clickhouse - Please review

2022-11-01 Thread Tobias Frost
Hi, I'm currently working on clickhouse for LTS and imported the repository to the lts-team group [0]. As per git workflow instructions I ask for an exception to enable CI: I can't get CI working as during linking it seems to go OOM on the salsa workers. I've tried disabling lto (the package does

pngcheck - use new upstream version?

2022-12-09 Thread Tobias Frost
Hi, I was analyzing pngcheck this morning and I'm unsure how to proceed so any advice would be appreciated :) pngcheck has one CVE open [1], however it seems that there are multiple vulnerabilities, as upstream changelog [2] and homepage [3] mention them. Unfortunately upstream did major refact

Re: pngcheck - use new upstream version?

2022-12-12 Thread Tobias Frost
Hi, On Sat, Dec 10, 2022 at 01:50:48PM +0100, Salvatore Bonaccorso wrote: > Hi Tobias, > > Speaking of rebasing to 3.0.3, this is in fact what will happen for > pngcheck to be released as DSA by Moritz. He did rebuild pngcheck > 3.0.3-1 for bullseye (versioned 3.0.3-1~deb11u1). Thanks for your i

(E)LTS report for December 2022

2023-01-01 Thread Tobias Frost
After completing on-boarding in November, I've worked during December  on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and our sponsors [2] for providing this opportunity! LTS: - virglrenderer -- DLA 3232-1, fixing CVEs: CVE-2019-18388 CVE-2019-18389   CVE-20

(E)LTS report for January 2023

2023-01-31 Thread Tobias Frost
I've worked during January 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and our sponsors [2] for providing this opportunity! LTS: - libapreq2: DLA-3269-1 (CVE-2022-22728) - libde265: DLA-3260-1 (see ELA for CVE list) - modsecurity-apache: DLA-3280-1

(E)LTS report for February 2023

2023-03-01 Thread Tobias Frost
I've worked during February 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and our sponsors [2] for providing this opportunity! LTS: - wireshark/stretch: DLA-3313-1 (CVE-2022-4345 CVE-2023-0411 CVE-2023-0412 CVE-2023-0413 CVE-2023-0415 CVE-2023-0417)

(E)LTS report for March 2023

2023-04-02 Thread Tobias Frost
I've worked during March 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and our sponsors [2] for providing this opportunity! LTS: libde265: DLA-3352-1 (10 CVEs, see ELA for details) wireless-regdb: DLA-3356-1 (updating to newer version, for full suppor

Re: Incomplete: firmware-nonfree (20190114+really20220913-0+deb10u1) buster-security

2023-04-05 Thread Tobias Frost
Hi Philipp, thanks for the notice! On Wed, Apr 05, 2023 at 02:27:03PM +0200, Philipp Hahn wrote: > Hello Tobias, > > According to > > you uploaded the package to "buster-security", but only

(E)LTS report for April 2023

2023-05-01 Thread Tobias Frost
I've worked during April 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and our sponsors [2] for providing this opportunity! non-packaging = preparing "Forking repositories for the LTS namespace" LTS: intel-microcode: DLA-3379-1 (paperwo

Re: (E)LTS report for April 2023

2023-05-04 Thread Tobias Frost
in "Re: (E)LTS report for April 2023": > > On Mon, May 01 2023 at 12:33:51 +0200, Tobias Frost scribbled > > in "(E)LTS report for April 2023": > > > I've worked during April 2023 on the below listed packages, for Freexian > > > LTS/ELTS [1]

Re: nvidia-graphics-drivers in DLA needed?

2023-05-07 Thread Tobias Frost
Hi, (this thread is linked in dla-needed.txt and such) I'm not sure about the status of the nvidia drivers in LTS, so I thought it is better to ask whether or not we support nvidia-drivers. That said, I've just claimed them from dla-needed.txt and will work on them, unless someone tells me not to do so

Re: nvidia-graphics-drivers in DLA needed?

2023-05-10 Thread Tobias Frost
On Wed, May 10, 2023 at 10:00:11AM +0200, Emilio Pozuelo Monfort wrote: > On 07/05/2023 10:20, Tobias Frost wrote: > > Hi, > > > > (this thread is linked in dla-needed.txt and such) I'm not sure > > about the status of the nvidia drivers in LTS, so I thought it &

Re: nvidia-graphics-drivers in DLA needed?

2023-05-11 Thread Tobias Frost
On Wed, May 10, 2023 at 06:09:16PM +0200, Emilio Pozuelo Monfort wrote: > On 10/05/2023 11:42, Tobias Frost wrote: > > On Wed, May 10, 2023 at 10:00:11AM +0200, Emilio Pozuelo Monfort wrote: > > > On 07/05/2023 10:20, Tobias Frost wrote: > > > > Hi, > > > &

(E)LTS report for May 2023

2023-06-05 Thread Tobias Frost
I've worked during May 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and our sponsors [2] for providing this opportunity! non-packaging = continuing on "Forking repositories for the LTS namespace" LTS: nvidia-graphics-driver: Triaging a

nvidia-cuda-toolkit for buster

2023-06-09 Thread Tobias Frost
Hi, I'm currently triaging nvidia-cuda-toolkit for buster: buster has 9.2.148-7+deb10u1, which is upstream version 9.2.148 with patch 1 [1] This seems to be the latest upstream version from the 9.2 series, and 9.2.x seem to be EOL, so there is no new upstream release expected to target any bugs or

Re: RFC: php-cas

2023-06-20 Thread Tobias Frost
(As suggested, I'm moving the discussion to debian-lts@lists.debian.org, CC'ing the security team) > On 19/06/2023 18:17, Tobias Frost wrote: > > Hey, > > > > As I am currently preparing a fix for php-cas to tackle CVE-2022-39369 [1], > > and > > a

Re: RFC: php-cas (CVE-2022-39369)

2023-06-24 Thread Tobias Frost
ted behind an authenticated HTTP zone) [a] https://github.com/fusiondirectory/fusiondirectory/blob/919b407cdf5c409b20c500e6eadecf0c62270aac/include/login/class_LoginCAS.inc#L48C16-L48C16 On Tue, Jun 20, 2023 at 04:14:42PM +0200, Tobias Frost wrote: > (As suggested, I'm moving the discussion to deb

Re: RFC: php-cas (CVE-2022-39369)

2023-06-27 Thread Tobias Frost
e security team -- Cheers, tobi On Sat, Jun 24, 2023 at 01:43:12PM +0200, Tobias Frost wrote: > Hi, > > (Adding yadd as suggested on IRC, solicating yadd's input as well) > > Some updates on php-cas: > > I've continued to work on php-cas to better assess > the si

Re: RFC: php-cas (CVE-2022-39369)

2023-06-29 Thread Tobias Frost
/ (The buster php-cas has been updated to include a NEWS file, but is otherwise unchanged. Those are available from https://people.debian.org/~tobi/php-cas/) cheers, -- tobi On Tue, Jun 27, 2023 at 08:46:25PM +0200, Tobias Frost wrote: > Hi, > > time for an small update: > > Pleas

(E)LTS report for June 2023

2023-07-01 Thread Tobias Frost
I've worked during June 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and our sponsors [2] for providing this opportunity! LTS: nvidia-cuda-tools: Triaging with the result that an update probably does not make sense as fixes for CVEs are not availabl

Re: [SECURITY] [DLA 3478-1] yajl security update

2023-07-02 Thread Tobias Frost
On Sun, Jul 02, 2023 at 01:11:11PM +0200, Tobias Frost wrote: > - > Debian LTS Advisory DLA-3478-1 debian-lts@lists.debian.org > https://www.debian.org/lts/security/ Tobias Fro

Re: CVE-2023-33460, ruby-yajl affected?

2023-07-05 Thread Tobias Frost
Am 5. Juli 2023 04:52:48 UTC schrieb Anton Gladky : >Hello, > >I am looking into CVE-2023-33460 and I am not sure that ruby-yajl >is affected. There is no direct dependency on yajl, where the vulnerability >was detected. > >Should ruby-yajl be unmarked as affected by this CVE? > >Thank you > >Anton

Re: CVE-2023-33460, ruby-yajl affected?

2023-07-05 Thread Tobias Frost
On Wed, Jul 05, 2023 at 09:06:15AM +, Bastien Roucariès wrote: > Le mercredi 5 juillet 2023, 04:52:48 UTC Anton Gladky a écrit : > > Hello, > > > > I am looking into CVE-2023-33460 and I am not sure that ruby-yajl > > is affected. There is no direct dependency on yajl, where the vulnerability

(E)LTS report for July 2023

2023-08-01 Thread Tobias Frost
I've worked during July 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and our sponsors [2] for providing this opportunity! LTS: renderdoc: DLA-3501-1 - CVE-2023-33863, integer overflow possibly allowing RCE - CVE-2023-33864, integer underflow, possib

(E)LTS report for August 2023

2023-09-03 Thread Tobias Frost
I've worked during July 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! LTS: zabbix - DLA-3538-1 (see advisory for details.) A noteworthy change is for CVE-2013-7484, which changes the way the pass

suricata

2023-09-24 Thread Tobias Frost
Hi Adrian, I've just claimed "suricata" for LTS, and the log says that you've already worked on the package. Unfortunately I could not find any repository for your LTS changes, if there are some already, can you advise where to look? -- Cheers, tobi

Re: suricata

2023-09-25 Thread Tobias Frost
Hi Adrian, On Mon, Sep 25, 2023 at 03:06:52PM +0300, Adrian Bunk wrote: > On Sun, Sep 24, 2023 at 11:34:55AM +0200, Tobias Frost wrote: > > Hi Adrian, > > Hi Tobias, > > > I've just claimed "suricata" for LTS, and the log says that you've > > al

(E)LTS report for September 2023

2023-10-01 Thread Tobias Frost
I've worked during September 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! ELTS: zabbix - ELA-945-1, ELA-957-1 After zabbix has been released in August for buster (DLA-3538-1), I've continued to wor

(E)LTS report for October 2023

2023-11-01 Thread Tobias Frost
I've worked during October 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! ELTS: firmware-nonfree - ELA-981-1 This was a continuation of DLA-3596-1, which I've released in September, this time for EL

Re: tinymce git repository

2023-11-30 Thread Tobias Frost
Am 30. November 2023 09:29:32 UTC schrieb Sean Whitton : >Hello Anton, > >Ola added tinymce to dla-needed.txt. > >I found . > >Could you let me know why the repository was archived? > >Thanks. > the repository was one of those with an

(E)LTS report for November 2023

2023-12-02 Thread Tobias Frost
I've worked during November 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! LTS: freerdp2: (DLA-3654-1) Third time is a charm. After tackling it in September and October, with DLA-3606-1 fixing a lo

(E)LTS report for December 2023

2024-01-03 Thread Tobias Frost
I've worked during December 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! opendkim - DLA-3680-1 (This is ELA-1017-1, but for buster) On mentors.d.n a RFS caught my eyes; the package maintainer has worked o

(E)LTS report for January 2024

2024-02-03 Thread Tobias Frost
I've worked during January 2024 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! LTS and ELTS - paramiko - CVE-2023-48795 Unfortunately only _after_ backporting the patch for CVE-2023-48795 (terrapin) and fighting wi

(E)LTS report for February 2024

2024-03-02 Thread Tobias Frost
I've worked during February 2024 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! ELTS and LTS: nss (WIP) = nss has currently three (buster) and four (jessie,stretch) open vulnerabilities. Some of the patc

(E)LTS report for March 2024

2024-04-04 Thread Tobias Frost
I've worked during March 2024 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! ELTS and LTS: nss (DLA 3757-1, ELA-1054-1) Completed testing on nss and uploaded the package to LTS and

(E)LTS report for April 2024

2024-05-02 Thread Tobias Frost
I've worked during March 2024 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! ELTS and LTS: expat (ELTS) Last month I've worked on expat for LTS (CVE-2023-5242), and the work continued for ELTS - jessi

(E)LTS report for May 2024

2024-06-03 Thread Tobias Frost
I've worked during May 2024 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! ELTS and LTS: gnutls28 (ELA-1090-1) = This involved a lot of triaging and some verdicts were that the version in EL

(E)LTS report for August 2024

2024-09-03 Thread Tobias Frost
I've worked during August 2024 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! frr (DLA-3865-1) I've previously uploaded frr for buster; this is basically a revisit of a previous upload, DLA-3797-1,

(E)LTS report for September 2024

2024-10-06 Thread Tobias Frost
I've worked during September 2024 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! firmware-nonfree (ELA-1179-1) = (As already announced in August), at that time still WIP, the upload upda

(E)LTS report for October 2024

2024-11-03 Thread Tobias Frost
I've worked during September 2024 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! php-horde-turba (DLA-3923-1) Fixing an arbitrary object deserialization vulnerability in php-horde- turb

intel-microcode update for stable, LTS and ELTS

2024-11-30 Thread Tobias Frost
Hi Henriquie, I've just claimed intel-microcode for LTS and ELTS, I'm going to prepare the packages for jessie to bullseye, based on your latest upload to sid (with the changes from trixie reverted that need reverting) In the course of this I can also prepare an upload to stable-proposed-updates,

Re: [SECURITY] [DLA 3909-1] zabbix security update (updated information to previous announcement)

2024-12-07 Thread Tobias Frost
00, Tobias Frost wrote: > - > Debian LTS Advisory DLA-3909-1 debian-lts@lists.debian.org > https://www.debian.org/lts/security/ Tobias Frost > October 03, 2024

(E)LTS report for January 2025

2025-01-31 Thread Tobias Frost
I've worked during January 2025 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! busybox (DLA-4019-1 ELA-1311-1) === This month I worked on busybox for LTS and ELTS, fixing 12-14 CVEs per

Re: LTS version > stable or wait?

2025-02-06 Thread Tobias Frost
Hi Adrian, I've just seen that you have claimed freerdp2 for bullseye. Would you mind if I take that package? Background is https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/187, basically I was in contact with Santiago via IRC to coordinate the update for freerdp2 for stable and figure

(E)LTS report for November 2024

2024-12-06 Thread Tobias Frost
I've worked during November 2024 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! smarty3 (DLA-3956-1, ELA-1237-1) Fixed three CVEs for smarty3, a PHP templating engine. CVE-2018-2504

Review busybox for bullseye

2025-01-12 Thread Tobias Frost
Hi everyone, I've prepared a candidate for busybox (currently ready for bullseye, next would be buster, but as it has a lot of synergy it makes sense to call for testing already now). As busybox is, well, a very important package I'd appreciate having some extra quality control on that one, so

(E)LTS report for December 2024

2025-01-04 Thread Tobias Frost
I've worked during December 2024 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! intel-microcode (DLA-4002-1, ELA-1276-1) As reported in November additional fixes introduced

(E)LTS report for March 2025

2025-04-05 Thread Tobias Frost
I've worked during March 2025 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! intel-microcode (DLA-4095-1, ELA-1364-1) Intel updated their provided microcodes, this update sy

Re: CVE-2025-27773 / #1100595 / Re: simplesamlphp 2.x for trixie? (Re: Bug#1088816: Current version not supported)

2025-04-28 Thread Tobias Frost
Hi Joost, I've been working on simplesamlphp yesterday, and the current status of my backport of the patch for CVE-2025-27773 is in the lts team repo [1] [1] https://salsa.debian.org/lts-team/packages/simplesamlphp/-/tree/debian/bullseye/ Help in testing the changes would be very helpful, so

(E)LTS report for April 2025

2025-04-30 Thread Tobias Frost
I've worked during April 2025 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! abseil (DLA-4116-1) === Started in March, I've finished the work on abseil to address CVE-2025-0838. I've also uploaded

(E)LTS report for February 2025

2025-03-02 Thread Tobias Frost
I've worked during February 2025 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! freerdp2 (DLA-4053-1, DLA-4070-1, stable The situation for freerdp2 was that there were many

Regression in DLA 4053-1 - freerdp2

2025-02-23 Thread Tobias Frost
I've got report that there is a regression introduced by 2.3.0+dfsg1-2+deb11u2. The issue is related to drive sharing and is reported to not working anymore. The reporter analysed the issue as: > Drive sharing does not work for us any longer using version > 2.3.0+dfsg1-2+deb11u2, but it works

(E)LTS report for May 2025

2025-06-01 Thread Tobias Frost
I've worked during May 2025 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! abseil == (Follow up on the work from April), abseil has been fixed in stable as well, via the stable-proposed-updated mechanism, and a

EOLing nvidia-graphics-drivers for bullseye?

2025-06-23 Thread Tobias Frost
Hi, I was triaging nvidia-graphics-drivers, as they have a few CVEs open. However, the version in bullseye, version 470.256.02, is no longer supported by nvidia (since July 2024) and there is simply not enough information available to actually fix the issues. Therefore I'd suggest to drop support

Re: EOLing nvidia-graphics-drivers for bullseye?

2025-07-04 Thread Tobias Frost
On Tue, Jun 24, 2025 at 11:15:14PM +0200, Andreas Beckmann wrote: > On 6/24/25 19:46, Santiago Ruano Rincón wrote: > > I plan to contact directly the sponsor to study the impact of > > (officially) stopping supporting nvidia-graphics-driver. But before > > that, it would be helpful to know if a fu

(E)LTS report for May 2025

2025-07-08 Thread Tobias Frost
I've worked during June 2025 on the below listed package, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! nvidia-graphics-drivers === Triaged & started a discussion on how to support the nvidia-graphics-driver package, as the