Re: Bug#858973: wheezy-pu: package ejabberd/2.1.10-4+deb7u2

2017-03-31 Thread Guido Günther
Hi Philipp, On Wed, Mar 29, 2017 at 09:13:43PM +0200, Philipp Huebner wrote: > Hi Guido, > > > The changes look sane to me. Could you upload to wheezy-security? If you > > don't want to prepare the DLA yourself I can do that but then it would > > be awesome if this could happen on Friday earliest s

Re: Bug#858973: wheezy-pu: package ejabberd/2.1.10-4+deb7u2

2017-04-01 Thread Guido Günther
Hi Philipp, On Sat, Apr 01, 2017 at 11:52:28AM +0200, Philipp Huebner wrote: > Hi, > > Am 31.03.2017 um 14:32 schrieb Guido Günther: > > > I've tested the package (ejabberdctl, connecting different clients) and > > it looks good. During the upgrade I g

Updating to thunderbird 45.8.0

2017-04-08 Thread Guido Günther
Hi, it would be great if you could test the icedove / thunderbird packages at: https://people.debian.org/~agx/icedove-lts/ These include the icedove → thunderbird migration. We have one issue in wheezy when updating to thunderbird in wheezy: The following dictionary packages have a unversione

LTS Activity report for March 2017

2017-04-09 Thread Guido Günther
Hello, during March I only worked 4 of the allocated 8 hours on LTS. During this time I did the following: - qemu: prepared and released DLA-845-1 - LTS frontdesk - ejabberd: tested the package prepared by the maintainer and released DLA-881-1 Cheers, -- Guido

Call for testing: upcoming xen security update

2017-04-12 Thread Guido Günther
Hi, credativ prepared a new Xen update to fix CVE-2017-7228. It would be great if you could give it some more testing: https://korte.credativ.com/~fge/xen/ Cheers, -- Guido

Re: Bug#858973: wheezy-pu: package ejabberd/2.1.10-4+deb7u2

2017-04-16 Thread Guido Günther
Hi Markus, On Sun, Apr 16, 2017 at 08:43:36PM +0200, Markus Raab wrote: > Hello, > > Thanks for still maintaining wheezy. > > This security fix broke the N900 jabber (xmpp) client (included in Maemo). > > With 2.1.10-4+deb7u1 the N900 xmpp client was connecting without troubles, > since 2.1.10-

Re: Bug#858973: wheezy-pu: package ejabberd/2.1.10-4+deb7u2

2017-04-16 Thread Guido Günther
On Sun, Apr 16, 2017 at 04:44:22PM -0400, PICCORO McKAY Lenz wrote: > does any other tested the package with real production clients? Yes we did. -- Guido > > i could test that but its better upgrade event use a unmaintained package.. > > some times ago i try to maintain that package but the debi

Re: [SECURITY] [DLA 895-1] openoffice.org-dictionaries update

2017-04-19 Thread Guido Günther
Hi, On Thu, Apr 20, 2017 at 12:14:10AM +0200, Pascal-liste wrote: > Hello, > > Le 14/04/2017 à 21:23, Guido Günther a écrit : > > Package: openoffice.org-dictionaries > > Version: 3.3.0~rc10-4+deb7u1 > > Debian Bug : #646693 > > > > Th

Please test qemu-kvm packages

2017-04-30 Thread Guido Günther
Hi, I've backported the current cirrus code from current qemu to address several cirrus related CVEs. It would be great if somebody could test the packages at: https://people.debian.org/~agx/debian-lts/ Testing with non Linux and cirrus graphics would be very much appreciated. The whole s

xen packages up for test

2017-05-19 Thread Guido Günther
Hi, credativ put updated xen packages to fix XSA-214, XSA-215, XSA-200 (CVE-2016-9932) and CVE-2017-7995 here: https://korte.credativ.com/~fge/xen/ If you run xen it would be great to see if it works for you too. Cheers, -- Guido

Re: xen packages up for test

2017-05-23 Thread Guido Günther
y > * 1 domU under Centos 7 Thanks for your testing and feedback! -- Guido > > Thanks for your work :) > > Best, > > Hyacinthe Cartiaux > > > 2017-05-19 11:53 GMT+02:00 Guido Günther : > > Hi, > > credativ put updated xen packages to fix

Re: testing bind9 for Wheezy LTS

2017-05-25 Thread Guido Günther
Hi, On Sat, May 20, 2017 at 04:57:52PM +0200, Thorsten Alteholz wrote: > Hi everybody, > > I uploaded version 9.8.4.dfsg.P1-6+nmu2+deb7u16 of bind9 to: > > https://people.debian.org/~alteholz/packages/wheezy-lts/bind9/amd64/ > > Please give it a try and tell me about any problems you met. I've

Re: Marking autotrace as unsupported ?

2017-05-28 Thread Guido Günther
On Fri, May 26, 2017 at 03:51:58PM +0200, Raphael Hertzog wrote: > Hello, > > we have a very large number of CVE on autotrace which has been dropped > from all Debian releases except wheezy. The package is not used by any > LTS sponsor and its popcon is rather low (~400 but with 35 active users >

Re: timetable for LTS support

2017-05-29 Thread Guido Günther
Hi Jens, On Mon, May 29, 2017 at 07:54:30PM +0200, Jens Korte wrote: > Hi > I would like to update the timetable in [2], if nobody else does. I > would like to make sure, that I use the correct dates. Thanks for having a look! > > If Stretch is released on 2017-June-17 [1] Jessie gets oldstable.

Wheezy update of strongswan?

2017-06-01 Thread Guido Günther
. Just let us know whether you would like to review and/or test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of strongswan updates for the LTS releases. Thank you very much. Guido Gün

Wheezy update of perl?

2017-06-01 Thread Guido Günther
he updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of perl updates for the LTS releases. Thank you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of the LTS team m

Wheezy update of zookeeper?

2017-06-01 Thread Guido Günther
r test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of zookeeper updates for the LTS releases. Thank you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of th

Wheezy update of chicken?

2017-06-01 Thread Guido Günther
r test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of chicken updates for the LTS releases. Thank you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of the LTS

Wheezy update of picocom?

2017-06-01 Thread Guido Günther
r test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of picocom updates for the LTS releases. Thank you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of the LTS

tiff and CVE-2016-10095

2017-06-02 Thread Guido Günther
Hi Moritz, I'm trying to figure out the reasoning for @51764. This marks tiff as affected by CVE-2016-10095. However from the upstream bug and the changes we made in wheezy it looks like the changes we made already are sufficient to fix the issue. Do you have a hint why you think this is not the ca

Wheezy update of yodl?

2017-06-02 Thread Guido Günther
he updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of yodl updates for the LTS releases. Thank you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of the LTS team m

Wheezy update of ming?

2017-06-02 Thread Guido Günther
he updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of ming updates for the LTS releases. Thank you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of the LTS team m

Re: Marking autotrace as unsupported ?

2017-06-02 Thread Guido Günther
On Fri, Jun 02, 2017 at 10:06:32AM +0200, Raphael Hertzog wrote: > On Mon, 29 May 2017, Guido Günther wrote: > > > https://security-tracker.debian.org/tracker/source-package/autotrace > > > > Agreed. > > I updated the git repository of debian-security-support. S

Re: Wheezy update for Eglibc and libxml

2017-06-02 Thread Guido Günther
Hi VigneshDhanraj G, On Fri, Jun 02, 2017 at 12:41:18PM +0530, VigneshDhanraj G wrote: > Hi Team, > > I have a query regarding the security updates of eglibc and libxml, there > was a vulnerability in eglibc and libxml. Will we get any update or fix for > these vulnerabilities, I know that wheezy in

update of debian-security-support [was Re: Marking autotrace as unsupported ?]

2017-06-02 Thread Guido Günther
Hi, On Fri, Jun 02, 2017 at 11:32:07AM +0200, Raphael Hertzog wrote: > Hi, > > On Fri, 02 Jun 2017, Guido Günther wrote: > > > I updated the git repository of debian-security-support. Shall we release > > > an update of that package? > > > > We did not do s

Re: tiff and CVE-2016-10095

2017-06-02 Thread Guido Günther
On Fri, Jun 02, 2017 at 11:02:06AM +0200, Moritz Muehlenhoff wrote: > On Fri, Jun 02, 2017 at 10:25:29AM +0200, Guido Günther wrote: > > Hi Moritz, > > I'm trying to figure out the reasoning for @51764. This marks tiff as > > affected by CVE-2016-10095. However fro

Re: update of debian-security-support [was Re: Marking autotrace as unsupported ?]

2017-06-02 Thread Guido Günther
On Fri, Jun 02, 2017 at 12:27:47PM +0200, Moritz Muehlenhoff wrote: > On Fri, Jun 02, 2017 at 12:21:01PM +0200, Guido Günther wrote: > > Hi, > > On Fri, Jun 02, 2017 at 11:32:07AM +0200, Raphael Hertzog wrote: > > > Hi, > > > > > > On Fri, 02 Jun 2017, Gu

Re: update of debian-security-support [was Re: Marking autotrace as unsupported ?]

2017-06-02 Thread Guido Günther
On Fri, Jun 02, 2017 at 01:11:31PM +0200, Moritz Muehlenhoff wrote: > On Fri, Jun 02, 2017 at 12:53:58PM +0200, Guido Günther wrote: > > On Fri, Jun 02, 2017 at 12:27:47PM +0200, Moritz Muehlenhoff wrote: > > > On Fri, Jun 02, 2017 at 12:21:01PM +0200, Guido Günther wrote: >

Adding entries to d{l,s}a-needed.txt

2017-06-02 Thread Guido Günther
Hi, I was a bit embarrassed by the fact that I didn't get the sorting correct (again) in dla-needed.txt: So I came up with this: https://github.com/agx/emacs-tools/commit/2028d7a5548fb9cae641e45dc6f3a659f3b1839a With that "C-, L" adds a new entry at the right position in dla-needed.txt (for ds

LTS Activity report for May 2017

2017-06-02 Thread Guido Günther
Hi, during May I worked 8 of the allocated 8 hours on LTS. During this time I did the following: - qemu-kvm: Release DLA 939-1 fixing 3 video related CVEs. The actual work for this was mostly done in April already. - qemu-kvm: backport large parts of the 9pfs driver from qemu 2.8 to the wheezy

Re: tiff and CVE-2016-10095

2017-06-06 Thread Guido Günther
Hi Raphael, On Tue, Jun 06, 2017 at 12:05:14PM +0200, Raphael Hertzog wrote: > Hi, > > On Fri, 02 Jun 2017, Guido Günther wrote: > > > but it's not worth arguing and providing that in jessie might be useful > > > for > > > building building custom tools s

Please test thunderbird packages

2017-06-23 Thread Guido Günther
Hi, I've uploaded new thunderbird packages here: https://people.debian.org/~agx/icedove-lts/ Since this includes the switch to GTK+3 some more testing won't hurt. Note that this likely won't be the final package since upstream is looking into some gmail related fixes. Depending on when this w

Re: [Pkg-puppet-devel] Wheezy update of puppet?

2017-06-27 Thread Guido Günther
On Tue, Jun 27, 2017 at 12:52:52PM -0400, Antoine Beaupré wrote: > On 2017-06-27 11:53:24, Antoine Beaupré wrote: > > Are you sure of this? From what I can tell agents haven't been sending > > YAML in a long time. If I understand things correctly, facts are sent in > > a format defined by the `pref

LTS Activity report for June 2017

2017-07-06 Thread Guido Günther
Hi, during June I worked 9 of the allocated 9 hours on LTS. During this time I did the following: - Spent the second half of a week with LTS frontdesk duties. - Prepared a new debian-security-support package for wheezy, stretch and sid. The jessie update is prepared and pending review. - qemu-kv

Re: should ca-certificates certdata.txt synchronize across all suites?

2017-07-07 Thread Guido Günther
On Fri, Jul 07, 2017 at 03:57:35PM +0200, Philipp Kern wrote: > On 07/06/2017 08:01 PM, Antoine Beaupré wrote: > > In looking at fixing #858539 (blocking WoSign and StartCom, in CC) for > > wheezy, I noticed the issue was also pending in jessie. Furthermore, the > > idea originally raised by pabs[1

Re: testing bind9 for Wheezy LTS

2017-07-13 Thread Guido Günther
On Tue, Jul 11, 2017 at 10:22:03PM +0200, Thorsten Alteholz wrote: > Hi everybody, > > I uploaded version 9.8.4.dfsg.P1-6+nmu2+deb7u17 of bind9 to: > > https://people.debian.org/~alteholz/packages/wheezy-lts/bind9/amd64/ > > Please give it a try and tell me about any problems you met. It would b

Please test heimdal packages

2017-07-13 Thread Guido Günther
vice name validation. +(Closes: #868208) + + -- Guido Günther Thu, 13 Jul 2017 09:56:50 +0200 + heimdal (1.6~git20120403+dfsg1-2) unstable; urgency=low * Enable libcap-ng-dev only on Linux. Fixes FTBFS on kfreebsd-* and diff --git a/debian/patches/CVE-2017-11103-Orpheus-Lyre-

Re: samba4 package didn't bundle Heimdal

2017-07-14 Thread Guido Günther
Hi Andrew, On Thu, Jul 13, 2017 at 09:17:57PM +1200, Andrew Bartlett wrote: > https://security-tracker.debian.org/tracker/CVE-2017-11103 > > Back when samba4 (which has been eviscerated to a client) was a > package, it linked against the system heimdal. > > You can see this because it depends on

Wheezy update of memcached?

2017-07-19 Thread Guido Günther
r test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of memcached updates for the LTS releases. Thank you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of th

Wheezy update of gsoap?

2017-07-20 Thread Guido Günther
he updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of gsoap updates for the LTS releases. Thank you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of the LTS team m

Wheezy update of freeradius?

2017-07-20 Thread Guido Günther
r test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of freeradius updates for the LTS releases. Thank you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of the LTS

Re: Wheezy update of freeradius?

2017-07-20 Thread Guido Günther
do > > On Thu, Jul 20, 2017 at 6:25 PM, Guido Günther wrote: > > > Dear maintainer(s), > > > > The Debian LTS team would like to fix the security issues which are > > currently open in the Wheezy version of freeradius: > > https://security-tracker.

cacti CVE-2017-1000031

2017-07-21 Thread Guido Günther
Hi security team, I looked at CVE-2017-131 yesterday. After failing to exploit it via a SQL injection getting "validation errors". I then contacted the maintainer Paul Gevers and he replied promptly that this looks like a duplicate of CVE-2014-4002. Do you agree that this can be marked as not a

Re: should ca-certificates certdata.txt synchronize across all suites?

2017-07-21 Thread Guido Günther
Hi, On Fri, Jul 21, 2017 at 11:03:22PM +0200, Moritz Mühlenhoff wrote: > On Fri, Jul 21, 2017 at 09:51:45AM -0400, Antoine Beaupré wrote: > > On 2017-07-20 18:15:00, Philipp Kern wrote: > > > On 07/17/2017 09:41 PM, Antoine Beaupré wrote: > > >> Let's not jump the gun here. We're not shipping NSS i

Wheezy update of rbenv?

2017-07-22 Thread Guido Günther
Thank you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://anonscm.debian.org/viewvc/secure-testing/data/dla-neede

Wheezy update of krb5?

2017-07-22 Thread Guido Günther
he updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of krb5 updates for the LTS releases. Thank you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of the LTS team m

Wheezy update of libgd2?

2017-07-22 Thread Guido Günther
r test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of libgd2 updates for the LTS releases. Thank you very much. Guido Günther, on behalf of the Debian LTS team. PS: A member of the LTS

Re: Wheezy update of krb5?

2017-07-24 Thread Guido Günther
Hi Ben, On Mon, Jul 24, 2017 at 03:17:27PM -0500, Benjamin Kaduk wrote: > On Sat, Jul 22, 2017 at 06:47:25PM +0200, Guido Günther wrote: > > Dear maintainer(s), > > > > The Debian LTS team would like to fix the security issues which are > > currently open in the Wheezy

LTS Activity report for July 2017

2017-07-27 Thread Guido Günther
Hi, during July I worked 10 of the allocated 10 hours on LTS. During this time I did the following: - fix CVE-2017-11103 (Orpheus' Lyre) in heimdal resulting in DLA-1027-1 - look at CVE-2017-11103 in samba4 (not affected) - test new bind9 packages prepared by Thorsten Alteholz - one week of CVE t

LTS team Bof at Debconf

2017-08-06 Thread Guido Günther
Hi, Looking at the Debconf program I don't see a BoF scheduled for either the LTS nor the Security Team. Looking at last year's https://lists.debian.org/debian-lts/2016/07/msg00173.html we have tackled some of the points but others (DEP-8) are still open and we've already been discussing thin

Re: LTS team Bof at Debconf

2017-08-07 Thread Guido Günther
Hi, On Sun, Aug 06, 2017 at 10:07:31PM -0300, Guido Günther wrote: > Hi, > Looking at the Debconf program I don't see a BoF scheduled for either > the LTS nor the Security Team. Looking at last year's > > https://lists.debian.org/debian-lts/2016/07/msg00173.html >

Re: LTS team Bof at Debconf

2017-08-07 Thread Guido Günther
Hi, On Mon, Aug 07, 2017 at 08:13:24PM +0200, Sébastien Delafond wrote: > On Aug/07, Roberto C. Sánchez wrote: > > Would there be a willingness to allow remote participation via > > laptop+webcam? > > I don't know *how* it could be done, but Salvatore certainly would most > definitely be intereste

Re: LTS team Bof at Debconf

2017-08-08 Thread Guido Günther
Hi, On Mon, Aug 07, 2017 at 03:47:41PM -0400, Roberto C. Sánchez wrote: > On Mon, Aug 07, 2017 at 04:36:40PM -0300, Guido Günther wrote: > > Hi, > > On Mon, Aug 07, 2017 at 08:13:24PM +0200, Sébastien Delafond wrote: > > > On Aug/07, Roberto C. Sánchez wrote: > > &g

Debconf 2017 LTS BoF Summary

2017-08-08 Thread Guido Günther
Hi, here's a short summary from the BoF; * An internal review of the first commits to the security-tracker for new LTS team members by other LTS team members would be good. IMHO we should just do that. * The Security team requests help with keeping the list at https://security-tracker.debia

Re: Debconf 2017 LTS BoF Summary

2017-08-09 Thread Guido Günther
Hi, On Wed, Aug 09, 2017 at 03:05:31PM +0200, Sébastien Delafond wrote: > On Aug/09, Markus Koschany wrote: > > I intend to submit a patch for reportbug to implement the first part > > of this idea. It basically asks an additional question before the > > question about bccing multiple e-mail addres

Re: [tracker] New sub-states for issues tagged no-dsa

2017-08-11 Thread Guido Günther
Hi, On Fri, Aug 11, 2017 at 09:01:37PM +0200, Sébastien Delafond wrote: > After some discussion about what no-dsa really means, I've added 2 new > sub-states to the tracker, and they can be used as follows: > > CVE-2018-10012345 >- foo (bug #9876543) >[stretch] - shadow (Minor

wireshark CVEs in Jessie/Wheezy

2017-08-28 Thread Guido Günther
Hi Balint, looking at https://security-tracker.debian.org/tracker/source-package/wireshark we have some CVEs open in Wheezy. Since Jessie ships the same version I wanted to check that you're not already working (or planning to work) on an update to avoid duplicate work. If not I'd start looki

Fixing CVE-2017-7526 in for wheezy / jessie

2017-08-28 Thread Guido Günther
ncy=medium + + * Backport fixes for CVE-2017-7526 from STABLE-BRANCH-1-4 branch + + -- Guido Günther Mon, 28 Aug 2017 11:59:38 +0200 + gnupg (1.4.12-7+deb7u8) wheezy-security; urgency=high * Non-maintainer upload by the Debian LTS Team. diff --git a/debian/patches/security/CVE-2017-7526-rsa-Ad

Re: [pkg-gnupg-maint] Fixing CVE-2017-7526 in for wheezy / jessie

2017-08-28 Thread Guido Günther
Hi Niibe-san, On Tue, Aug 29, 2017 at 09:57:51AM +0900, NIIBE Yutaka wrote: > Hello, Guido, > > Guido Günther wrote: > > I just looked into fixing CVE-2017-7526 for gnupg in wheezy. Based on > > https://dev.gnupg.org/D438 I backported what I deemed are the necessary > &

thunderbird/icedove packages up for test

2017-08-31 Thread Guido Günther
Hi, please give the thunderbird packages https://people.debian.org/~agx/icedove-lts/ a try. I'll add a new enigmail soonish since the current version conflicts with the one in Wheezy. Cheers, -- Guido

Re: thunderbird/icedove packages up for test

2017-08-31 Thread Guido Günther
Hi, On Thu, Aug 31, 2017 at 03:26:14PM -0300, Lucas Kanashiro wrote: > Hi Guido, > > I installed your thunderbird packages in my wheezy VM and tried to do the > basic stuff (configure an account, create folder to filter emails, receive > and send emails, create tasks and use the calendar) and ever

LTS Activity report for August 2017

2017-09-03 Thread Guido Günther
Hi, during August I worked 10 of the allocated 10 hours on LTS. During this time I did the following: - Triaged 10+ Xen XSAs and forwarded the results to credativ so they can prepare an updated package. - Triaged several qemu CVEs and released DLA-1070-1 and DLA-1071-1 to fix the ones that af

Re: Accepted icedove 1:52.3.0-4~deb7u1 (source amd64 all) into oldoldstable

2017-09-06 Thread Guido Günther
Hi, On Wed, Sep 06, 2017 at 08:15:17PM +0200, Pascal Hambourg wrote: > Hello, > > The new icedove packages are not available for i386 yet. > If I understand correctly > > the i386 build failed. Yept, noticed already.

wheezy-security: New enigmail not showing up in arch Packages.gz

2017-09-07 Thread Guido Günther
Dear ftp-masters, I had to upload a new enigmail to wheezy-security to unbreak it with recent thunderbird. Old enigmail (2:1.8.2-4~deb7u2) was arch any while the new one is arch all (2:1.9.8.1-1~deb7u1). This somehow makes the new version now show up as available. It shows correctly here: http

Re: wheezy-security: New enigmail not showing up in arch Packages.gz

2017-09-11 Thread Guido Günther
Hi Ansgar, On Mon, Sep 11, 2017 at 10:38:00PM +0200, Ansgar Burchardt wrote: > Hi, > > Salvatore Bonaccorso writes: > > Explicitly adding ftp-masters (not sure if they just were bcc'ed) and > > full quoting below. AFAICT, the old packages need to be decrufted: > > The old arch-dep enigmail packag

Call for testing: upcoming xen security update

2017-09-14 Thread Guido Günther
Hi, credativ prepared a new Xen update to fix several CVEs. It would be great if you could give it some more testing: https://korte.credativ.com/~fge/xen/ Cheers, -- Guido

Re: Wheezy update of tcpdump?

2017-09-14 Thread Guido Günther
Hi Romain, On Sun, Sep 10, 2017 at 04:12:34PM +0200, Romain Francoise wrote: > Hi, > > On Fri, Sep 08, 2017 at 08:50:40PM +0200, Ola Lundqvist wrote: > > If that workflow is a burden to you, feel free to just prepare an > > updated source package and send it to debian-lts@lists.debian.org > > (via

Re: Wheezy update of tcpdump?

2017-09-15 Thread Guido Günther
Hi, On Thu, Sep 14, 2017 at 08:00:45PM +0200, Romain Francoise wrote: > Hi, > > On Thu, Sep 14, 2017 at 02:24:19PM +0200, Guido Günther wrote: > > This gives a 404 and the Vcs-Git doesn't have it either. Can you git > > push your changes? I can then test it on a live wh

Please test new samba packages

2017-09-22 Thread Guido Günther
Hi, I've uploaded new samba packages to fix 2 CVEs to https://people.debian.org/~agx/debian-lts/ Please give them a try. Cheers, -- Guido

Re: Adding autopkgtests for CVEs

2017-09-25 Thread Guido Günther
Hi Chris, On Mon, Sep 25, 2017 at 08:08:19AM +0100, Chris Lamb wrote: > Hi -lts, > > I recently had some success adding an autopkgtest for a CVE and > thought I might share: > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=874059;filename=874059.diff.txt;msg=29 > > You generate t

Re: Adding autopkgtests for CVEs

2017-09-25 Thread Guido Günther
Hi, On Mon, Sep 25, 2017 at 08:24:05AM +0100, Chris Lamb wrote: > Hi Guido, > > > Great! Could you tag these as "ease-lts" so we see bugs adding > > autopkgtests at a glimpse: > > What does "ease" here mean? "to ease s.th." == "to make s.th. simpler" or isn't this correct usage of the verb? Che

NMU debsecan for wheezy

2017-09-25 Thread Guido Günther
+1,11 @@ +debsecan (0.4.16+nmu2) unstable; urgency=medium + + * Update tracker URL. +Based on upstream commit 0fca4c0af14fdd2fab74982985dd2387df3af26c +(Closes: #842428) + + -- Guido Günther Mon, 25 Sep 2017 13:33:12 +0200 + debsecan (0.4.16+nmu1) unstable; urgency=low * Non-maintainer upload.

Re: NMU debsecan for wheezy

2017-09-27 Thread Guido Günther
Hi, On Mon, Sep 25, 2017 at 01:50:32PM +0200, Florian Weimer wrote: > * Guido Günther: > > > I'd like to update debsecan in Wheezy to fix #842428 with the attached > > debdiff and put out a corresponding DLA. O.k. ? > > Sure, please go ahead. Thanks for doing this. Uploaded, Thanks! -- Guido

Re: Call for testing: db

2017-09-29 Thread Guido Günther
Hi, On Wed, Sep 27, 2017 at 06:48:07PM +0200, Emilio Pozuelo Monfort wrote: > Hi, > > I've prepared fixes for CVE-2017-10140 which affects src:db (5.1), src:db4.7 > and > src:db4.8 in wheezy. Of those, the most important one is src:db, which is the > one with actual reverse dependencies. However

Re: for LTS

2017-09-30 Thread Guido Günther
Hi, On Sat, Sep 30, 2017 at 11:03:13AM +0200, Moritz Muehlenhoff wrote: > Hi, > when we're marking issues as for the suites supported > by the security team and if that issue is also marked in wheezy > (or whatever is LTS at the time), ok to also mark the LTS suite as > or do you want to do dea

CVE-2017-11735 in mp3split / libvorbis

2017-09-30 Thread Guido Günther
Hi Ron, Looking at https://anonscm.debian.org/cgit/users/ron/mp3splt.git/commit/?id=18f018cd774cb931116ce06a520dc0c5f9443932 do you really mean CVE-2017-11333¹? Isn't this CVE-2017-11735²? Both were reported in the same message. I can confirm that this fixes CVE-2017-11735 for me. Security

Re: CVE-2017-11735 in mp3split / libvorbis

2017-09-30 Thread Guido Günther
Hi Salvatore, On Sat, Sep 30, 2017 at 09:29:16PM +0200, Salvatore Bonaccorso wrote: > Hi Guido, > > On Sat, Sep 30, 2017 at 08:17:50PM +0200, Guido Günther wrote: > > Security team, if the CVE is in mp3splt not libvorbis do we need to give > > back the CVE and request a new o

Re: CVE-2017-11735 in mp3split / libvorbis

2017-09-30 Thread Guido Günther
Hi Ron, On Sun, Oct 01, 2017 at 06:53:51AM +1030, Ron wrote: > On Sat, Sep 30, 2017 at 08:17:50PM +0200, Guido Günther wrote: > > Hi Ron, > > Looking at > > > > > > https://anonscm.debian.org/cgit/users/ron/mp3splt.git/commit/?id=18f018cd774cb931116ce06

LTS Activity report for September 2017

2017-10-02 Thread Guido Günther
Hi, during September I worked 10 of the allocated 11 hours on LTS. During this time I did the following: * Prepared and tested an enigmail update to work with recent Thunderbird (DLA-1086-1) * Released the DLAs for Thunderbird and tcpdump prepared in August (DLA-1087-1, DLA-1090-1) * Fixed i38

Re: Call for testing: dnsmasq security update

2017-10-05 Thread Guido Günther
Hi Ben, On Thu, Oct 05, 2017 at 05:31:09PM +0100, Ben Hutchings wrote: > I've prepared a security update for dnsmasq in wheezy, fixing the > relevant CVEs: > > * CVE-2017-14491: DNS heap buffer overflow > * CVE-2017-14492: DHCPv6 RA heap overflow > * CVE-2017-14494: Infoleak handling DHCPv6

Re: Call for testing: db

2017-10-06 Thread Guido Günther
Hi, On Thu, Oct 05, 2017 at 10:53:26AM +0200, Emilio Pozuelo Monfort wrote: > On 29/09/17 20:55, Guido Günther wrote: > > Hi, > > On Wed, Sep 27, 2017 at 06:48:07PM +0200, Emilio Pozuelo Monfort wrote: > >> Hi, > >> > >> I've prepared fix

Re: CVE-2017-15185/mp3splt (was: Re: CVE-2017-11735 in mp3split / libvorbis)

2017-10-09 Thread Guido Günther
Hi Salvatore, On Mon, Oct 09, 2017 at 09:33:42PM +0200, Salvatore Bonaccorso wrote: > Hi > > On Sun, Oct 01, 2017 at 12:07:11AM +0200, Guido Günther wrote: > > > and I'll check with Salvatore if it's appropriate to inform oss-security > > once we got a n

Re: CVE-2017-15185/mp3splt (was: Re: CVE-2017-11735 in mp3split / libvorbis)

2017-10-12 Thread Guido Günther
Hi, On Tue, Oct 10, 2017 at 03:30:53PM +1030, Ron wrote: > On Mon, Oct 09, 2017 at 09:56:01PM +0200, Guido Günther wrote: > > Hi Salvatore, > > On Mon, Oct 09, 2017 at 09:33:42PM +0200, Salvatore Bonaccorso wrote: > > > Hi > > > > > > On Sun, Oct 01, 201

Re: Wheezy update of icedove?

2017-10-14 Thread Guido Günther
Hi, On Sat, Oct 14, 2017 at 07:23:45PM +0200, Ola Lundqvist wrote: > Dear maintainers, > > The Debian LTS team would like to fix the security issues which are > currently open in the Wheezy version of icedove: > https://security-tracker.debian.org/tracker/source-package/icedove > > Would you like

Re: Wheezy update of icedove?

2017-10-15 Thread Guido Günther
Hi Carsten, On Sun, Oct 15, 2017 at 09:46:15PM +0200, Carsten Schoenert wrote: > Hello Ola, > > Am 15.10.2017 um 13:59 schrieb Ola Lundqvist: > > Sounds good! I have updated dla-needed.txt now. > > I uploaded all thunderbird related packages within a new source package > named thunderbird to NEW

Re: Wheezy update of icedove?

2017-10-20 Thread Guido Günther
Hi Carsten, On Tue, Oct 17, 2017 at 09:05:38PM +0200, Carsten Schoenert wrote: > Am 15.10.2017 um 23:24 schrieb Guido Günther: > > Hi Carsten, > > On Sun, Oct 15, 2017 at 09:46:15PM +0200, Carsten Schoenert wrote: > >> Hello Ola, > >> > >> Am 15.10.2017 um

Re: Wheezy update of icedove?

2017-10-20 Thread Guido Günther
Hi, On Fri, Oct 20, 2017 at 01:10:56PM +0200, Moritz Muehlenhoff wrote: > On Fri, Oct 20, 2017 at 01:06:09PM +0200, Guido Günther wrote: > > Thanks. Looks good here on Wheezy. Any idea when the versions for Jessie > > and Stretch will be done? Wheezy was a straight rebuild

Re: KRACK update for wheezy

2017-10-23 Thread Guido Günther
Hi Antoine, (trimming the cc: list a bit) On Mon, Oct 23, 2017 at 07:43:49PM -0400, Antoine Beaupré wrote: > Hi, > > I have looked at backporting the "KRACK" patches down into wheezy. I'm a > little concerned about the results: I don't have a good grasp of WPA2 > and particularly of the wpa_suppl

Re: Wheezy update of icedove?

2017-10-30 Thread Guido Günther
Hi Carsten, On Fri, Oct 20, 2017 at 01:06:09PM +0200, Guido Günther wrote: > Hi Carsten, > On Tue, Oct 17, 2017 at 09:05:38PM +0200, Carsten Schoenert wrote: > > Am 15.10.2017 um 23:24 schrieb Guido Günther: > > > Hi Carsten, > > > On Sun, Oct 15, 2017 at 09:46:15PM

Re: Wheezy update of icedove?

2017-10-31 Thread Guido Günther
Hi, On Mon, Oct 30, 2017 at 09:29:13AM +0100, Moritz Mühlenhoff wrote: > On Mon, Oct 30, 2017 at 08:06:27AM +0100, Guido Günther wrote: > > I've seen preparation mails for Stretch and Jessie. Is there anything > > missing that I can help with? > > The stretch version i

LTS Activity Report for October 2017

2017-11-08 Thread Guido Günther
Hi, during October I worked 6.5 of the allocated 12 hours on LTS. During this time I did the following: * Triaged several qemu CVEs marking the unimportant ones as no-dsa and released DLA-1128-1 and DLA-1129-1 for qemu/qemu-kvm to fix CVE-2017-14167 and CVE-2017-15038. * Tested the dnsmasq pac

Call for testing: upcoming xen security update

2017-11-09 Thread Guido Günther
Hi, credativ prepared a new Xen update to fix several CVEs. It would be great if you could give it some more testing: https://korte.credativ.com/~fge/xen/ Cheers, -- Guido

Re: Call for testing: upcoming xen security update

2017-11-10 Thread Guido Günther
Hi Hyacinthe, On Fri, Nov 10, 2017 at 11:19:37AM +0100, Hyacinthe Cartiaux wrote: > Hi, > > Quickly tested on a devel server (replica of our production set up), > everything works: > > * paravirtualization mode only > * 2 network bridges > * pygrub > * 2 domU under Jessie > * 8 domU under Wheezy

Re: RFC: Peculiar dependency change in graphicsmagick

2017-11-10 Thread Guido Günther
Hi apo, On Fri, Nov 10, 2017 at 08:17:33PM +, Chris Lamb wrote: > Hi, > > Well spotted! > > > Please disregard. I have discussed this with apo in IRC. Everything is > > in order with the packages I built and I will be uploading them shortly. > > As I was curious, I checked IRC — for poster

Re: RFC: Peculiar dependency change in graphicsmagick

2017-11-10 Thread Guido Günther
Hi Markus, On Fri, Nov 10, 2017 at 10:22:51PM +0100, Markus Koschany wrote: > Hi Guido, > > Am 10.11.2017 um 21:34 schrieb Guido Günther: > > Hi apo, > > On Fri, Nov 10, 2017 at 08:17:33PM +, Chris Lamb wrote: > >> Hi, > >> > >> Well spotted

Re: RFC: Peculiar dependency change in graphicsmagick

2017-11-10 Thread Guido Günther
Hi, On Fri, Nov 10, 2017 at 04:29:09PM -0500, Roberto C. Sánchez wrote: > On Fri, Nov 10, 2017 at 10:22:51PM +0100, Markus Koschany wrote: > > > > It's more like a handling error. When I use gbp like that: > > > > ARCH=amd64 git-buildpackage --git-dist=wheezy > > > > the build will fail in debia

Updates to LTS/Development

2017-11-24 Thread Guido Günther
Hi, I've updated LTS/Development in the wiki a bit: - document "postponed" and "ignored" - clarify about security issues in LTS affecting LTS+1, LTS+2 and sid as well. https://wiki.debian.org/LTS/Development?action=diff&rev2=151&rev1=150 I'd welcome any feedback, corrections. Cheers, -- Gu

Open libvorbis CVEs

2017-11-24 Thread Guido Günther
Dear xiph maintainers, As part of fixing the open CVEs of vorbis in LTS I looked at: * CVE-2017-14633 https://gitlab.xiph.org/xiph/vorbis/issues/2329 As far as I understand things the maximum number of channels is hardcoded in vorbis: https://github.com/xiph/vorbis/blob/master/lib/back

[PATCH 1/3] report-vuln: Use spaces instead of tabs

2017-11-29 Thread Guido Günther
--- Hi, report-vuln has a mixture of tabs and spaces which made changing it hard so I changed everything to spaces. O.k. to apply? Cheers, -- Guido bin/report-vuln | 292 1 file changed, 146 insertions(+), 146 deletions(-) diff --git a/bin

[PATCH 2/3] report-vuln: don't fail if description_from_list return None

2017-11-29 Thread Guido Günther
If no description was found None is returned. This fixes Traceback (most recent call last): File "bin/report-vuln", line 237, in main() File "bin/report-vuln", line 234, in main gen_text(pkg, cve, affected=args.affected, blanks=args.blanks, severity=args.severity, cc=args.cc, cclist=
