Hello,
Thanks for the update, I will upload it next week if that's ok
/Nicolas
7 Jul 2024 14:55:41 Jonathan Wiltshire:
> Control: tag -1 confirmed
>
> Hi,
>
> Sorry about the long delay; if this is still of interest, please go ahead.
> The next point release of bullseye will be th
On 2024-04-22 at 13:08, Jonathan Wiltshire wrote:
Please go ahead.
Thanks, it's uploaded
On 2024-04-06 at 18:38, Jonathan Wiltshire wrote:
Sorry for the delay; please go ahead.
Thanks, it's uploaded!
/Nicolas
-0500
@@ -1,3 +1,12 @@
+glewlwyd (2.7.5-3+deb12u1) bookworm; urgency=medium
+
+ * d/patches: Fix CVE-2023-49208
+possible buffer overflow during FIDO2 credentials validation
+ * d/patches: Fix CVE-2024-25715
+open redirection via redirect_uri
+
+ -- Nicolas Mora Thu, 23 Nov 2023 17:12:13
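Review bot: the trailer `+ -- Nicolas Mora Thu, 23 Nov 2023 17:12:13` predates the second bullet, since CVE-2024-25715 is a 2024 identifier and could not have been referenced in November 2023; the entry was evidently amended after the trailer was written, so refresh the changelog timestamp when the final upload is prepared so that the date matches what is actually uploaded.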
Control: tag +1 moreinfo
Thanks,
Control: tag -1 moreinfo
Thanks,
Control: tag - moreinfo
Thanks,
Sorry, it seems that I'm not very well aware of the BTS process; according
to [1], this is how I should untag the bug.
[1] https://www.debian.org/Bugs/server-control
:07.0 -0500
@@ -1,3 +1,10 @@
+libssh2 (1.9.0-2+deb11u1) bullseye; urgency=medium
+
+ * Fix CVE-2020-22218: missing check in _libssh2_packet_add() allows
+attackers to access out of bounds memory.
+
+ -- Nicolas Mora Wed, 29 Nov 2023 07:00:07 -0500
+
libssh2 (1.9.0-2) unstable; urgency
) bullseye; urgency=medium
+
+ * d/patches: Fix CVE-2020-22218
+
+ -- Nicolas Mora Wed, 29 Nov 2023 07:00:07 -0500
+
libssh2 (1.9.0-2) unstable; urgency=medium
* d/control: Fix VCS URIs
diff -Nru libssh2-1.9.0/debian/patches/CVE-2020-22218.patch
libssh2-1.9.0/debian/patches/CVE-2020-22218.patch
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libs...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:libssh2
[ Reason ]
Fix CVE-2020-22218
https://security-tracker.debian.org/tracker/CVE-
: Fix CVE-2023-49208:
+ possible buffer overflow during FIDO2 signature validation
+ in webauthn registration
+
+ -- Nicolas Mora Fri, 24 Nov 2023 08:15:30 -0500
+
glewlwyd (2.5.2-2+deb11u2) bullseye; urgency=medium
* d/patches: Fix possible privilege escalation (Closes: #1001849)
diff
registration
+
+ -- Nicolas Mora Fri, 24 Nov 2023 08:15:30 -0500
+
glewlwyd (2.5.2-2+deb11u2) bullseye; urgency=medium
* d/patches: Fix possible privilege escalation (Closes: #1001849)
diff -Nru glewlwyd-2.5.2/debian/control glewlwyd-2.5.2/debian/control
--- glewlwyd-2.5.2/debian/control
/CVE-2023-49208.patch 1969-12-31 19:00:00.0 -0500
+++ glewlwyd-2.7.5/debian/patches/CVE-2023-49208.patch 2023-11-23 17:12:13.0 -0500
@@ -0,0 +1,21 @@
+Description: Fix CVE-2023-49208 for bookworm
+Author: Nicolas Mora
+Forwarded: not-needed
+--- a/src/scheme/webauthn.c
b/src
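Review bot: the DEP-3 header in this hunk (`+Description: Fix CVE-2023-49208 for bookworm`, `+Author: Nicolas Mora`, `+Forwarded: not-needed`) carries no `Origin:` field, so a reader of the package cannot tell which upstream change in src/scheme/webauthn.c this backports; add an `Origin:` line pointing at the upstream commit that fixes CVE-2023-49208 so the patch is traceable without the mail thread.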
Hello,
On Tue, 21 Nov 2023 13:30:31 + Steve McIntyre wrote:
Source: libssh2
Version: 1.9.0-2
Severity: serious
Tags: ftbfs patch
Hi!
Building libssh2 using debuild in a clean local chroot, I get test
failures and even a core dump!
Thanks for reporting the bug, although I have concerns o
table; urgency=medium
+
+ * Install config.json as config-2.7.json (Closes: #1035503)
+ * d/glewlwyd-debian.conf.properties: disable user_middleware_module_path
+
+ -- Nicolas Mora Thu, 04 May 2023 07:21:27 -0400
+
glewlwyd (2.7.5-2) unstable; urgency=medium
* d/control: add adduser as gle
x27;s
+implemtation of arc4random, thanks z...@debian.org!
+(Closes: #1023284)
+ * d/control: upgrade Standards-Version to 4.6.2
+ * d/copyright: update year to 2023
+
+ -- Nicolas Mora Wed, 04 Jan 2023 15:28:26 -0500
+
+libevent (2.1.12-stable-7) experimental; urgency=medium
+
+ * d/co
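Review bot: typo in the changelog line `+implemtation of arc4random, thanks z...@debian.org!`: `implemtation` should read `implementation`; worth fixing before upload since this text ends up verbatim in the shipped changelog.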
Hello team,
I've uploaded the package libevent 2.1.12-stable-8 to unstable to fix
the RC bug #1023284 (libevent: FTBFS with glibc 2.36) on March 3rd.
Now the package migration status is blocked because it needs an approval
[1]. According to the freeze policy [2], the package needs to be
unbl
Hello team,
I've made a bullseye-pu for the package glewlwyd/2.5.2-2+deb11u3 a few
months ago, but it seems that the bug has been lost somewhere. The bug
is #1007884.
The new package fixes 2 CVEs.
I think I did something wrong in the bug and it was lost in the pile of
pu packages, if so cou
On 2022-11-07 at 07:31, Nicolas Mora wrote:
I was also told to change the package name, it would also make the
package cleaner.
So uploading to experimental with the name libevent-2.1-12 instead of
libevent-2.1-7 would do it? Let's go with it then.
My mistake, renaming the pa
Hello,
Thanks for your help!
On 2022-11-07 at 05:44, Graham Inggs wrote:
A test rebuild of reverse-dependencies was done in Ubuntu, and the
transition went ahead.
I was also told to change the package name, it would also make the
package cleaner.
So uploading to experimental with the n
Hello release team,
I have a bug tagged serious in the package libevent I maintain [1]; I've
been told the solution is to start a transition workflow.
As mentioned in the transition doc [2], I uploaded the fixed package in
experimental, but I'm wondering what does "Check the auto-generated
"
/patches/aesgcm.patch: Fix aesgcm buffer overflow
+
+ -- Nicolas Mora Sun, 26 Jun 2022 17:27:39 -0400
+
rhonabwy (0.9.13-3+deb11u1) bullseye; urgency=medium
* d/patches/bugfixes: apply upstream bugfixes
diff -Nru rhonabwy-0.9.13/debian/patches/aesgcm.patch
rhonabwy-0.9.13/debian/patches
Control: tags -1 - moreinfo
Can you please review the last debdiff?
tches: Fix CVE-2022-29967
+ static_compressed_inmemory_website_callback.c in Glewlwyd
+ through 2.6.2 allows directory traversal
+ * d/glewlwyd-common.install: copy bootstrap, jquery, fork-awesome
+instead of linking it
+
+ -- Nicolas Mora Thu, 17 Mar 2022 21:13:09 -0400
+
glewlwyd (2.5.2-2+deb11u2) bullseye
Hello,
Is it possible to review the patch, so the package in bullseye can be in
p-u?
Thanks!
r overflow during webauthn signature assertion
+
+ -- Nicolas Mora Thu, 17 Mar 2022 21:13:09 -0400
+
glewlwyd (2.5.2-2+deb11u2) bullseye; urgency=medium
* d/patches: Fix possible privilege escalation (Closes: #1001849)
diff -Nru glewlwyd-2.5.2/debian/patches/series
glewlwyd-2.5.2/debian/patc
The CVE ID is CVE-2022-27240
fixed in unstable
[ Changes ]
Check the length of the signature before verifying it
[ Other info ]
CVE ID request pending
Description: Fix buffer overflow
Author: Nicolas Mora
Forwarded: not-needed
--- a/src/scheme/webauthn.c
+++ b/src/scheme/webauthn.c
@@ -2336,12 +2336,24 @@
break
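Review bot: the DEP-3 `Description: Fix buffer overflow` line says neither which buffer nor where; the surrounding mail places the fix in the webauthn signature assertion path of src/scheme/webauthn.c and the `[ Changes ]` block says the signature length is now checked before verification, so state that in the Description, and add the CVE ID once it is assigned (the `[ Other info ]` block notes the request is pending) so the patch describes itself without the thread.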
Also, the bug is only for 2.x versions.
The package glewlwyd 1.4.9-1 in oldstable isn't vulnerable
Hello,
On Fri, 24 Dec 2021 14:39:14 -0500 Nicolas Mora wrote:
Hello Salvatore,
On 2021-12-24 at 14:36, Salvatore Bonaccorso wrote:
>
> Any news on the CVE assignment? Did MITRE respond?
>
The CVE has been attributed for this bug: CVE-2021-45379
Hello Salvatore,
On 2021-12-24 at 14:36, Salvatore Bonaccorso wrote:
Any news on the CVE assignment? Did MITRE respond?
Not yet, still waiting for the submission to be reviewed according to
the mitre...
/Nicolas
) bullseye; urgency=medium
+
+ * d/patches: Fix possible privilege escalation (Closes: #1001849)
+
+ -- Nicolas Mora Fri, 17 Dec 2021 07:51:46 -0500
+
glewlwyd (2.5.2-2+deb11u1) bullseye; urgency=medium
* d/patches: Fix CVE-2021-40818
diff -Nru glewlwyd-2.5.2/debian/patches/auth.patch
glewlwyd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
[ Reason ]
A bug has been fixed in Glewlwyd 2.6.1 to avoid a possible privilege
escalation
[ Impact ]
User accounts might be compromised
[ Changes ]
Remove a misplaced se
Hello team,
Any chance those proposed-updates are allowed to be uploaded before the
freeze date?
bullseye
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994880
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994881
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994885
buster
https://b
/changelog 2021-09-20 08:15:27.0 -0400
@@ -1,3 +1,9 @@
+ulfius (2.5.2-4+deb10u1) buster; urgency=medium
+
+ * d/patches: Fix CVE-2021-40540
+
+ -- Nicolas Mora Mon, 20 Sep 2021 08:15:27 -0400
+
ulfius (2.5.2-4) unstable; urgency=medium
* debian/rules: remove override_dh_auto_test
+++ glewlwyd-2.5.2/debian/changelog 2021-09-22 08:42:59.0 -0400
@@ -1,3 +1,11 @@
+glewlwyd (2.5.2-2+deb11u1) bullseye; urgency=medium
+
+ * d/patches: Fix CVE-2021-40818
+ possible buffer overflow during FIDO2 signature validation
+ in webauthn registration
+
+ -- Nicolas Mora
07:29:46.0 -0400
@@ -1,3 +1,11 @@
+rhonabwy (0.9.13-3+deb11u1) bullseye; urgency=medium
+
+ * d/patches/bugfixes: apply upstream bugfixes
+ jwe cbc tag computation error
+ jws alg:none signature verification issue
+
+ -- Nicolas Mora Wed, 22 Sep 2021 07:29:46 -0400
+
rhonabwy
/changelog
--- ulfius-2.7.1/debian/changelog 2021-01-03 09:03:05.0 -0500
+++ ulfius-2.7.1/debian/changelog 2021-09-19 15:39:39.0 -0400
@@ -1,3 +1,9 @@
+ulfius (2.7.1-1+deb11u1) bullseye; urgency=medium
+
+ * d/patches: Fix CVE-2021-40540 (Closes: #994763)
+
+ -- Nicolas
bian/changelog 2021-09-19 15:39:39.0 -0400
@@ -1,3 +1,9 @@
+ulfius (2.7.1-1+deb11u1) bullseye; urgency=medium
+
+ * d/patches: Fix CVE-2021-40540
+
+ -- Nicolas Mora Sun, 19 Sep 2021 15:39:39 -0400
+
ulfius (2.7.1-1) unstable; urgency=medium
* New upstream release
diff -Nru ulfiu
Hello,
I would like to upload new versions for my packages ulfius, rhonabwy and
glewlwyd in buster-updates for ulfius and bullseye-updates for the 3 of
them.
The goal is to fix the following bugs:
- ulfius: CVE-2021-40540 (Bug #993851)
- rhonabwy: Bug #993866
- glewlwyd: CVE-2021-40818: weba
Hi Pierre-Elliott, thanks for your help!
On 2021-07-04 at 06:12, Pierre-Elliott Bécue wrote:
Have a look at [0].
Yes, that's why I'm asking for help. The full freeze is close but the
bugs fixed are quite important, and since rhonabwy is a crypto library,
they can lead to security iss
Hello release team,
I'm maintaining the package rhonabwy [1] in the Debian IoT team, as well
as being the upstream author.
Recently, I've fixed two bugs in the library that I'd like to backport
to the Debian package in the bullseye release; I consider them to be
important bugfixes.
Do I have
Hello team,
On 2021-04-02 at 16:28, Paul Gevers wrote:
Let's not do that this late in the release. We'll have the full bookworm
release to iron out corner case issues.
I agree, there's no rush
The license issue can be discussed again when bullseye is released;
meanwhile the package shou
Hello team,
I'm the maintainer of libssh2 [1]. There was an old bug with this
package asking to switch from libgcrypt to openssl [2].
The issue was with the OpenSSL license, which had consequences for its rdeps.
The ftp-master team came up with a solution for the OpenSSL license [3].
This sol