Hello Chris,
I will take care of it.
Regards
Anton
On Thu, 23 May 2019 at 07:33, Chris Lamb wrote:
>
> Dear maintainer(s),
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Jessie version of freeimage:
> https://security-tracker.debian.org/tr
0191218.1+deb8u1/debian/changelog2020-03-10
20:18:47.0 +
@@ -1,8 +1,140 @@
-amd64-microcode (2.20160316.1~deb8u1) stable; urgency=critical
+amd64-microcode (3.20191218.1+deb8u1) UNRELEASED; urgency=high
- * This is exactly the same release as 2.20160316.1
+ * Non-maintainer
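Review bot: the version line in this hunk sets the distribution to UNRELEASED; before the package is uploaded it has to be changed to the target suite (jessie-security, as the other quoted changelog hunk in this thread already does), otherwise the archive will not accept it for jessie.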
>
> On Wed, Mar 11, 2020 at 08:19:11PM +0100, Anton Gladky wrote:
> > After discussion with the maintainer I decided to backport the latest
> > upstream version, available in Debian (3.20191218.1). Prepared package
> > is available here [1]. Debdiff is attached.
> [...
020 21:06, Salvatore Bonaccorso wrote:
>> Hi,
>>
>> A smaller comment on the update:
>>
>> On Wed, Mar 11, 2020 at 08:19:11PM +0100, Anton Gladky wrote:
>>> After discussion with the maintainer I decided to backport the latest
>>> upstream version, a
u1) stable; urgency=critical
+amd64-microcode (3.20181128.1~deb8u1) jessie-security; urgency=high
- * This is exactly the same release as 2.20160316.1
+ * Non-maintainer upload by the LTS Security Team.
+ * New upstream release.
+ * Add IBPB support for family 17h AMD processors (CVE-2017-
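Review bot: the version 3.20181128.1~deb8u1 on the version line sorts above the amd64-microcode version currently in stretch (the follow-up message in this thread says stretch still has an older version and that #954023 was filed to raise it), so a jessie system upgraded to stretch would keep the jessie package; either wait for the stretch upload to land first or choose a jessie version that stays below the stretch one.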
Dear LTS team,
I am still preparing an update for amd64-microcode for Jessie to fix
CVE-2017-5715. Security team marked this issue as no-dsa for Stretch
[1], it can be fixed through next point release.
For Jessie I am not able to use now the package version
3.20181128.1~deb8u1, because it is high
I have filed #954023 and prepared upload for Debian Stretch to prevent
higher versions in older releases. Still no feedback from debian-release-team.
But in this particular case it should not be a problem, if Stretch
will have an older version for the moment. During the upgrade
Jessie->Stretch the
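The upgrade concern in the message above is a question of Debian version ordering: the version shipped in jessie-security must stay below whatever stretch ships, or the jessie binary "wins" during a jessie->stretch upgrade. The following is an added example for this thread, not code from the amd64-microcode package or from dpkg; it re-implements the dpkg version comparison algorithm (epoch, upstream part, revision; alternating non-digit and digit runs; "~" sorting before everything, even the end of the string). The stretch version used in the demonstration is a constructed value, since the thread only says that stretch is currently older than the jessie candidate.

```python
"""Debian version ordering (re-implementation of the dpkg algorithm).

Added example for this thread; not code from amd64-microcode or dpkg.
Version strings other than the ones quoted in the thread are constructed.
"""


def _char_order(c: str) -> int:
    """dpkg ordering for a single non-digit character ('' marks end of string)."""
    if c == "~":
        return -1            # '~' sorts before everything, even the empty string
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)        # letters sort before other symbols
    return ord(c) + 256      # '+', '.', '-' and friends sort after letters


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or revision string the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character using dpkg's ordering.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            oa = _char_order(a[i] if i < len(a) else "")
            ob = _char_order(b[j] if j < len(b) else "")
            if oa != ob:
                return -1 if oa < ob else 1
            i += 1
            j += 1
        # Digit run: compare numerically, so leading zeros do not matter.
        sa, sb = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        na = int(a[sa:i] or "0")
        nb = int(b[sb:j] or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def split_version(v: str):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-")
    if not upstream:           # no hyphen: native package, empty revision
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like `dpkg --compare-versions` would order a and b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def upgrade_path_ok(older_suite_version: str, newer_suite_version: str) -> bool:
    """True when the older suite's version does not exceed the newer suite's,
    i.e. a release upgrade will actually install the newer suite's package."""
    return compare_versions(older_suite_version, newer_suite_version) <= 0


if __name__ == "__main__":
    # Versions quoted in the thread.
    jessie_candidate = "3.20181128.1~deb8u1"
    # Constructed stretch version: the thread only says stretch is older.
    stretch_assumed = "3.20180524.1"
    print(compare_versions("3.20191218.1~deb8u1", "3.20191218.1"))  # -1: '~' sorts low
    print(compare_versions("3.20191218.1+deb8u1", "3.20191218.1"))  # 1: '+' sorts high
    print(upgrade_path_ok(jessie_candidate, stretch_assumed))        # False: upgrade keeps jessie package
```

The "~deb8u1" suffix only helps when the base version itself is not newer than the next suite's; a higher upstream date in jessie still sorts above any stretch version with an older upstream date, which is exactly the situation the message describes.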
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package: mailman
Version: 1:2.1.18-2+deb8u5
CVE ID : CVE-2020-12137
A vulnerability was discovered in mailman. GNU Mailman 2.x before 2.1.30
uses the .obj extension for scrubbed application/octet-stream MIME
parts. This beha
Dear LTS team,
I prepared and uploaded python2.7_2.7.13-2+deb9u5, fixing
two CVEs.
Unfortunately it fails on i386 due to a timeout during the network
test. I believe that one more try should fix the problem, because
most of the other archs are already green.
But in the security suite the givebacks
Thank you all for the very quick response and help!
It is built now successfully!
Have a nice weekend.
Anton
On Sat, 17 Apr 2021 at 18:53, Utkarsh Gupta wrote:
> Hi Salvatore,
>
> On Sat, Apr 17, 2021 at 10:19 PM Salvatore Bonaccorso
> wrote:
> > > I have given it back to try a rebui
Hi Lynoure,
Thanks for pointing this out! DLA 2628-1 was released [1],
but the website update did not work well (not pushed). I have fixed
it and it should appear on the website shortly.
[1] https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html
Best regards
Anton
On Mon, 26 Apr.
Hi Emilio,
I have prepared a repo for the bind9 LTS upload and the salsa pipelines have passed
[2].
I needed to disable the blhc test though, but that should not be fixed in a targeted
security upload.
[1] https://salsa.debian.org/lts-team/packages/bind9
[2] https://salsa.debian.org/lts-team/packages/bind9/-/pipe
I have added autopkgtest to the stretch-version of bind9 [1].
And the pipelines passed [2].
Feel free to commit there the following versions.
[1]
https://salsa.debian.org/lts-team/packages/bind9/-/tree/master-stretch/debian/tests
[2] https://salsa.debian.org/lts-team/packages/bind9/-/jobs/1620698
Hi Chris,
as you have the FD role this week, I would like
to ask you to add libgetdata to dla-needed. I have prepared
an update for sid/bullseye (waiting for approval) and would
like also to update a package for stretch.
Thank you
Anton
Hi Chris,
thank you. I needed to create a patch (for sid/bullseye) because the patch
is not available/hidden.
Best regards
Anton
On Mon, 10 May 2021 at 11:11, Chris Lamb wrote:
> Hi Anton,
>
> > as you have the FD role this week, I would like
> > to ask you to add libgetdata to dl
Hi Markus,
I have applied your patch and the pipelines have passed [1]. So, at least
nothing breaks from the "build side of view".
Yes, I took this package, but if you are working on it, feel free to
reclaim it.
[1]
https://salsa.debian.org/lts-team/packages/libxstream-java/-/pipelines/292916
B
Hi Marc,
thanks for the note. Yes, I will add a short package description
next time to DLAs if it helps with making an update decision.
Best regards
Anton
On Sat, 2 Oct 2021 at 14:34, Marc SCHAEFER <schae...@alphanet.ch> wrote:
> On Sat, Oct 02, 2021 at 01:45:33PM +0200, Ant
Hi Adrian,
well, I was thinking that upstream should request a CVE. Nevertheless
I could not reproduce the issue with the modern GCC versions.
Even on 32-bit systems.
Regards
Anton
On Sat, 13 Nov 2021 at 21:09, Adrian Bunk wrote:
>
> On Fri, Sep 17, 2021 at 07:02:48AM +0200, Anton
Thanks, Vincent,
now I am able to reproduce the issue!
I will request a CVE.
Regards
Anton
On Sun, 14 Nov 2021 at 15:44, Vincent Lefevre wrote:
>
> On 2021-11-14 14:15:25 +0100, Anton Gladky wrote:
> > well, I was thinking that upstream should request a CVE. Nevertheless
>
CVE-2021-43618 is assigned to this issue.
Adrian Bunk wrote on Sat, 13 Nov 2021, 21:09:
> On Fri, Sep 17, 2021 at 07:02:48AM +0200, Anton Gladky wrote:
> > Thanks, Vincent, for the information. I would still wait for a CVE,
> > so we can apply a patch and track vulnerab
Hi Jeremiah,
> DLA 2839-1 (03 Dec 2021) (gerbv)
thanks, it was announced and just pushed to the website.
Will appear there soon.
Regards
Anton
On Tue, 7 Dec 2021 at 01:05, Jeremiah C. Foster wrote:
>
> Hi,
>
> Today three packages were "unclaimed" for LTS, and two for ELTS;
>
> -firmwa
Dear all,
lighttpd security update was announced recently under the wrong DLA number. The
proper one is [DLA-2887-1]. Sorry for the inconvenience.
[DLA-2887-1] https://www.debian.org/lts/security/2022/dla-2887
Best regards
Anton
On 1/18/22 18:55, Anton Gladky wrote
Dear Otto,
thanks for providing this valuable information.
Providing new binaries in an LTS release can potentially break some
stuff. But if both 10.1 and 10.3 can co-exist, it could be an option.
Another problem is that 10.3 provides a new ABI (libmariadb19 instead
of libmariadb18), so basically t
I have followed the steps described in README.maintainer,
added my key to the team for stretch and imported the keys.
It looks like everything works. Testing it.
Regards
Anton
On Fri, 11 Mar 2022 at 14:28, Utkarsh Gupta wrote:
>
> Hi Jonathan,
>
> On Mon, Oct 11, 2021 at 6:24 AM Utkarsh Gupt
Hi Roberto,
I agree with Utkarsh basically. Fixing over 100 (or even over 20)
issues through patches drastically increases the chances of making a
mistake. Backporting a newer version also has downsides.
I would propose to declare it as EOL.
Best regards
Anton
On Thu, 14 Apr 2022 at 17:22, ... wrote
Hi Sylvain,
thanks for your work! Could you please create a merge request,
so we can discuss this nice improvement there?
Regards
Anton
On Wed, 20 Apr 2022 at 17:33, Sylvain Beucler wrote:
> Now with the patch.
>
> On Wed, Apr 20, 2022 at 05:08:20PM +0200, Sylvain Beucler wrote:
> >
Hi Anton,
>
> There's no need for a MR for this short lts-specific patch, and I
> believe this list has better visibility for the LTS team than the
> security-tracker salsa project (where lts-cve-triage.py resides).
>
> Cheers!
> Sylvain
>
> On 20/04/2022 18:09,
ed :)
>
> Cheers!
> Sylvain
>
> On 21/04/2022 08:15, Anton Gladky wrote:
> > I have just tested the patch and it really produces many more packages
> > to be triaged and they are really reasonable!
> >
> > I would propose to merge it into the master branch and
Hi Stefano.
congratulations on the first DLA! Good job!
Just a small piece of advice. It would be good to add one line to the DLA
with a short description of the package. Something like this:
"Several issues were discovered in Twisted, an event-based framework
for internet applications..." .
You will f
Hi Enrico,
I do sometimes disable lintian and reprotest for the LTS releases.
We are mostly working on security issues and we are unlikely to
introduce a new lintian error, since we provide a minimal patch to the
source code.
When I create a new repo in the lts-packages group, I just check whether
all "jobs
Hi Santiago,
well, from my point of view it is better to use the lintian
version which is available in the corresponding release, not the
latest one.
If we are working with stable/oldstable/oldoldstable and older versions,
we do have to disable or override lintian warnings because the
Hi Enrico,
regarding the content of d/changelog only: I think it is good
and can be uploaded.
I am not sure whether the mention of "CVE-2021-3566" in
d/changelog will be parsed and this CVE unintentionally
closed again in the security database. Please double-check
when you generate the DLA.
Be
Thanks, Philipp, for the information.
Andreas, please analyze whether this failure is related to your changes.
If not, we can try to rebuild.
Regards
Anton
On Mon, 16 May 2022 at 13:26, Emilio Pozuelo Monfort wrote:
>
> On 16/05/2022 11:04, Philipp Hahn wrote:
> > Hello Andreas,
> >
>
Hello Markus,
thanks for the update! Could you please push your last change into the
git repo [1] and tag an upload?
gbp buildpackage --git-tag-only --git-sign-tags --git-debian-branch=debian/stretch
Regards
[1] https://salsa.debian.org/lts-team/packages/libxml2
Anton
On Tue, 17 May 2022 at
As far as I understand, all of those packages can be
added into dla-needed without pre-review? Why not just
put all of them together.
OK, maybe with a short note "needs manual checking" or
similar.
Regards
Anton
On Tue, 17 May 2022 at 14:43, Sylvain Beucler wrote:
>
> Hi,
>
> On 17/
I agree with Utkarsh. Even one CVE should be
fixed if there are no objective reasons not to do it.
Yes, if it is minor, it can be postponed, but not for longer
than a reasonable amount of time.
Regards
Anton
On Tue, 17 May 2022 at 14:28, Utkarsh Gupta wrote:
>
> Hi Ola,
>
> On Tue, May 17, 2
Hi Enrico,
please note that marking the CVE as no-dsa for an LTS release
means that it still needs to be fixed!
We do not have point releases for o-o-stable, so this state can only postpone
the upload, but it still needs to be fixed somehow.
If you feel that the patch is too destructive or
Hi Helmut,
I would propose that you contact the original openscad maintainer
and ask him whether you can make a p-u upload for buster (if it is still
possible).
That way you can gain experience with such uploads. Anyway, for
LTS we do not have any point releases. So basically it
Thanks, Utkarsh for fixing this!
That is one of the reasons why we should migrate to the website.
Regards
Anton
On Sat, 2 Jul 2022 at 08:58, Utkarsh Gupta <guptautkarsh2...@gmail.com> wrote:
> Hello,
>
> Someone (Ben Westover) made 2 (incorrect) revisions to the LTS wiki page:
> http
Hi Ola,
thanks for raising this very important question.
Please use this ticket [1] for the discussion. So we will
be able to formulate the common position and put everything
into the documentation.
[1] https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/38
Regards
Anton
On Thu, 14 J
Hi,
thanks for this information. We do not have buster under LTS
control yet. But your information about a possibly vulnerable libxslt
is important. We will try to check it.
Regards
Anton
On Fri, 29 Jul 2022 at 06:31, Akira Shibakawa <arabishi...@gmail.com> wrote:
> Hi,
> CVE-2019-5
Hi Holger,
thanks for taking care of it!
Regarding your question, if there are not other objections, I would say
please go ahead with an upload (despite python2.7).
Regards
Anton
On Sat, 13 Aug 2022 at 11:30, Holger Levsen <hol...@layer-acht.org> wrote:
> On Fri, Aug 12, 2022 at 12:
it remains versioned, well, I do not know then. Maybe it is
better to include them in "debian-security-support-limited".
Regards
Anton
On Mon, 15 Aug 2022 at 21:11, Holger Levsen <hol...@layer-acht.org> wrote:
> On Mon, Aug 15, 2022 at 07:51:56PM +0200, Anton Gla
Hi Carsten,
thanks for the update! As buster is now in LTS hands, would you like
us to release a DLA?
Best regards
Anton
On Mon, 29 Aug 2022 at 17:58, Debian FTP Masters <ftpmas...@ftp-master.debian.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Dat
Hi Thomas,
thanks for the note. I have added the package into data/dla_needed.txt
with the corresponding message. So, somebody will take care of it.
Best regards
Anton
On Sun, 11 Sep 2022 at 12:51, Thomas Goirand wrote:
> Hi,
>
> In the OpenStack team git, there are updates for
Hi Chris,
I am not sure whether you are able to access this repo [1].
If not, the md file is attached; please update it
and feel free to send it to me.
b) I am not able to answer right now. Maybe some other
team members can help.
[1] https://gitlab.com/freexian/organization/website/
Anton
Hi,
thanks for the information. AFAIK skipping releases is not supported.
You have to go through all releases step-by-step.
Regards
Anton
On Mon, 24 Oct 2022 at 05:42, Otto Kekäläinen wrote:
> Hello LTS team!
>
> Users of Debian LTS are currently affected by a bug that prevents
> ski
Hi Stefano,
I would say we should rely only on the release and security suites; backports
are optional.
Just be sure to provide a smooth upgrade from both the release and the backports
suites.
Regards
Anton
On Sun, 30 Oct 2022 at 15:08, Stefano Rivera <stefa...@debian.org> wrote:
> I'm an uploa
Hi Tobias,
well, having a CI for most of the packages is the goal if it
is technically possible, but it is not a dogma. If it is very
difficult or not possible, feel free to deactivate some of
the tests or, in the worst-case scenario, just disable them
completely.
Regards
Anton
On Tue, 1 Nov 2022
Hi Sylvain,
thanks for your feedback!
As you know, one of our goals is to keep the git history of all {E,L}TS
uploads. Some semi-automatic repo creation scripts are in a test phase
to ease this process. I have created some repos and
imported the last available security versions of packages into th
Hi Sergio,
armel is not supported by LTS, nor are
some other platforms. One of the reasons is that
we have limited resources, so we can only support
a subset of the architectures.
Best regards
Anton
On Fri, 2 Dec 2022 at 14:21, Sergio Callegari wrote:
>
> From the LTS web site, I see
Hello Scarlett,
thanks for your email!
Please prepare a fix for the package, upload it to your salsa repo, and let
us know.
We will take care of adding the package to the dla-needed list and
preparing all the necessary steps for that.
If you prefer to upload the package on your own, we can also supp
Hi Daniel,
congratulations on your first update!
Some notes:
1) To be consistent with all other updates, please do not add the suffix
to the version number.
2) It is not quite a team upload. Better use "dch --lts", which converts it to
"* Non-maintainer upload by the LTS Security Team."
3) Please check
Hello Emilio,
thanks for this update! I will test it on a couple of projects in the
lts-team namespace, and if everything is OK, we will switch all of them
in a batch update.
So, does it mean that we can drop the gitlab-ci.yml in almost all repos and
keep it only for those where fine-tunin
Hello Emilio,
could you please provide an example of how the pipeline can be prepared?
I set the value here [1], but it looks like the pipeline did not start.
[1] https://salsa.debian.org/lts-team/packages/389-ds-base/-/pipelines
Thanks
Anton
On Thu, 16 Mar 2023 at 10:34, Emilio Poz
Hi Bastien,
thanks for the information. If you add it to the
NOTES of the dla-needed entry, the automatic unclaim
will skip it.
Best regards
Anton
On Mon, 10 Apr 2023 at 17:18, Bastien ROUCARIES <roucaries.bast...@gmail.com> wrote:
> Hi,
>
> In order to avoid a semi automatic unclaim, I w
Hi,
two CVEs might be irrelevant for Debian systems. Can they be
tagged as "unaffected"? Or do we have some systems where
/dev/urandom does not exist?
Thanks
Anton
he
> device that provide randomness in the system.
>
> I would have marked them as "minor issue".
>
> Cheers
>
> // Ola
>
>
> On Fri, 23 Jun 2023 at 06:49, Anton Gladky wrote:
> >
> > Hi,
> >
> > two CVEs might be irrelevant fo
Hello,
I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
is affected. There is no direct dependency on yajl, where the vulnerability
was found.
Should ruby-yajl be unmarked as affected by this CVE?
Thank you
Anton
Thanks all for the discussion.
@Tobias, thanks for marking the CVE in the list.
Best regards
Anton
On Wed, 5 Jul 2023 at 17:56, Tobias Frost wrote:
> On Wed, Jul 05, 2023 at 09:06:15AM +, Bastien Roucariès wrote:
> > On Wednesday 5 July 2023, 04:52:48 UTC Anton Gladk
not working and this has to be done in the case. Therefore I
> would request you to check the details:
>
> 1. DICOM HTTP status 200 OK .
>
> On Tue, Sep 12, 2023 at 1:50 PM Anton Gladky wrote:
>
>> -