you saying I should not worry about uploading my package at this
point in time?
--
Brian May
diff -u binutils-2.22/debian/changelog binutils-2.22/debian/changelog
--- binutils-2.22/debian/changelog
+++ binutils-2.22/debian/changelog
@@ -1,3 +1,20 @@
+binutils (2.22-8+deb7u3) wheezy-security; urgency=
g a combination of "minor" issues can be
> combined to allow more severe attacks. If the fixes are safe, I think they
> should be released.
I have a version available for testing:
https://people.debian.org/~bam/debian/pool/main/b/binutils/
--
Brian May
Brian May writes:
> I have a build of binutils for all pending CVEs except CVE-2016-4491,
My suspicion is that the wheezy version is vulnerable to CVE-2016-4491.
However in more recent versions d_print_comp has been split up into two
functions: d_print_comp which calls d_print_comp_inner t
Brian May writes:
> I have a build of binutils for all pending CVEs except CVE-2016-4491,
I had another look at CVE-2016-4491. Looks like the following patch from
upstream git is a prerequisite. Unfortunately this patch does not apply
cleanly either. So I found a potential prerequisite for t
.cmx
MLOPTdomain.cmx
MLOPTdomains.cmx
MLOPTconnection.cmx
File "connection.ml", line 117, characters 32-56:
Error: Unbound module Xenbus
make[7]: *** [connection.cmx] Error 2
--
Brian May
Raphael Hertzog writes:
> So I would suggest that you go for this and provide some Xen tree free
> of known security issues, then Brian (or someone else) can build test
> packages and we can ask some users to test the update.
This does sound like the best approach.
--
Brian May
the patch from the current version, below
is a URL to a version available for testing.
https://people.debian.org/~bam/debian/pool/main/b/binutils/
I have not found any regressions in my testing of this package.
If there are no objections I plan to upload this next Monday (18th).
--
Brian May
t this is a question that should be
asked first.
Regards
--
Brian May
uld be reasonably straightforward (famous last words?) to
apply the changes manually to the wheezy version, although the files
have moved (and automatic patching failed). If nobody takes this up by
next month I should have some time then to continue this.
--
Brian May
nse to rebase wheezy on latest 1.4.x (in
> particular since 1.4.x was a LTS version).
I am out of time for this month, however should be able to look at this
next month if nobody already has done so.
--
Brian May
g to the failing list however.
--
Brian May
Brian May writes:
> seem to be getting to the failing list however.
s/failing list/mailing list/
--
Brian May
Bastian Blank writes:
> Here you go:
>
> https://korte.credativ.com/~bbl/xen/xen_4.1.6.lts1~e98efe58-1.dsc
Thanks.
I don't have time right now, however will look at this early next week.
--
Brian May
-2016-4492_CVE-2016-4493.patch: Read/write access violations
* CVE-2016-6131.patch: Libiberty Demangler segfaults
* CVE-2016-.patch: Stack buffer overflow when printing bad bytes in
Intel Hex objects
* Researched security fix for kde4libs. In particular CVE-2016-6232.
--
Brian May
start off without
git. If there is any demand I can move things across (including prior
revisions) to git later.
--
Brian May
Brian May writes:
> In any case I am looking at doing this now, will start off without
> git. If there is any demand I can move things across (including prior
> revisions) to git later.
Attached is my current patch. It only includes changes to
debian/*. Still needs more work. In part
Hello,
I have a version of python-django 1.4.22 for wheezy-security available
for testing at:
https://people.debian.org/~bam/debian/pool/main/p/python-django/
Patch is basically the same as before, except I now include
CVE-2016-2513.diff and removed all the unused patches.
Regards
--
Brian
Raphael Hertzog writes:
> Yes, please.
Wheezy security has version 1.4.5-1+deb7u17
Git has version 1.4.5-1+deb7u12
So far I haven't found the missing versions in between, however will
keep looking.
--
Brian May
Brian May writes:
> So far I haven't found the missing versions in between, however will
> keep looking.
It helps if you look in the correct place :-)
http://snapshot.debian.org/package/python-django/
(I was getting confused and looking under archives.debian.org)
--
Brian May
ed on
the header value."
There are a number of projects in Debian that use twisted, should we
check each one?
Sure would be good if I had an example application that was confirmed
vulnerable.
--
Brian May
Brian May writes:
> Attached is my latest debdiff patch, only includes changes to debian/*.
I just uploaded this to wheezy-security. Not 100% certain my upload will
get accepted yet, my first attempt failed due to timeout error.
Do I need to publish a DLA for this? If so what should I say?
_GROUP': 'brian', 'SCHROOT_ALIAS_NAME': 'wheezy-amd64-default',
'_': '/usr/bin/python'}
I get similar results when testing on stretch. It looks like sid is the
same version 16.3.0-1.
I am inclined to say that no version of twisted, by itself, has this
vulnerability. However like I said earlier it is possible that
applications that use twisted have this vulnerability.
--
Brian May
Salvatore Bonaccorso writes:
> Hi,
>
> Just a quick comment on:
>
> On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote:
>> I am inclined to say that no version of twisted, by itself, has this
>> vulnerability. However like I said earlier it is possible th
load.
No, I can't reupload existing files, I get permission denied errors.
So I tried deleting the files, however didn't receive any notifications.
I tried uploading again, looks like it might have worked.
Thanks
--
Brian May
stribution, which is the usual reason for
these prefixes.
(besides, wouldn't a good time to mention this have been before I
uploaded, when I was asking for people to test it?)
--
Brian May
es that I know
of. Otherwise I would have listed them.
See https://lists.debian.org/debian-lts/2016/07/msg00069.html for the
reason why I uploaded.
Also see https://lists.debian.org/debian-lts/2016/08/msg00088.html.
--
Brian May
t one can easily read it in the mail client…
I was considering sending the text here and asking for help. This would
have delayed the DLA by up to 24 hours; however, my experience has been
that people get upset fast if the DLA isn't sent immediately.
I think in future I will just delay the DLA anyway.
--
Brian May