expression in the
+re_attr variable.
+The exploitation of this vulnerability could be triggered
+via the parse function.
+Fix CVE-2022-21222, CVE-2021-33587 (Closes: #989264, #1032188)
+
+ -- Bastien Roucariès Wed, 01 Mar 2023 15:33:15 +
+
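Review bot: the changelog entry closes two CVEs (CVE-2022-21222, CVE-2021-33587) but the visible description covers only one issue, the regular expression in re_attr reachable through parse; state which CVE each part of the fix addresses so the advisory text can be matched against the patch.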
node-css-what (2.1.0-1) unstable
triggered
+via the parse function.
+Fix CVE-2022-21222, CVE-2021-33587 (Closes: #989264, #1032188)
+
+ -- Bastien Roucariès Wed, 01 Mar 2023 15:33:15 +
+
node-css-what (2.1.0-1) unstable; urgency=medium
* new upstream version
diff -Nru node-css-what-2.1.0/debian/patches/0001-Partial
On Monday 20 March 2023, 08:31:59 UTC Emilio Pozuelo Monfort wrote:
Hi,
> On 19/03/2023 07:50, Bastien Roucariès wrote:
> > On Thursday 16 March 2023 09:34:17 UTC, you wrote:
> > Hi,
> >> Hi,
> >>
> >> I have been working in improving our Sal
Hi,
Here is my public monthly report.
Thanks to our sponsors for making this possible, and to Freexian for
handling the offering.
https://www.freexian.com/services/debian-lts.html#sponsors
In March (my first month) I spent my time on LTS as
- creating the right environment (pbuilder, tools) to
Hi,
Here is my public monthly report.
Thanks to our sponsors for making this possible, and to Freexian for
handling the offering.
https://www.freexian.com/services/debian-lts.html#sponsors
In April I spent my time on LTS as:
- fixing apache2 CVE-2023-25690 CVE-2023-27522. CVE-2023-25690 created
Hi,
This month's activity consisted of:
- releasing UWSGI fixing CVE-2023-27522, initially reported against apache2 but
that may affect old versions of uwsgi. I reported this finding to the CVE
database and the CVE was updated.
- the main part of the work was on imagemagick package:
* CVE-2021-36
Hi,
For the last two hours I tried to fix CVE-2022-46871 by backporting the timer
handling patch by patch until I got something approximately sane.
I believe it is not really the way to go:
- it is quite fragile
- upstream does not correctly create separate commits and creates periodic merges
from F
Hi,
I want to discuss CVE-2023-2884[0-2].
In order to be vulnerable the host kernel needs to disable the xt_u32 module.
Moreover upstream dropped support of xt_u32 for newer versions, see
https://github.com/moby/moby/commit/4d04068184cf34af7be43272db1687143327cdf7
Do we support only xt_bpf in bust
On Thursday 22 June 2023, 13:51:54 UTC Ben Hutchings wrote:
> On Thu, 2023-06-22 at 10:37 +0000, Bastien Roucariès wrote:
> > Hi,
> >
> > I want to discuss CVE-2023-2884[0-2].
> >
> > In order to be vulnerable the host kernel needs to disable the xt_u32 module.
On Friday 23 June 2023, 12:44:59 UTC Bastien Roucariès wrote:
> On Thursday 22 June 2023, 13:51:54 UTC Ben Hutchings wrote:
> > On Thu, 2023-06-22 at 10:37 +, Bastien Roucariès wrote:
> > > Hi,
> > >
> > > I want to discuss CVE-2023-2884[0-2].
On Tuesday 27 June 2023, 18:46:25 UTC Tobias Frost wrote:
> Hi,
>
> time for an small update:
>
> Please note that the packages offered below are WIP status and are intended
> for testing only.
>
> php-cas
> ===
>
> I've verified my patched version of php-cas against the apereo CAS
> imple
Hi,
This month's activity consisted of:
- releasing ELA-865-1 for imagemagick
- releasing ELA-869-1 for php-phpseclib including introducing a test suite.
- releasing ELA-875-1 for libxpm
- triaging yajl. The fix was not released but yajl is embedded in other packages. Check if
this CVE affects other packages and
Source: docker.io
Version: 18.09.1+dfsg1-7.1+deb10u3
Severity: serious
Justification: FTBFS
X-Debbugs-Cc: debian-lts@lists.debian.org
Dear Maintainer,
The current security version FTBFS for me with
-- FAIL: TestCheckoutGit (0.52s)
gitutils_test.go:188: assertion failed: error is not nil: exit
On Wednesday 5 July 2023, 04:52:48 UTC Anton Gladky wrote:
> Hello,
>
> I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
> is affected. There is no direct dependency on yajl, where the vulnerability
> was detected.
ruby-yajl includes an old version of yajl 1.01.12
The vuln cod
Hi,
I have uploaded a docker.io package under https://people.debian.org/~rouca/apt/
I would like some testing, and review, particularly of swarm mode.
Code is available as usual under git
https://salsa.debian.org/lts-team/packages/docker.io
Review of
https://salsa.debian.org/lts-team/packages/dock
I've worked during July 2023 on the below listed packages, for Freexian
LTS/ELTS [1]
Many thanks to Freexian and our sponsors [2] for providing this opportunity!
LTS:
docker.io:
* I have continued my work on docker.io and investigated FTBFS #1040141
linked to the fallout of CVE-2022-39253. This
I've worked during August 2023 on the below listed packages, for Freexian
LTS/ELTS [1]
Many thanks to Freexian and our sponsors [2] for providing this opportunity!
LTS:
===
docker.io:
* Santiago is trying to test my release. Testing is especially complicated due
to lack of integration test case
Hi,
I am trying to fix the CVE for SALT
Unfortunately this will need a backport of salt 3002.9 that in turn needs:
python3-saltfactories >= 0.907 (that need python3-setuptools (>= 50.3.2),
python3-setuptools-scm (>= 3.4) to be investigated)
python3-attr (>= 19.1)
I believe the first one used only
Hi,
I tried to fix CVE-2021-32686 by using the patch from upstream.
I think the problem is hard to solve:
- the patch does not apply cleanly and the backport will be difficult (moreover it is
hard to test this kind of race condition)
- ring uses a heavily patched PJSIP. A solution would be to use the repackage
On Thursday 28 September 2023, 22:46:41 UTC Bastien Roucariès wrote:
Hi,
An update
> Hi
>
> I am trying to fix the CVE for SALT
Salt needs to be updated due to a failure in the custom crypto protocol, which was
broken. Both server and client need to be updated due to protoc
I've worked during September 2023 on the below listed packages, for Freexian
LTS/ELTS [1]
Many thanks to Freexian and our sponsors [2] for providing this opportunity!
ELTS:
My work this month was concentrated on libreoffice. This is a huge package (with a
lot of lines of code) that takes a lo
On Friday 6 October 2023, 19:31:43 UTC Roberto C. Sánchez wrote:
> Hi Bastien,
>
> On Fri, Sep 29, 2023 at 09:12:57PM +, Bastien Roucariès wrote:
> > Hi,
> >
> > I tried to fix CVE-2021-32686 by using the patch from upstream.
> >
> > I think the pro
Hi,
I have an FTBFS that I am not able to fix on batik
https://salsa.debian.org/lts-team/packages/batik/-/commit/b91844ef6472d9e5ddada7593f844a9c23d55b6c
I have tried to add maven.compiler.source=1.7 without success
Any idea how to solve this?
Bastien
On Thursday 12 October 2023, 08:07:48 UTC Bastien Roucariès wrote:
Hi,
> Hi,
>
> I have an FTBFS that I am not able to fix on batik
>
> https://salsa.debian.org/lts-team/packages/batik/-/commit/b91844ef6472d9e5ddada7593f844a9c23d55b6c
Solved thanks to all
Bastien
>
>
I've worked during September 2023 on the below listed packages, for Freexian
LTS/ELTS [1]
Many thanks to Freexian and our sponsors [2] for providing this opportunity!
LTS
===
prometheus-alertmanager
---
I have released DLA 3609-1 following fixes from previous
I've worked during November 2023 on the below listed packages, for Freexian
LTS/ELTS [1]
Many thanks to Freexian and our sponsors [2] for providing this opportunity!
ELTS:
python3.5
---
Following previous month's work, I have finalized fixing the testsuite by
regenerating certifica
I've worked during November 2023 on the below listed packages, for Freexian
LTS/ELTS [1]
Many thanks to Freexian and our sponsors [2] for providing this opportunity!
ELTS:
The work consisted of fixing libreoffice both for stretch and jessie.
I have fixed CVE-2020-12801 CVE-2020-12802 CVE-2020
On Tuesday 2 January 2024, 14:53:22 UTC Bastien Roucariès wrote:
Hi,
Obviously the report should be read as for December 2023
> I've worked during November 2023 on the below listed packages, for Freexian
> LTS/ELTS [1]
>
> Many thanks to Freexian and our sponsors [2] for providing
I've worked during January on the below listed packages, for Freexian
LTS/ELTS [1]
Many thanks to Freexian and our sponsors [2] for providing this opportunity!
ELTS:
tinyxml
--
Fix CVE-2023-34194 and release ELA-1029-1.
Note that this project is dead upstream, but a fork seems ac
On Tuesday 27 February 2024, 05:31:01 UTC Sean Whitton wrote:
> Hello Bastien,
>
> Is there someway I could help with imagemagick under LTS? It looks like
> the status has been unchanged for some months. I'm not an expert but I
> can review things. Thanks!
>
>
Hi Sean,
I have made a few relea
I've worked during February on the below listed packages, for Freexian
LTS/ELTS [1]
Many thanks to Freexian and our sponsors [2] for providing this opportunity!
LTS
===
sudo
---
I have released DLA 3732-1, following previous month work.
Ansible
--
Following previous month work, I h
I've worked during March on the below listed packages, for Freexian
LTS/ELTS [1]
Many thanks to Freexian and our sponsors [2] for providing this opportunity!
LTS
===
composer
--
I triaged #1063603/CVE-2024-24821 and confirmed that this CVE does not affect
buster.
I backported local
I've worked during April on the below listed packages, for Freexian
LTS/ELTS [1]
Many thanks to Freexian and our sponsors [2] for providing this opportunity!
LTS
===
Putty
I have tested putty against Terrapin and released DLA 3794-1
Fixes for CVE-2024-31497 are proposed and await review
Hi
Could you test the shim that is here
https://salsa.debian.org/efi-team/shim/-/tree/buster/updates?ref_type=heads
I would like to test this on real hardware and kvm.
However, I fail to test the non-signed version, and I could not find
documentation on how to test.
Due to the particular nature of the
I've worked during May on the below listed packages, for Freexian
LTS/ELTS [1]
Many thanks to Freexian and our sponsors [2] for providing this opportunity!
LTS
===
apache2
I investigated the port of bullseye proposed by yadd, the maintainer, and made
some changes in order
to get apac
Hi,
After a few hours I get the impression that fixing CVE-2024-0914 even for
bookworm will be extremely hard (lack of constant time operations, massive code
changes...)
I suppose the best way is a full backport of unstable to buster and, for
ELTS, to stretch/jessie
What is your point of vi
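As an added illustration of what "lack of constant time operations" refers to in the message above (example code written for this page, not code from the affected package and not the fix for CVE-2024-0914; the sample tag bytes are constructed): a comparison that returns at the first differing byte does an amount of work that depends on secret data, so an attacker who can time it learns where the mismatch is, while the constant-time version always touches every byte and derives its result with masks instead of branches.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Variable-time comparison: returns at the first differing byte.
 * *steps receives how many bytes were examined, which depends on the
 * position of the first mismatch, i.e. on the secret being compared. */
int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *steps = i + 1;
            return 0;           /* early exit: running time depends on i */
        }
    }
    *steps = n;
    return 1;
}

/* All-ones mask when v == 0, all-zeros otherwise, without a branch. */
uint32_t ct_is_zero_mask(uint32_t v)
{
    /* (v | -v) has its top bit set exactly when v != 0 */
    return ~(((v | (0u - v)) >> 31) * 0xFFFFFFFFu);
}

/* Branch-free select: x when mask is all ones, y when mask is zero. */
uint32_t ct_select(uint32_t mask, uint32_t x, uint32_t y)
{
    return (mask & x) | (~mask & y);
}

/* Constant-time comparison: always examines all n bytes and never
 * branches on the data. Returns 1 if equal, 0 otherwise. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    uint32_t diff = 0;
    size_t i;
    for (i = 0; i < n; i++)
        diff |= (uint32_t)(a[i] ^ b[i]);   /* accumulate, do not branch */
    *steps = n;
    return (int)(ct_is_zero_mask(diff) & 1u);
}

/* Constructed sample inputs (not real data): an 8-byte tag and a
 * candidate that differs only at index 2. */
static const uint8_t SAMPLE_TAG[8]   = {0x4a, 0x11, 0xd3, 0x08, 0x9f, 0x70, 0x2c, 0xe5};
static const uint8_t SAMPLE_GUESS[8] = {0x4a, 0x11, 0x00, 0x08, 0x9f, 0x70, 0x2c, 0xe5};

/* How many bytes the leaky comparison touches on the sample mismatch. */
size_t steps_leaky_on_sample(void)
{
    size_t s = 0;
    leaky_compare(SAMPLE_TAG, SAMPLE_GUESS, sizeof SAMPLE_TAG, &s);
    return s;   /* 3: stops right after the first mismatch */
}

/* How many bytes the constant-time comparison touches on the same input. */
size_t steps_ct_on_sample(void)
{
    size_t s = 0;
    ct_compare(SAMPLE_TAG, SAMPLE_GUESS, sizeof SAMPLE_TAG, &s);
    return s;   /* 8: always the full length */
}

/* Both variants agree on the verdict: equal inputs give 1, the mismatch 0. */
int compare_results_agree(void)
{
    size_t s;
    int ok = 1;
    ok &= leaky_compare(SAMPLE_TAG, SAMPLE_TAG, 8, &s) == 1;
    ok &= ct_compare(SAMPLE_TAG, SAMPLE_TAG, 8, &s) == 1;
    ok &= leaky_compare(SAMPLE_TAG, SAMPLE_GUESS, 8, &s) == 0;
    ok &= ct_compare(SAMPLE_TAG, SAMPLE_GUESS, 8, &s) == 0;
    return ok;
}

int main(void)
{
    printf("leaky compare examined %zu bytes, constant-time compare examined %zu\n",
           steps_leaky_on_sample(), steps_ct_on_sample());
    return 0;
}
```

Both variants return the same verdict; only the work done differs (3 bytes versus 8 on the constructed mismatch). Whether a backport is feasible comes down to whether every branch on secret data in the affected code path can be rewritten this way; a code base that branches on secret data in many places cannot be fixed with a small patch.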
I've worked during May on the below listed packages, for Freexian
LTS/ELTS [1]
Many thanks to Freexian and our sponsors [2] for providing this opportunity!
LTS
===
sendmail
-
Following previous month's fix and in order to avoid regressions during upgrade
from buster to bullseye/bookwo
I've worked during July on the below listed packages, for Freexian
LTS/ELTS [1]
Many thanks to Freexian and our sponsors [2] for providing this opportunity!
LTS
===
imagemagick
Following previous month's fix and in order to avoid regressions during upgrade
from buster to bull
On Monday 12 August 2024, 00:27:17 UTC Mike Gabriel wrote:
> Hi Moritz, hi Santiago,
>
> On Sun 11 Aug 2024 12:57:23 CEST, Moritz Muehlenhoff wrote:
>
> > On Sat, Aug 10, 2024 at 11:19:24AM -0300, Santiago Ruano Rincón wrote:
> >> (I had tried to answer from the web debian-lts archive, and I don'
On Monday 12 August 2024, 16:15:53 UTC Bastien Roucariès wrote:
> On Monday 12 August 2024, 00:27:17 UTC Mike Gabriel wrote:
> > Hi Moritz, hi Santiago,
> >
> > On Sun 11 Aug 2024 12:57:23 CEST, Moritz Muehlenhoff wrote:
> >
> > > On Sat, Aug 10, 2024 at 11:
I've worked during August on the below listed packages, for Freexian
LTS/ELTS [1]
Many thanks to Freexian and our sponsors [2] for providing this opportunity!
LTS
===
MariaDB
Following triaging work for LTS/ELTS I proposed a NEWS entry for
the breaking change CVE-2024-21096. I hel
On Saturday 7 September 2024, 03:43:24 UTC Otto Kekäläinen wrote:
Hi,
I can also review here
Bastien
> Hi!
>
> I am willing to do the minor version security/bugfix imports for
> MariaDB 10.5.x and Galera 4.x to Bullseye, but to ensure highest
> quality and good process, I am seeking somebody wh
On Saturday 5 October 2024, 21:46:06 UTC Bastien Roucariès wrote:
Hi Mike,
> Could you test this
> https://salsa.debian.org/horde-team/php-horde-editor/-/merge_requests/1
>
> Please fix syntax errors, my PHP skills are old
>
> It will only normally run an editor, other thing ma
On Monday 30 September 2024, 16:18:51 UTC Bastien Roucariès wrote:
Hi,
a gentle reminder about libreoffice
> Hi,
>
> Can someone test why libreoffice fails under bullseye?
>
> Branch
> debian/bullseye
>
> repo
> g...@salsa.debian.org:lts-team/packages/libreoffice.
On Wednesday 2 October 2024, 09:54:16 UTC Mike Gabriel wrote:
> Hi Bastien,
>
> On Tue 01 Oct 2024 19:48:02 CEST, Bastien Roucariès wrote:
>
> > On Tuesday 1 October 2024, 17:02:40 UTC Sylvain Beucler wrote:
> >> Hello Mike,
> >>
> >> On
/ Ola
>
> On Mon, 30 Sept 2024 at 18:19, Bastien Roucariès wrote:
>
> > Hi,
> >
> > Can someone test why libreoffice fails under bullseye?
> >
> > Branch
> > debian/bullseye
> >
> > repo
> > g...@salsa.debian.org:lts-team
On Tuesday 15 October 2024, 07:40:40 UTC Sylvain Beucler wrote:
> Hi Bastien,
>
> On 11/10/2024 21:38, Bastien Roucariès wrote:
> > On Saturday 5 October 2024, 21:46:06 UTC Bastien Roucariès wrote:
> >> Could you test this
> >> https://salsa.debia
On Wednesday 16 October 2024, 00:22:28 UTC Bastien Roucariès wrote:
Hi Mike,
Could you have a look at it?
Bastien
> On Tuesday 15 October 2024, 07:40:40 UTC Sylvain Beucler wrote:
> > Hi Bastien,
> >
> > On 11/10/2024 21:38, Bastien Roucariès wrote:
> > > L
I've worked during October on the below listed packages, for Freexian
LTS/ELTS [1]
Many thanks to Freexian and our sponsors [2] for providing this opportunity!
LTS
===
apache2
I fixed regression in unstable
I fixed a regression in bookworm DSA 5729-2
I fixed a regression in bullseye
Hi,
Can someone test why libreoffice fails under bullseye?
Branch
debian/bullseye
repo
g...@salsa.debian.org:lts-team/packages/libreoffice.git
Note that current bullseye fails
Same error:
osl_Profile::oldtests::test_profile finished in: 1ms
(anonymous namespace)::Test::test finished in: 0ms
os
On Tuesday 1 October 2024, 17:02:40 UTC Sylvain Beucler wrote:
> Hello Mike,
>
> On 12/08/2024 18:40, Santiago Ruano Rincón wrote:
> > On 12/08/24 at 00:27, Mike Gabriel wrote:
> >> On Sun 11 Aug 2024 12:57:23 CEST, Moritz Muehlenhoff wrote:
> >>> On Sat, Aug 10, 2024 at 11:19:24AM -0300, S
I've worked during September on the below listed packages, for Freexian
LTS/ELTS [1]
Many thanks to Freexian and our sponsors [2] for providing this opportunity!
LTS
===
Cacti
---
I backported bookworm fixes
I fixed the autopkgtest suite
I investigated the status of CVE-2024-27082
I fixed CVE-2022-41444
Hi,
Can someone look at the build and patch of mpg123/bullseye
https://salsa.debian.org/multimedia-team/mpg123/-/tree/debian/bullseye?ref_type=heads
Thanks
Bastien
I've worked during October on the below listed packages, for Freexian
LTS/ELTS [1]
Many thanks to Freexian and our sponsors [2] for providing this opportunity!
LTS
===
ansible
---
This package is complicated due to being split between ansible and ansible-core
upstream, and massive code
pa
s copy?
> https://security-tracker.debian.org/tracker/source-package/node-dompurify
Oh, I forgot about this one
We should add an entry to the tracker.
I suppose the easier/safer option is to fix the embedded copy
Bastien
>
> Cheers!
> Sylvain
>
> On 26/12/2024 21:55, Bastien Roucariès wrote:
s copy?
> https://security-tracker.debian.org/tracker/source-package/node-dompurify
Done
>
> Cheers!
> Sylvain
>
> On 26/12/2024 21:55, Bastien Roucariès wrote:
> > Hi,
> >
> > I have just pushed a bookworm/bullseye cacti on git
> >
> > https
On Friday 11 October 2024, 19:38:46 UTC Bastien Roucariès wrote:
Hi Mike
A gentle reminder for testing
Bastien
> On Saturday 5 October 2024, 21:46:06 UTC Bastien Roucariès wrote:
> Hi Mike,
>
> > Could you test this
> > https://salsa.debian.org/horde-
Hi,
I have just pushed a bookworm/bullseye cacti on git
https://salsa.debian.org/debian/cacti
Can you review ?
Thanks
Hi,
Why was knot resolver added?
Do we have a particular CVE to solve?
Bastien
On Tuesday 11 February 2025, 13:10:13 UTC Lucas Kanashiro wrote:
OK, and ELTS 2.5 is also affected I suppose...
Will do
Bastien
> Hi,
>
> A regression in the latest ruby2.7 update was found by a Ubuntu user and
> reported here:
>
> https://bugs.launchpad.net/ubuntu/+source/ruby2.7/+bug/2097527
I've worked during October on the below listed packages, for Freexian
LTS/ELTS [1]
Many thanks to Freexian and our sponsors [2] for providing this opportunity!
LTS
===
ruby2.7
--
* I clarified with upstream the status of the CVEs and the commits fixing the CVEs
* I fixed CVE-2024-35176, CVE-2024-4194
On Wednesday 29 January 2025, 12:59:43 UTC Sylvain Beucler wrote:
> Hi Bastien,
>
> On 26/01/2025 18:27, Bastien Roucariès wrote:
> > I think I have fixed cacti but could someone test cacti/bookworm and
> > cacti/bullseye ?
> >
> > https://salsa.debian.org
Hi,
Can someone review
https://salsa.debian.org/ruby-team/ruby/-/commits/debian/bullseye ?
I did not fix CVE-2025-0306 because it is in fact an openssl bug (security team
notified)
Thanks
Bastien
On Sunday 12 January 2025, 16:50:05 UTC Tobias Frost wrote:
Hi
I have reviewed patches only against upstream for now
CVE-2023-42364-part2.patch; I think you could remove the why comment
+ if (t_info == TI_TERNARY) /* "?" operator */
//TODO: why?
Other patches seem o
Hi,
I think I have fixed cacti but could someone test cacti/bookworm and
cacti/bullseye ?
https://salsa.debian.org/debian/cacti
Thanks
Bastien
---
> > Debian LTS Advisory DLA-4018-1 debian-lts@lists.debian.org
> > https://www.debian.org/lts/security/ Bastien Roucariès
> > January 17, 2025 https://wiki.debian.org/LTS
> > -
I've worked during October on the below listed packages, for Freexian
LTS/ELTS [1]
Many thanks to Freexian and our sponsors [2] for providing this opportunity!
LTS
===
Ansible
---
I fixed CVE-2024-11079
I am investigating the autopkgtest failure
gstreamer
---
I fixed CVE-2024-47537
Hi,
I believe CVE-2024-23944 should be marked ignored for older releases:
- Persistent (and p-recursive) watches were introduced by ZOOKEEPER-1416, which
only exists in 3.6+. This is needed for the exploit
- according to upstream, classical watches are used (<< 3.6); it seems that to
trigger for nod
On Friday 20 December 2024, 08:03:49 UTC Adrian Bunk wrote:
> Hi,
>
> could someone with more knowledge about PHP look at the following:
>
> https://security-tracker.debian.org/tracker/CVE-2024-22640
> https://github.com/zunak/CVE-2024-22640
> https://security-tracker.debian.org/tracker/CVE-
On Sunday 23 February 2025, 22:52:57 UTC Adam D. Barratt wrote:
> On Sun, 2025-02-23 at 23:45 +0100, Hilmar Preusse wrote:
> > The patch solves an annoying issue:
> >
> > Proftpd does use the same server port for multiple passive FTP
> > connections.
> > Even when executing multiple simultaneo
I've worked during February on the below listed packages, for Freexian
LTS/ELTS [1]
Many thanks to Freexian and our sponsors [2] for providing this opportunity!
LTS
===
ruby2.7
---
I have fixed a regression and a previous DSA
cacti
---
Fix CVE and release a DSA 5862-1
krb5
--