On Wed, May 29, 2019 at 10:16:56AM +, Mike Gabriel wrote:
> HI Thijs,
>
> On Tue 28 May 2019 18:17:39 CEST, Thijs Kinkhorst wrote:
>
> > On Tue, May 28, 2019 16:01, Chris Lamb wrote:
> > > Mike Gabriel wrote:
> > >
> > > > The Debian LTS team would like to fix the security issues which are
>
On Tue, Jun 25, 2019 at 01:33:48PM +0200, Thomas Goirand wrote:
> Hi Ben and everyone else,
>
> Is $subject plan, and what's the ETA?
ETA: -7 days: https://lists.debian.org/debian-lts-announce/2019/06/msg00011.html
Cheers,
Moritz
On Sat, Aug 10, 2019 at 10:03:38AM +0200, Hugo Lefeuvre wrote:
> Hi,
>
> I am taking a look at clamav's zip bomb issue[0] in jessie. This issue is
> no-dsa in buster/stretch: "ClamAV is updated via -updates".
>
> What is this -updates mechanism? I might have missed something, does clamav
> have a
On Thu, Nov 28, 2019 at 12:03:25PM +, Holger Levsen wrote:
> - for stretch, I will upload to stretch-security and that's it.
Sounds good, I'll take care of releasing that.
Cheers,
Moritz
[debian-security@ is totally unrelated here, if you want to reach the
Security team the correct address is t...@security.debian.org]
On Wed, Mar 18, 2020 at 06:14:36PM +0100, Sylvain Beucler wrote:
> I excluded 3 out of 8 packages. I only added packages that actually
> contain the impacted code (V
On Thu, Mar 19, 2020 at 08:29:19PM +0100, Miroslav Skoric wrote:
> On 3/19/20 1:01 PM, Simon McVittie wrote:
>
> >
> > If you do not have a specific reason to stay on Debian 8 'jessie',
> > also consider upgrading to Debian 9 'stretch', and then from there to
> > Debian 10 'buster', which is the
On Tue, Jun 09, 2020 at 12:05:33PM +0200, Sylvain Beucler wrote:
> Do you plan to send a DSA?
Yeah, should go out tomorrow.
Cheers,
Moritz
On Tue, Jun 16, 2020 at 07:25:42AM +1000, Brian May wrote:
> Holger Levsen writes:
>
> > for d-s-s in jessie i'm still unsure, which version number to use
> > (see https://lists.debian.org/debian-release/2020/06/msg00136.html
> > for a summary of the problem). allocating and issuing the DLA will
On Wed, Jul 01, 2020 at 11:27:38AM +0200, Ansgar wrote:
> Hi,
>
> since LTS for Jessie has ended according to [1], can we disable uploads
> and prepare for archiving the release?
>
> I want to:
>
> 1. Stop accepting anything.
> 2. Have one Release with no Valid-Until for archive.d.o (to try to
>
On Wed, Jul 01, 2020 at 09:20:51PM +0530, Utkarsh Gupta wrote:
> 1. imagemagick/oldstable
>
> Right now, this package has been claimed in dla-needed.txt by Markus
> and in dsa-needed.txt by jmm.
Yeah, this is currently WIP and should be released soon. The buster-security
update is already release
> Security support for Stretch LTS will be handed over on July 18, 2020,
> after the last point release.
What's that supposed to mean? Support for oldstable ends on the 6th
And why was this not sent to team@s.d.o?
Cheers,
Moritz
On Thu, Jul 09, 2020 at 10:52:18AM +0100, Chris Lamb wrote:
> However, as I understand it, this pu bug has not been confirmed yet
> and this would actually update the version in oldstable to the
> 0.8.x branch anyway, i.e. larger than my 0.7.4-2+deb9u1. I therefore
> conclude that this is fine *thi
On Fri, Jul 10, 2020 at 11:55:37AM +0200, Sylvain Beucler wrote:
> Hi,
>
> On 10/07/2020 10:28, Moritz Mühlenhoff wrote:
> > On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote:
> >> Hi,
> >>
> >> - buster update
> >>
> >> I now "up-ported" my stretch work at:
> >> https://www.beuc.net
On Mon, Jul 13, 2020 at 08:16:03PM +1000, Brian May wrote:
> Sylvain Beucler writes:
>
> > On 07/07/2020 12:01, Emilio Pozuelo Monfort wrote:
> >> - it was brought up that some DLAs include personal signatures at the end
> >
> > In what context did you receive this feedback?
>
> I have found tha
On Tue, Sep 01, 2020 at 04:35:42PM +0200, Emilio Pozuelo Monfort wrote:
> On 01/09/2020 14:05, Christoph Martin wrote:
> > Hi,
> >
> > I am not sure if I can help, but I can try and have a look at it.
> >
> > Yes please upload your LLVM9 and wasi-libc backports.
>
> fwiw I started to look at th
On Wed, Sep 02, 2020 at 05:25:28AM +0900, Mike Hommey wrote:
> Note Firefox doesn't need wasi-libc at the moment. Neither does
> thunderbird AFAICT.
Not Firefox/Thunderbird itself, but rustc in the versions needed by ESR 78
build depends on it.
Cheers,
Moritz
On Wed, Nov 25, 2020 at 07:25:57PM +0530, Utkarsh Gupta wrote:
> Hello,
>
> On Wed, Nov 25, 2020 at 2:57 PM Sylvain Beucler wrote:
> > Consequently I believe we're not in a position to offer MongoDB security
> > support in LTS nor ELTS, and we need to drop it from our supported packages.
> >
> >
Hi,
CVE-2019-20218 isn't fixed in Stretch/LTS. Running the reproducer:
CREATE TABLE v0 (a);
CREATE VIEW v2 (v3) AS WITH x1 AS (SELECT * FROM v2) SELECT v3 AS x, v3 AS y
FROM v2;
SELECT * FROM v2;
On Thu, Dec 17, 2020 at 09:10:44PM +0100, Emilio Pozuelo Monfort wrote:
> Hi,
>
> There's a regression in both buster and stretch in the last update of lxml
> when running under Python 2:
>
> >>> import lxml.html.clean
> Traceback (most recent call last):
> File "", line 1, in
> File "/usr/l
On Wed, Dec 30, 2020 at 11:33:12PM +0100, Ola Lundqvist wrote:
> Hi
>
> Today I worked some on wireshark and concluded that all CVEs were postponed
> for buster.
See the README.Debian.security file shipped in the wireshark package for
context.
Cheers,
Moritz
On Mon, Apr 19, 2021 at 02:40:56PM +0200, Markus Koschany wrote:
> Hi,
>
> On Monday, 19.04.2021, 13:15 +0530, Utkarsh Gupta wrote:
> > Hello,
> >
> > There are 18 no-dsa marked entries for jackson-databind for buster,
> > the same ones I fixed for jessie and also the same ones that I intend
On Mon, May 17, 2021 at 11:54:05AM +0200, Ola Lundqvist wrote:
> Hi firmware-nonfree maintainers
>
> I have a question from an LTS perspective about the possible security
> updates we have for the firmware-nonfree package.
>
> You can find them here:
> https://security-tracker.debian.org/tracker/
Ola Lundqvist wrote:
> I only briefly looked at the CVEs.
If you haven't even looked at the issues properly don't waste other people's time.
On Wed, May 19, 2021 at 08:59:16PM +0200, Ola Lundqvist wrote:
> In any case, thank you for your help. Now I know that there are no such
> plans and you would not object to the LTS team doing an update on
> stable/buster. This was exactly what I wanted to know.
*sigh*, ofc you should _not_ look in
Hi Enrico,
> in the Developers's reference[1] it says, in boldface, that security
> updates should be built with "urgency=high".
This is incorrect advice and I have no idea where it came from. The urgency
is completely irrelevant for any security upload to LTS/oldstable/stable,
only for testing-secu
On Tue, May 31, 2022 at 05:42:00AM +, Mike Gabriel wrote:
> Hi Moritz, Salvatore, Sylvain,
>
> On Mon 30 May 2022 20:04:14 CEST, Moritz Mühlenhoff wrote:
>
> > On Sun, May 29, 2022 at 09:36:43AM +0200, Salvatore Bonaccorso wrote:
> > > While this is discouraged in general, we could opt here
On Mon, Jun 27, 2022 at 04:01:46PM +0200, Enrico Zini wrote:
> Hello,
>
> every once in a while I have a look at sox, which has many CVEs open and
> no updates since 3 months, wondering what could be done about it.
>
> It seems that all the CVEs have reproducers but not patches. Should I
> try to
On Wed, Jul 20, 2022 at 10:52:48AM +0100, Simon McVittie wrote:
> Control: unarchive -1
> Control: tags -1 + bookworm sid
>
> On Fri, 06 May 2022 at 15:25:00 +0100, Neil Williams wrote:
> > CVE-2022-27470[0]:
> > | SDL_ttf v2.0.18 and below was discovered to contain an arbitrary
> > | memory write
On Wed, Sep 07, 2022 at 09:32:15AM -0700, Noah Meyerhans wrote:
> The cloud team publishes images for various cloud environments
> (OpenStack, Amazon EC2, etc). The primary (and most popular, from the
> data I have) images use the main kernel, but we publish alternative
> images that boot the back
On Wed, Sep 14, 2022 at 11:34:57AM +0200, Santiago Ruano Rincón wrote:
> If I am not wrong, DLAs should be claimed/announced once the upload has
> been completed and accepted. I think this is documented here:
>
> https://wiki.debian.org/LTS/Development#Announce_the_update
>
> "Only when you have
On Thu, Sep 29, 2022 at 09:09:29AM +0200, Emilio Pozuelo Monfort wrote:
> On 28/09/2022 23:54, Ola Lundqvist wrote:
> > Hi Sylvain
> >
> > Took me a month to get down here in the email backlog. I think your
> > reasoning makes sense.
> > I have added the following to the LTS/Development page.
> >
On Sun, Oct 23, 2022 at 08:23:20PM -0700, Otto Kekäläinen wrote:
> Hello LTS team!
>
> Users of Debian LTS are currently affected by a bug that prevents
> skipping Debian releases. If skipping a release is not possible in an
> upgrade, it makes using LTS kind of moot.
Skipping a release has never
Version: 0.103.8+dfsg-0+deb10u1
On Tue, Feb 21, 2023 at 08:12:54PM +0100, Sebastian Andrzej Siewior wrote:
> +LTS
>
> On 2023-02-20 12:22:48 [+0200], Andries Malan wrote:
> > Hi There
> Hi,
>
> > Would you be so kind as to provide an ETA for the above mentioned bug that
> > was reported.
> > Thi
On Wed, Apr 12, 2023 at 10:58:15PM +0200, Salvatore Bonaccorso wrote:
> > - For python2.7, AFAIU you would be inclined to associate CVEs to that
> > package more often, for the duration of buster-lts, which would help a lot.
> > On the LTS side we'd like to associate all the past python3.x CVEs to
On Sat, Apr 22, 2023 at 04:12:53PM +0200, Salvatore Bonaccorso wrote:
> This is more a personal view: I do not see much benefit in keeping
> sqlite supported.
Agreed, while you're free to add entries for sqlite, it
feels without practical benefit.
Cheers,
Moritz
On Wed, Jun 07, 2023 at 01:43:26PM +0530, Utkarsh Gupta wrote:
> Hi Chris,
>
> On Wed, Jun 7, 2023 at 12:56 PM Salvatore Bonaccorso
> wrote:
> > Can you please have a look, as this seems to be caused by the DLA
> > issued as DLA-3447-1.
>
> This has been caused by the ruby2.5 update.
It's defi
On Mon, Jun 19, 2023 at 07:40:30PM +0200, Ben Hutchings wrote:
> On Mon, 2023-06-19 at 11:02 +, roucaries bastien wrote:
> > On Sun. 18 Jun 2023 at 19:16, Ola Lundqvist wrote:
> > [adding security team]
> [...]
> >
> > > You mention rebuild all reverse dependencies. Well I do not find any
On Fri, Jun 23, 2023 at 06:48:23AM +0200, Anton Gladky wrote:
> Hi,
>
> two CVEs might be irrelevant for Debian systems. Can they be
> tagged as "unaffected"? Or we have some systems, where
> /dev/urandom is not existing?
They are already marked as non-issues:
CVE-2023-31124 (c-ares is an asynch
On Thu, Jul 20, 2023 at 01:30:32PM +0300, Michael Tokarev wrote:
> Hi!
>
> It come to my attention that a discussion is happening about samba
> and LTS (and the same applies to oldstable too).
It's also worth noting that support for running Samba as an AD domain
controller was already EOLed two
On Sat, Aug 19, 2023 at 09:22:14PM +0530, Utkarsh Gupta wrote:
> Hey,
>
> On Sat, Aug 19, 2023 at 9:12 PM Vincent wrote:
> > It would be very appreciated if someone complete the
> > build of intel-microcode for the buster-security/non-free.
>
> Yep, I've uploaded the source but will upload the a
On Thu, Dec 21, 2023 at 07:30:51PM -0300, Santiago Ruano Rincón wrote:
> So let me ask you: are you interested in addressing the infrastructure
> limitations to handle those kind of packages? and having some help for
> that?
Foremost this is an infrastructure limitation that needs to be resolved:
On Fri, Dec 22, 2023 at 10:19:15AM -0300, Santiago Ruano Rincón wrote:
> On 22/12/23 at 09:54, Moritz Muehlenhoff wrote:
> > On Thu, Dec 21, 2023 at 07:30:51PM -0300, Santiago Ruano Rincón wrote:
> > > So let me ask you: are you interested in addressing the infrastructure
[ You missed the correct mailing list. debian-security is _not_
the correct way to reach the security team, fixing ]
On Sun, Dec 24, 2023 at 09:12:04AM +, Sean Whitton wrote:
> Hello,
>
> I have taken responsibility for fixing these CVEs in libssh in buster,
> as part of Freexian-funded LTS
On Mon, Mar 18, 2024 at 01:13:15PM +0100, Emilio Pozuelo Monfort wrote:
> [ Adding debian-dak@ to Cc ]
> > One solution which has been discussed in the past is to import a full copy
> > of stable towards stable-security at the beginning of each release cycle,
> > but that is currently not possible
Emilio Pozuelo Monfort wrote:
> Small nitpick: a CVE 'ignored' for (old)stable can still be fixed via point
> release. The sec-team could be contacted to update that triaging, but that's
> only ignored for (old)stable-security, not for (old)stable, where other
> criteria applies. The reason followi
Thorsten Alteholz wrote:
[ Adding DSA to the CC list ]
> On Mon, 18 Mar 2024, Emilio Pozuelo Monfort wrote:
> > > One solution which has been discussed in the past is to import a full copy
> > > of stable towards stable-security at the beginning of each release cycle,
> > > but that is currently
Hi Adrian,
> >...
> > > debdiffs contain only changes to debian/
> >
> > The bookworm/bullseye debdiffs looks good, please upload to
> > security-master, thanks!
>
> both are now uploaded.
DSA has been released, thanks!
> > Note that both need -sa, but dak needs some special attention when
>
On Mon, Apr 08, 2024 at 01:59:55PM +0200, Sylvain Beucler wrote:
> Hi,
>
> I think this requires a bit of coordination:
> - the package is basically dead upstream, there hasn't been a fix in the
> official repos, neither Debian or other distros attempted to fix them
Some of the past fixes got add
On Fri, Aug 09, 2024 at 06:35:19AM -0300, Santiago Ruano Rincón wrote:
> Indeed, that sound like a sensible approach. I can file the removal bug,
> if that is OK to you.
Please do so, thanks.
Cheers,
Moritz
On Sat, Aug 10, 2024 at 11:19:24AM -0300, Santiago Ruano Rincón wrote:
> (I had tried to answer from the web debian-lts archive, and I don't know
> why firefox ended up sending four empty emails to the list. Really sorry
> for the noise)
>
> On 31/05/22 at 05:42, Mike Gabriel wrote:
> > Hi M
On Wed, Sep 07, 2016 at 08:25:36AM -0400, Roberto C. Sánchez wrote:
> On Wed, Sep 07, 2016 at 11:07:16AM +0200, Bálint Réczey wrote:
> >
> > I have not found however the proposed fix on the list thus I did not
> > know if you used the upstream fix.
> >
> > I think it would be a good idea to send
On Thu, Sep 08, 2016 at 06:45:28AM -0400, Roberto C. Sánchez wrote:
> On Thu, Sep 08, 2016 at 07:29:55AM +0200, Guido Günther wrote:
> >
> > If you find useful information on e.g. howto reproduce the bug or about
> > the proper upstream fix use
> >
> >NOTE:
> >
> > See e.g. this entry from t
On Mon, Sep 12, 2016 at 12:52:32PM +0200, Hugo Lefeuvre wrote:
> Hi,
>
> > I'm counting 22 open CVEs for libav at the moment. Which of them do you
> > intend to address with your fixes? Do you mind working together with
> > Hugo Lefeuvre on some issues? I could imagine you both could pool your
> >
Markus Koschany wrote:
> Just to be clear a new upstream libav doesn't need to coincide with a
> Debian security update. It wouldn't do any harm though. Important is
> that we only fix security related issues and leave possible features out
> that are not strictly needed to fix the CVEs.
This is n
On Thu, Oct 20, 2016 at 05:00:36PM +0200, Guido Günther wrote:
> Please file these bugs! The security team has asked for help on this
> task on several occasions. It's on the LTS TODO list since the BoF at
> Debconf16:
>
>
> https://wiki.debian.org/LTS/TODO#Update_documentation_on_frontdesk
On Wed, Oct 26, 2016 at 11:09:54PM -0400, Roberto C. Sánchez wrote:
> On Tue, Oct 25, 2016 at 09:54:01PM +0200, Salvatore Bonaccorso wrote:
> > Hi Roberto
> >
> > Could you double-check/confirm if you see the same
> > https://bugs.debian.org/840691 in wheezy? Note although the bug is
> > still ass
On Thu, Oct 27, 2016 at 06:31:43AM -0400, Roberto C. Sánchez wrote:
> On Thu, Oct 27, 2016 at 08:54:39AM +0200, Moritz Muehlenhoff wrote:
> >
> > Salvatore mentioned that the same bug occurs when unstable has the security
> > patches merged (which hasn't happened so far
On Wed, Dec 21, 2016 at 05:27:30PM -0500, Antoine Beaupré wrote:
> Hi,
>
> We (the LTS team, but mainly me and buxy) are working on an update to
> the NSS package for wheezy, and we just packaged the upstream 3.26.2
> release since it was a minimal diff that was easy to review.
>
> We can't reall
On Fri, Feb 03, 2017 at 10:58:35AM +0100, Guido Günther wrote:
> Hi,
> while looking at the recent changes in data/CVE/list I noticed a bunch
> of gstreamer issues being added but not showing up in the output
> produced by lts-cve-triage. Reason was that they're marked as
> undetermined. The attach
On Fri, Mar 24, 2017 at 03:55:23PM +0100, Guido Günther wrote:
> Hi Roberto,
> On Fri, Mar 24, 2017 at 10:45:44AM -0400, Roberto C. Sánchez wrote:
> > On Fri, Mar 24, 2017 at 03:16:28PM +0100, Mathieu Parent wrote:
> > > Please wait a bit before uploading.
> > >
> > > There is a regression in jess
On Tue, Mar 28, 2017 at 03:11:41PM +0200, Raphael Hertzog wrote:
> Hello,
>
> So it looks like we have to tweak our workflow and/or build something
> to make sure that we do not miss to handle issues in such packages.
> What do you think ? What would be the proper approach ?
I'd suggest a cron job
On Tue, Mar 28, 2017 at 03:55:12PM +0200, Raphael Hertzog wrote:
> On Tue, 28 Mar 2017, Moritz Muehlenhoff wrote:
> > I'd suggest a cron job running once or twice per day, which keeps
> > a table of (current source package name / old source package name(s))
> > and a
On Tue, Mar 28, 2017 at 04:08:19PM -0400, Antoine Beaupré wrote:
> I constantly find myself struggling to find the actual DLA announcements
> when I browse the security tracker. Take for example:
>
> https://security-tracker.debian.org/tracker/CVE-2016-8743
>
> If you click on the DSA there:
>
>
On Thu, Apr 27, 2017 at 10:55:51AM +0200, Bolesław Tokarski wrote:
> I'm curious to see the version scope/some proof of a particular version not
> being affected by CVE-2016-10328.
See https://security-tracker.debian.org/tracker/CVE-2016-10328
> The reason I'm asking is because I'm maintaining
On Thu, Apr 27, 2017 at 01:04:54PM +0200, Bolesław Tokarski wrote:
> Hi,
>
> > See https://security-tracker.debian.org/tracker/CVE-2016-10328
>
> Nice, I see it's in 'fixed' state in 2.5.2-3+deb8u1 already. I guess it was
> not
> clear that this does not affect that version last time I checked
On Fri, May 19, 2017 at 04:23:25PM +, Hugo Lefeuvre wrote:
> Author: hle
> Date: 2017-05-19 16:23:25 + (Fri, 19 May 2017)
> New Revision: 51756
>
> Modified:
>data/CVE/list
> Log:
> CVE triage for libav in wheezy by Diego Biurrun
That's not okay. Why do you remove several entries?
Ch
On Fri, May 19, 2017 at 06:34:10PM +0200, Hugo Lefeuvre wrote:
> Hi Moritz,
>
> On Fri, May 19, 2017 at 06:25:43PM +0200, Moritz Muehlenhoff wrote:
> > On Fri, May 19, 2017 at 04:23:25PM +, Hugo Lefeuvre wrote:
> > > Author: hle
> > > Date: 2017-05-19
On Fri, Jun 02, 2017 at 10:25:29AM +0200, Guido Günther wrote:
> Hi Moritz,
> I'm trying to figure out the reasoning for @51764. This marks tiff as
> affected by CVE-2016-10095. However from the upstream bug and the
> changes we made in wheezy it looks like the changes we made already are
> suffici
On Fri, Jun 02, 2017 at 12:21:01PM +0200, Guido Günther wrote:
> Hi,
> On Fri, Jun 02, 2017 at 11:32:07AM +0200, Raphael Hertzog wrote:
> > Hi,
> >
> > On Fri, 02 Jun 2017, Guido Günther wrote:
> > > > I updated the git repository of debian-security-support. Shall we
> > > > release
> > > > an up
On Fri, Jun 02, 2017 at 12:53:58PM +0200, Guido Günther wrote:
> On Fri, Jun 02, 2017 at 12:27:47PM +0200, Moritz Muehlenhoff wrote:
> > On Fri, Jun 02, 2017 at 12:21:01PM +0200, Guido Günther wrote:
> > > Hi,
> > > On Fri, Jun 02, 2017 at 11:32:07AM +0200, Raphae
Hi,
when we're marking issues as for the suites supported
by the security team and if that issue is also marked in wheezy
(or whatever is LTS at the time), ok to also mark the LTS suite as
or do you want to do deal with that by yourself?
Specific example of such a change: r56270
Cheers,
On Fri, Oct 20, 2017 at 01:06:09PM +0200, Guido Günther wrote:
> Thanks. Looks good here on Wheezy. Any idea when the versions for Jessie
> and Stretch will be done? Wheezy was a straight rebuild of your work so
> Jessie and Stretch should be the same. I'd like to avoid having a newer
> version in
On Sat, Jan 27, 2018 at 05:34:00PM -0500, Roberto C. Sánchez wrote:
> I am in the process of preparing an update for clamav.
>
> I am curious as to what others might think of including an additional
> fix that is not technically security-related. It fixes a rather serious
> bug that causes clamd
On Thu, Feb 15, 2018 at 12:33:12PM +0100, Raphael Hertzog wrote:
> On IRC I learned that Moritz Muehlenhoff (jmm) started the work of
> backporting retpoline to gcc-4.9 for jessie. We need to do the same
> for gcc-4.6 (and maybe gcc-4.7) in wheezy. gcc-4.6 is used for the
> kernel bui
On Fri, Mar 09, 2018 at 11:45:58AM +0100, Santiago R.R. wrote:
> Hi,
>
> On 02/03/18 at 23:36, Sebastian Andrzej Siewior wrote:
> > On 2018-03-02 02:19:04 [+], Scott Kitterman wrote:
> > > Conveniently, upstream just released 0.99.4 that addresses this and some
> > > other issues. I'd
On Wed, Mar 14, 2018 at 10:07:40AM +0100, Mathieu Parent wrote:
> 2018-03-14 10:00 GMT+01:00 Paul Wise :
> > On Wed, Mar 14, 2018 at 4:42 PM, Mathieu Parent wrote:
> >
> >> See the attached patch for CVE-2018-1050 on samba 3.6. CVE-2018-10507
> >> is on the AD DC code which is not part of samba 3.6
On Sun, Apr 01, 2018 at 07:48:55AM -0400, Roberto C. Sánchez wrote:
> Additionally, when I checked the PTS for information on the recent jessie
> upload it
> was a binary upload built for amd64.
Source uploads to the security archive are only possible from stretch onwards.
Cheers,
Moritz
On Thu, Apr 12, 2018 at 03:44:36PM +0200, Ola Lundqvist wrote:
> I do not think we really have the possibility to postpone issues in LTS,
> right?
Why would you not?
Hugo Lefeuvre wrote:
I added a few more ming CVEs earlier the day, BTW.
> > > Second question: Even if Ming isn't present in unstable, the tracker
> > > still mentions (unstable) - (unfixed) in the second table. IMO this
> > > row makes no sense, is it a bug ?
> >
> > Then you can put:
> >
> >
On Tue, May 22, 2018 at 11:56:00AM +0200, Markus Koschany wrote:
> Hi all,
>
> we are approaching the end of Wheezy LTS on May 31. As usual we intend
> to communicate the end and start of a new LTS cycle on various channels.
> I have created the following draft which I intend to submit to the
> Pu
On Fri, May 25, 2018 at 10:16:43PM +0200, Markus Koschany wrote:
> Hi all,
>
> It is true that https://deb.freexian.com/extended-lts is not available
> yet but I assumed this will change on May 31. If not I can also delete
> the sentence about ELTS for now and add "More information will follow
> s
On Thu, Jun 07, 2018 at 08:08:06AM -0400, Antoine Beaupré wrote:
> On 2018-06-07 04:45:06, Chris Lamb wrote:
> > Hi Antoine,
> >
> >> A peculiar thing with the patchset is that it adds the --debug flag to
> >> the test suite: I don't know why, but it's the only way to make it pass
> >> the (new) te
On Tue, Jun 12, 2018 at 05:40:34PM +1000, Brian May wrote:
> 1. Tagging with / instead of .
None of those can be automated. The basic point of is that
we lack data to make a proper assessment.
The correct way to handle these is to triage
https://security-tracker.debian.org/tracker/status/undete
On Wed, Jun 13, 2018 at 05:19:40PM +1000, Brian May wrote:
> "as I said in the mailing list discussion, I don't like the usage of the
> undetermined tag... we use it to hide stuff we can't investigate under
> the carpet, I would much prefer that we put it as directly
> when it's the case, or othe
On Fri, Jun 15, 2018 at 05:21:55PM +1000, Brian May wrote:
> Brian May writes:
>
> > So we could write a script, lets say:
> > bin/list-potential-packages-affected-by-code-copies
>
> In investigating the possibility of this, I noticed the scripts in
> lib/python/sectracker use legacy python codi
On Fri, Jun 15, 2018 at 04:34:14PM +1000, Brian May wrote:
> Moritz Muehlenhoff writes:
>
> > On Wed, Jun 13, 2018 at 05:19:40PM +1000, Brian May wrote:
> >> "as I said in the mailing list discussion, I don't like the usage of the
> >> undetermined
On Thu, Jul 05, 2018 at 05:24:22PM +0200, Ola Lundqvist wrote:
> Hi Sebastian
>
> With this reasoning we cannot assume that a later release includes fixes for
> earlier releases for any package. Jetty seems to be actively and sanely
> maintained so I think the risk you point out is very lo
On Wed, Aug 08, 2018 at 11:14:52AM +0200, Gennaro Oliva wrote:
> Hi,
> I have prepared a regression update of my package slurm-llnl in jessie,
> because of:
To everyone working on LTS, there's also a process gap here; anyone who
releases a DLA should keep an eye on the BTS for about a week
after
On Wed, Aug 08, 2018 at 04:26:04PM +0100, Chris Lamb wrote:
> Dear Moritz,
>
> > > I have prepared a regression update of my package slurm-llnl in jessie,
> > > because of:
> >
> > To everyone working on LTS, there's also a process gap here; anyone who
> > releases a DLA should keep an eye on th
On Thu, Aug 16, 2018 at 05:12:11PM +1000, Brian May wrote:
> Note: This is only being sent to debian-LTS.
>
> > I am currently investigating CVE-2016-4975 for Apache2. The issue is
> > already two years old but was only made public yesterday. [1] I skimmed
> > through old commit messages but I cou
On Wed, Oct 17, 2018 at 03:57:50AM +0100, Ben Hutchings wrote:
> On Wed, 2018-10-17 at 03:18 +0100, Ben Hutchings wrote:
> > I've pushed backported fixes to a jessie-security branch at <
> > https://salsa.debian.org/debian/libssh>; and uploaded packages to <
> > https://people.debian.org/~benh/pack
On Mon, Oct 22, 2018 at 01:23:21PM +0200, Markus Koschany wrote:
> Hi,
>
> Several security vulnerabilities were discovered in Ghostscript in
> recent weeks. Although all known issues were fixed, there is still a
> chance that there are more of them, yet undiscovered. The security
> researcher who
On Sun, Oct 28, 2018 at 10:19:34PM -0700, Noah Meyerhans wrote:
> On Mon, Oct 22, 2018 at 11:23:50AM -0400, Antoine Beaupré wrote:
> > Ping! Any update here? Do you want us to help with the jessie or stretch
> > update?
>
> I'll be posting a message about the stretch update to debian-release
> sho
Hi,
if you fix any issues which were formerly tagged in a DLA, make sure
to remove the no-dsa in CVE/list as well, e.g. in the DLA-1568-1 for curl.
Cheers,
Moritz
On Tue, Nov 06, 2018 at 08:16:21PM +0100, Markus Koschany wrote:
> On 06.11.18 at 20:09 Moritz Muehlenhoff wrote:
> > Hi,
> > if you fix any issues which were formerly tagged in a DLA, make
> > sure
> > to remove the no-dsa in CVE/list as well, e.g. in the DLA-1568-1
On Wed, Nov 07, 2018 at 04:59:05PM +1100, Brian May wrote:
> I see libdatetime-timezone-perl is in dla-needed.txt, but I can't see
> *any* security vulnerabilities in
> https://security-tracker.debian.org/tracker/source-package/libdatetime-timezone-perl
There's no security issue in libdatetime-timez
On Thu, Nov 08, 2018 at 10:05:39AM +0100, Raphael Hertzog wrote:
> On Tue, 06 Nov 2018, Moritz Muehlenhoff wrote:
> > On Tue, Nov 06, 2018 at 08:16:21PM +0100, Markus Koschany wrote:
> > > On 06.11.18 at 20:09 Moritz Muehlenhoff wrote:
> > > > Hi,
> >
On Mon, Nov 19, 2018 at 03:43:59PM -0500, Antoine Beaupré wrote:
> and I haven't
> heard any negative (or positive) feedback on the build, so I'm going
> under the assertion that it doesn't cause too much trouble.
Realistically that means that no one tested them.
Cheers,
Moritz
On Wed, Nov 28, 2018 at 12:59:11PM +0100, Peter Dreuw wrote:
> Hi out there,
> Another option would be backporting the Xen
> 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10 (and following) package from
> Stretch to Jessie.
What would be the point? If you migrate to a complete new Xen release,
then you ca
Wrt https://lists.debian.org/debian-lts-announce/2018/12/msg0.html
The internal IDs from the tracker are _not_ meant for external publication,
this will only lead to stupid chain reactions where external parties
pick them up and then they perpetuate.
Either simply write "no CVE allocated" or rath