>
> If I am parsing your note for cacti in dla-needed correctly, does it
> make sense to remove the package from dla-needed file altogether
> (since all remaining issues are no-dsa and can be fixed with the next
> upload)?
Yes, it ca
Hi,
On 16/11/20 5:06 pm, Emilio Pozuelo Monfort wrote:
> Hi,
...
> fwiw the jupyter-notebook DLA is not in -announce either, so it's not just
> missing in the website.
I generated DLA for jupyter-notebook just before upload. But upload was
rejected due to `Built-Using refers to non-existing sourc
Hello Brian,
On 17/11/20 2:14 am, Brian May wrote:
> Abhijith PA writes:
>
>> I generated DLA for jupyter-notebook just before upload. But upload was
>> rejected due to `Built-Using refers to non-existing source package`. I have
>> pinged ftp masters couple of times
agent: Working on open CVEs. Only CVE-2020-25650 partially
backported. Asked maintainer for help, also agreed.
* salt: Fixed CVE-2020-16846 CVE-2020-17490 CVE-2020-25592, tested and
uploaded[2].
- Created new page LTS/TestSuites/salt[3] and documented running tests.
Regards
Abhiji
-2020-35678 as ignored [2]
* spice-vdagent: Preparing fix. Corresponding with old maintainer.
Regards
Abhijith PA
[1] - https://lists.debian.org/debian-lts-announce/2020/12/msg00036.html
[2] -
https://salsa.debian.org/security-tracker-team/security-tracker/-/c
n May backported the patches for the first
two CVEs.
Regards
Abhijith PA
[1] - https://lists.debian.org/debian-lts-announce/2021/01/msg00012.html
tests are adjusted. Patch[9]
* 01/03 - 07/03, 1 week of front desk duty.
Regards
Abhijith PA
[1] - https://security-tracker.debian.org/tracker/CVE-2021-21238
[2] - https://lists.debian.org/debian-lts-announce/2021/02/msg00038.html
[3] - https://security-tracker.debian.org/tracker/TEMP
Hello
On 08/03/21 05:16 PM, Sylvain Beucler wrote:
> Hi!
>
> Thanks for preparing a LTS fix for privoxy.
>
> For reference, our full procedure is documented at:
> https://wiki.debian.org/LTS/Development
>
> To answer your points:
>
> - The debdiff looks good to me
>
> - Salvatore updated the
On 09/03/21 10:47 AM, Roland Rosenfeld wrote:
> Hi Abhijith!
>
> On Di, 09 Mär 2021, Abhijith PA wrote:
>
> > Roland, thanks again for the patch. I can see that last LTS update
> > (3.0.26-3+deb9u1) done by you. Hope you can upload this time as
> > well. If not, l
: Marked CVE-2019-25025 as ignored[3]
Regards
Abhijith PA
[1] - https://lists.debian.org/debian-lts-announce/2021/04/msg4.html
[2] - https://lists.debian.org/debian-lts-announce/2021/03/msg9.html
[3] -
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit
finding it.
* samba: There were 9 CVEs including the no-dsa tagged ones.
So far backported CVE-2019-10218 CVE-2019-14833 CVE-2019-14847
CVE-2019-14861 CVE-2019-14870. Continuing work on remaining fixes.
Build available[4] for testing.
Regards
Abhijith PA
[1] - https://lists.debian.org
On 10/05/21 12:34 AM, Abhijith PA wrote:
> March was my 38th month as a Debian LTS paid contributor.
^
Oops, April.
On 17/05/21 04:54 PM, Utkarsh Gupta wrote:
> Hello,
>
> On Mon, May 17, 2021 at 3:08 PM Ola Lundqvist wrote:
> > mqtt-client: 1.14-1+deb9u1 newer than 1.14-1
>
> Abhijith, can you please take care of this? You need a -pu update
> prepared for this.
Okay, I will take care of this. Issue is no DS
Hi Ola,
On 26/05/21 01:45 PM, Ola Lundqvist wrote:
>Hi fellow LTS contributors
>
>I have checked this CVE and my conclusions are as follows.
>The CVE actually cover five different problems. I guess CVEs should not
>do that, but it did anyway.
>
>Quote from upstream:
>
>T
. Added couple of
autopkgtest from unstable. Tested and uploaded[1].
* squid3: Investigated and tested on ubuntu[2] and Beuc patches[3].
Will upload soon.
Misc:
* mqtt-client: Uploaded 1.14-1+deb10u1[4] to proposed-updates.
Regards
Abhijith PA
[1] - https://lists.debian.org/debian
Hi,
On 06/06/21 07:59 PM, Utkarsh Gupta wrote:
> Hi Samuel,
>
> On Sun, Jun 6, 2021 at 6:39 PM Samuel Henrique wrote:
> > I wasn't very clear in the pu request; the ieee-data package ships 2
> > things; the data from ieee and a script to update that data. This
> > issue fully breaks the script's
June was my 40th month as a Debian LTS paid contributor. I was
assigned 14 hours plus 7h from last month. I have spent 18h and will
carry rest to next month;
* 1 week of frontdesk: From 14-06 to 20-06.[1]
* python-urllib3: There were 4 CVEs. CV
: Investigated on CVE-2021-30465. Marked as no-dsa
* pjproject: Backporting fix for CVE-2021-32686.
Regards
Abhijith PA
unittest related to this CVE. Released DLA 2754-1[1]
* smarty3: Prepared an update for reported regression #989141[2].
ELTS
* ckeditor: 5 CVEs including postponed ones. Available patches have
backported.
Regards
Abhijith PA
[1] - https://lists.debian.org/debian-lts-announce/2021
Hello,
In December I was assigned 08 hours to work on Debian LTS by Freexian
SARL. I spent only 3 hours on package libraw's[1] open CVEs. I will
carry the rest of the hours to next month.
- - --abhiji
Hello,
For January I had 5 hours remaining from last month. I spent all of them for :
* libraw: There were 28 open CVEs. Marked 6 among those as not-affected.
Fixed 22 CVEs, tested and uploaded [DLA 2903-1]
Regards
Abhijith
[DLA 2903-1] -
https://lists.debian.org/debian-lts-announce/2022
.
Regards
Abhijith PA
[1] -
https://people.debian.org/~abhijith/upload/vda/pjproject_2.5.5~dfsg-6+deb9u3.dsc
[2] -
https://people.debian.org/~abhijith/upload/vda/ring_20161221.2.7bd7d91~dfsg1-1+deb9u2.dsc
On 30/03/22 12:05 PM, Bastian Triller wrote:
> Hello,
>
> we upgraded to 2.5.5~dfsg-6+deb9u3 and we're seeing crashes in
> Asterisk. It seems the patch for CVE-2022-23608 is faulty. In your
> patch, the hash table key is assigned twice in hunk #2 but not in hunk
> #4.
> Please see attached patch C
Hello.
During the month of March I worked on following packages for LTS:
* asterisk
- Total of 22 CVEs
- Fixed 6 CVEs, 5 CVEs as no-DSA (intrusive to backport)
- Rest CVEs are of pjproject not affecting stretch
- [DLA-2969-1]
Hello.
During the month of April I worked on following packages for LTS:
* mitmproxy
- Total of 3 CVEs
- Due to lot of code refactoring, marked 2 CVEs as ignored.
* mruby
- Total of 18 CVEs
- Fixed 5 CVEs. Marked 5 as not aff
Hello,
Package icingaweb2 (2.4) in stretch has around 9 open CVEs. Most of
them are fixed in upstream v2.6. There aren't isolated patches available
for CVE-2018-18246 to CVE-2018-18250.
The changes from 2.4 .. 2.6 are pretty large and not very descriptive
to comb through and cherry pick. I have pi
- DLA-3036-1
* icingaweb2
- Continued work from last month
- v2.6[1]
* libmatio
- Total of 28 CVEs
- Working on CVE-2019-9026 to CVE-2019-9038
Misc:
* Ring
- No updates from upstream regarding [2]
Regards
Abhijith PA
[1] -
https://people.debian.org/~abhijith/upload
On 03/06/22 04:45 PM, Utkarsh Gupta wrote:
> Hi Ahijith,
...
> So ideally since the package is in the -backports pocket, I don't
> think it'd be a problem but do make sure that you at least test the
> package so it doesn't introduce any regressions or anything. Hope that
> helps.
Thank you. I've
- Backported 13 CVEs from the work of Sébastien Villemot in
buster to stretch[2]. Unfortunately I wasn't able to fix 6
failing tests before stretch's EOL.
Regards
Abhijith PA
[1] -
https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc
[
Hello FTP masters,
My recent upload to security-master for the buster security got
rejected, because glib2.0 (= 2.58.3-2+deb10u3) package is not
available in the security archive. Can you please manually copy this
package to security archive.
refs:
https://bugs.debian.org/cgi-bin/bugreport.cgi
On 03/09/22 03:41 PM, Ansgar wrote:
> Abhijith PA writes:
> > My recent upload to security-master for the buster security got
> > rejected, because glib2.0 (= 2.58.3-2+deb10u3) package is not
> > available in the security archive. Can you please manually copy this
&g
[[resending with different mail address due couple of MTA rejections]]
On 05/09/22 06:28 PM, Abhijith PA wrote:
> Hey,
>
> On 05/09/22 06:09 PM, Utkarsh Gupta wrote:
> > Hi Abhijith,
> >
> > On Sat, Sep 3, 2022 at 5:04 PM Abhijith PA wrote:
> > >
Hello.
On 07/09/22 11:10 AM, Raphael Hertzog wrote:
> Hello Abhijith and the LTS team,
>
> in Kali we have applied the last ruby-active* security updates and this
> broke the web API part of autopkgtest.kali.org.
Ok, I am on it.
Hello Raphael,
On 07/09/22 11:10 AM, Raphael Hertzog wrote:
> Hello Abhijith and the LTS team,
>
> in Kali we have applied the last ruby-active* security updates and this
> broke the web API part of autopkgtest.kali.org.
Can you share how autopkgtest.kali.org service setup and how
is it running
Hey,
On 12/09/22 04:08 PM, Utkarsh Gupta wrote:
> Hi Abhijith,
>
> On Sat, Sep 10, 2022 at 11:31 PM Abhijith PA wrote:
> > > Please don't upload yet. We either upload what I have or just rollback
> > > the fix for CVE-2022-32224. Wait for the further deci
Hello,
On 18/10/22 11:05 PM, Markus Koschany wrote:
> Hi,
..
> I would appreciate it if actual users of Asterisk tested the update
> and left some feedback on this list. You can find prebuilt amd64
> binary packages and the sources at
Earlier my Jessie Asterisk builds were tested by Bastian
Hey,
On 14/11/22 01:56 PM, Sylvain Beucler wrote:
> Hi!
>
> On 12/11/2022 22:31, Otto Kekäläinen wrote:
> > I was wondering how common is it for DDs to use Salsa-CI while doing
> > quality assurance prior to Bullseye and Buster uploads?
>
> I personally tend to run initial builds and dep-8 tests
Hello Anton,
>From 5b2bcfaa20e12d0c90eb3999fba8b6e942e201ab Mon Sep 17 00:00:00 2001
From: Anton Gladky
Date: Tue, 16 May 2023 22:39:34 +0200
Subject: [PATCH] LTS: add libpcap to dla-needed.txt
---
data/dla-needed.txt | 4
1 file changed, 4 insertions(+)
diff --git a/data
Hi Ola
(thanks for the ping, I almost missed it)
On 10/06/24 10:35 PM, Ola Lundqvist wrote:
> Hi Abhijith
>
> I had a brief look at varnish that you have worked on to figure out
> what the state of the package is.
>
> In buster I can see the following CVEs.
> CVE-2024-30156 - ignored in bullsey
Hi.
On 26/06/24 08:17 PM, Ola Lundqvist wrote:
...
> >
> > If I remember correctly, CVE-2024-30156 was very intrusive. But I
> > didn't marked likewise as I wanted to give a try after other fixes.
>
> Good point. Do you still think it is worth fixing when you have worked
> on the other issues, or
On 01/07/24 08:18 AM, Ola Lundqvist wrote:
> Hi Abhijith
>
> Thank you. I have marked CVE-2024-30156 as ignored now for buster.
Thank you.
--a
Hello.
I prepared LTS security updates for transmission. Please review and upload.
debdiff -http://188.226.198.239/transmission_2.52_wheezy.debdiff
package:
https://mentors.debian.net/debian/pool/main/t/transmission/transmission_2.52-3+nmu3.dsc
--
Abhijith PA (bhe)
On Thursday 18 January 2018 02:34 PM, Guido Günther wrote:
> Hi Abhijith,
>
> On Thu, Jan 18, 2018 at 01:53:08AM +0530, Abhijith PA wrote:
>> Hello.
>>
>> I prepared LTS security updates for transmission. Please review and upload.
>>
kage. Just let us know whether you would
like to review and/or test the updated package before it gets released.
You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of python2.6, python2.7
updates
for the LTS releases.
Thank you very much.
A
or the LTS releases.
Thank you very much.
Abhijith PA,
on behalf of the Debian LTS team.
PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://salsa.debian.org/security-tracker-tea
Removed
On Sunday 04 February 2018 02:37 AM, Ola Lundqvist wrote:
> Hi
>
> Sorry for the duplicate. I did not realize that someone else had sent
> this message already.
>
> // Ola
>
Sorry for the confusion. What is the best solution to avoid this in
future?
-maintainer upload by the Debian LTS Team.
+ * Fix CVE-2017-18122: Signature validation bypass
+ * Fix CVE-2017-18121: Cross Site Scripting (XSS) in the consentAdmin module
+ * Fix CVE-2018-6521: Use of insecure connection charset (sqlauth module)
+
+ -- Abhijith PA Mon, 05 Feb 2018 11:14:11 +0530
Hi, I think someone uploaded to master ftp queue. :)
Forwarded Message
Subject: simplesamlphp_1.9.2-1+deb7u2_amd64.changes REJECTED
Date: Mon, 05 Feb 2018 12:08:25 +
From: Debian FTP Masters
To: abhij...@openmailbox.org, Abhijith PA , Thijs
Kinkhorst
Uploads to
:28:22.0 +0530
@@ -1,3 +1,11 @@
+mailman (1:2.1.15-1+deb7u3) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Debian LTS team.
+ * CVE-2018-5950: Fix cross-site scripting (XSS) vulnerability in the
+web UI in Mailman. (Closes: #888201)
+
+ -- Abhijith PA Wed, 07 Feb
On Wednesday 07 February 2018 12:38 PM, Brian May wrote:
> Markus Koschany writes:
>
>> +krb5
>> + NOTE: lts-do-not-call
>> +--
>
> What does lts-do-not-call mean?
>
See security-tracker/data/packages/lts-do-not-call .
Hi,
On Wednesday 07 February 2018 12:54 PM, Brian May wrote:
>
> Hello,
>
> I see you have claimed Python2.7 but not Python2.6, which both have the
> same vulnerability. CVE-2018-130
>
> Upstream have decided that this is not a security issue, and it has been
> marked no-DSA in Jessie and S
Command Injection Vulnerability
+(closes: #889759)
+
+ -- Abhijith PA Tue, 13 Feb 2018 23:36:39 +0530
+
leptonlib (1.69-3.1) unstable; urgency=medium
* Non-maintainer upload
diff -Nru leptonlib-1.69/debian/patches/CVE-2018-3836.patch
leptonlib-1.69/debian/patches/CVE-2018-3836.patch
and release DLA 1272-1[2]
* leptonlib: Patch for CVE-2018-3836, test and release DLA 1284-1[3]
* golang: Research on CVE-2018-7187.
Thanks to Markus Koschany and Roberto C. Sánchez for sponsoring packages
.
- -Abhijith PA
[1] https://lists.debian.org/debian-lts-announce/2018/02/msg8.html
[2
ot validate the
-import path (get/vcs.go only checks for "://" anywhere in
-the string), which allows remote attackers to execute arbitrary
-OS commands via a crafted web site. Backported from
-upstream development branch.
-
- -- Abhijith PA Sun, 25 Feb 2018 13:31:35
Hi.
On Wednesday 28 February 2018 11:50 AM, Sebastiaan Couwenberg wrote:
> LTS team,
>
> On 02/23/2018 11:30 AM, Sebastiaan Couwenberg wrote:
>> Dear Security & LTS Teams,
[..]
>> Are these OK to upload?
>
> The jessie & stretch updates have been uploaded to security-master after
> the OK from
ax in exec.c
+ * Fix CVE-2014-10072: buffer overflow when scanning very long
+directory paths for symbolic links
+ * Fix CVE-2016-10714: off-by-one error resulted in undersized buffers
+that were intended to support PATH_MAX
+ * Fix CVE-2017-18206: symlink expansion has buffer overflow
+
On Thursday 08 March 2018 10:35 AM, Chris Lamb wrote:
> Hi Abhijith,
>
>> I prepared an update[1] for zsh. Debdiff attached along with the mail.
>> It would be great if you do some testing.
>
> Works for me... :)
>
>
> Regards,
>
It will be helpful if someone could upload zsh. Once it is accepted
pointer dereference vulnerability
+(closes: #892590)
+
+ -- Abhijith PA Sat, 17 Mar 2018 08:44:25 +0530
+
graphite2 (1.3.10-1~deb7u1) wheezy-security; urgency=high
* Non-maintainer upload by the LTS team.
diff -Nru graphite2-1.3.10/debian/patches/CVE-2018-7999.patch
graphite2-1.3.10/debian
Hi. Gero Treuner
On Sunday 18 March 2018 02:32 PM, Gero Treuner wrote:
> Hi all,
>
> Attached is a wheezy patch for a security issue:
> https://security-tracker.debian.org/tracker/CVE-2018-7490
>
Thanks for the patch :)
> The upstream patch was
On Sunday 18 March 2018 06:40 PM, Gero Treuner wrote:
[..]
>> +// fix docroot
>> +if (uphp.docroot) {
>> +char *orig_docroot = uphp.docroot;
>> +uphp.docroot = uwsgi_expand_path(uphp.docroot,
>> strlen(uphp.docroot), NULL);
>> +if (!uphp.docroot) {
>>
On Monday 26 March 2018 04:14 PM, Gero Treuner wrote:
> Hi Abhijith,
>
> On Fri, Mar 23, 2018 at 07:39:58PM +0530, Abhijith PA wrote:
>> I couldn't find php plugin for uwsgi in wheezy. What are the other ways
>> to test around it.
>
> You are absolutely ri
(Closes: #894045)
+
+ -- Abhijith PA Thu, 29 Mar 2018 22:55:20 +0530
+
libvncserver (0.9.9+dfsg-1+deb7u2) wheezy-security; urgency=high
* CVE-2016-9941: Fix a heap-based buffer overflow that allows remote servers
diff -Nru libvncserver-0.9.9+dfsg/debian/patches/CVE-2018-7225.patch
libvncserver
Drop rene@, jmm@, 892...@bugs.debian.org.
On Tuesday 20 March 2018 01:47 AM, Moritz Mühlenhoff wrote:
> On Mon, Mar 19, 2018 at 05:04:17PM +0100, Rene Engelhard wrote:
>> I am not going over the .-release procedure for this, I'd have uploaded
>> to security, though, but...
>>
>> I don't think we