On Sun, Jul 13, 2025 at 01:17:36AM +0200, Santiago Ruano Rincón wrote:
> (CCing the actual security team address - team@s.d.o)
being lazy I'm replying to this mail though this is actually a reply to
> On 12/07/25 at 22:04, Paul Gevers wrote:
> > The text about golang and rustc and chromium
hi,
I also should have thrown in some more URLs, namely:
https://jenkins.debian.net/userContent/debian-edu-doc/debian-edu-doc-en/debian-edu-bookworm-manual.html
https://jenkins.debian.net/userContent/debian-edu-doc/debian-edu-doc-en/debian-edu-bookworm-manual.pdf
https://jenkins.debian.net/userCon
On Mon, Jun 09, 2025 at 04:43:47PM +, Holger Levsen wrote:
> https://wiki.debian.org/DebianEdu/Documentation/Trixie (or Bookworm or many
> earlier releases) is an example where this is being done, using translations
> via
> .po files (nowadays mostly translated via weblate
Hi Noah,
On Mon, Jun 09, 2025 at 12:20:36PM -0400, Noah Meyerhans wrote:
> Most basically, I wonder if folks think this is a worthy idea.
I do think so! Thanks for your initiative, I do hope it will fly!
> My inclination is to primarily focus on general principles rather than
> try to document
package: developers-reference
x-debbugs-cc: debian-security@lists.debian.org
hi,
On Tue, Jul 11, 2023 at 10:46:20PM +0200, Moritz Mühlenhoff wrote:
> > I found the Securing Debian Manual
> > (https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html).
> > This version is from 2017.
On Wed, Mar 30, 2022 at 09:36:58AM +0200, Sylvestre Ledru wrote:
> On 30/03/2022 at 07:07, Salvatore Bonaccorso wrote:
> > Sylvestre and Holger, would you have time to include the bugfix as
> > well in the future bullseye point release?
> Sure, should be easy.
> Is there a timeline?
as the last
hey hey, hear hear!
On Mon, Nov 01, 2021 at 07:44:34PM +, Moritz Muehlenhoff wrote:
> -
> Debian Security Advisory DSA-5000-1 secur...@debian.org
WHHO!
that's *something* to *celebrate*!!1 Very
On Sun, Jun 27, 2021 at 04:52:26PM -0400, Boyuan Yang wrote:
> Besides, I believe end users are not supposed to know deb-src line for
> security repos.
sure, they do! and of course we provide source for our security updates!
> Adding such info provides zero benefit except for confusing
> users.
Package: libwebkit2gtk-4.0-37
Version: 2.32.1-1~deb10u1
Severity: normal
Dear Maintainer,
from #debian-security today, Salvatore asked me to file this as a bug.
< h01ger> DSA 4923 causes xdg-desktop-portal(-gtk) to be installed here, much
to my surprise and unhappiness
< h01ger> it's a recommend
On Sun, May 16, 2021 at 05:21:50PM +0300, Serkan Özkan wrote:
> We are using Debian OVAL definitions but there are many tests, and states,
> that test for dpkg versions being less than 0.0 which is impossible in
> practice (right?).
no, it's possible:
0~1 is a valid version. It's smaller than zer
On Fri, Nov 13, 2020 at 12:06:50PM +0200, Georgi Guninski wrote:
> On Fri, Nov 13, 2020 at 10:21 AM Pavlos Ponos wrote:
> > BUT we should not forget to say a THANK YOU to these guys which give their
> > best in order all of us to use this OS for free ;-)
> I believe I am debian contributor too, s
hi,
(this started as a discussion whether to update radare2 in (old)stable
and has since then evolved into a discussion about the problem
summarized well by Raphael.)
On Thu, Aug 29, 2019 at 01:48:14PM +0200, Raphael Hertzog wrote:
> On Thu, 29 Aug 2019, Moritz Mühlenhoff wrote:
> > The upstream
On Fri, Aug 16, 2019 at 08:11:58PM +, Markus Koschany wrote:
> Markus Koschany pushed to branch master at Debian Security Tracker /
> security-tracker
>
> Commits:
> bc35662f by Markus Koschany at 2019-08-16T20:11:47Z
> Add radare2 to dla-needed.txt with comments.
>
> - - - - -
> 1 changed f
On Wed, Jun 12, 2019 at 03:05:13AM +1000, Andrew McGlashan wrote:
> Exploiting the flaws needs malicious code to be running on your box. If
> you are in total control over all VMs and processes on the box, then you
> should be good.
do you use a web browser with javascript enabled?
--
tschau,
Hi Roman,
the security team is not responsible for Debian LTS, I've thus added
debian-lts@lists.d.o to the mail recipients, so that they become aware
of your issue.
On Thu, Feb 14, 2019 at 06:06:34PM +0100, Roman Medina-Heigl Hernandez wrote:
> Hi security-fellows,
>
> I applied recent rssh sec
On Fri, Jan 18, 2019 at 01:58:12PM +0800, Paul Wise wrote:
> > To answer my own question, after PHP 5.5 the easter egg was removed already.
> So the issue would only be present in wheezy. I guess the ELTS folks
> might like to disable them.
I don't think the behaviour of php should be changed at t
On Tue, Nov 06, 2018 at 07:08:20PM +0800, Paul Wise wrote:
> Bug#908678: security-tracker - Breaks salsa.d.o
thank you.
--
cheers,
Holger
---
holger@(debian|reproducible-builds|layer-acht).org
On Tue, Nov 06, 2018 at 02:42:59PM +0800, Paul Wise wrote:
> Also, a much more important task is restructuring the git repo so that
> it doesn't cause responsiveness and resource usage issues with salsa.
is there a bug or wiki page describing the issues/requirements for that and
what has been trie
On Sun, Mar 04, 2018 at 04:07:14PM +0100, SZÉPE Viktor wrote:
> Why should one using an amd64 hardware update its kernel/reboot when changes
> are only for powerpc?
you should not. (or maybe you should so your monitoring will not
complain about running an outdated kernel.)
however, because the s
On Sat, Feb 17, 2018 at 02:35:22PM +0100, Moritz Mühlenhoff wrote:
> The update for gcc-4.9 has just been released.
> Test packages for gcc-6/stretch are now available at
> https://people.debian.org/~jmm/gcc6/
Thanks for your work on this, Moritz.
I have a stupid/uninformed question: is this gc
On Sun, Dec 03, 2017 at 01:11:50PM +0100, Bastian Blank wrote:
> It would still only need to compromise one machine: The one from where
> the keys are handled and distributed.
I rest my case. I'd secure the front door even if the side door (atm
still) can be compromised easily.
--
cheers,
On Sun, Dec 03, 2017 at 12:05:51PM +0100, Bastian Blank wrote:
> > in practice, this also has obvious flaws.
> Please elaborate.
for a start: one only needs to compromise one machine instead of many...
> > what's the technical reason
> > the buildds are n
On Sun, Dec 03, 2017 at 12:38:24PM +0800, Paul Wise wrote:
> The Debian buildds only do the first verification (due to all Debian
> package uploader keys not being installed) but the Debian archive
> verifies that all uploads match a known developer key before passing
> packages to the buildds. So
On Sat, May 13, 2017 at 10:48:18PM +0200, Aurelien Jarno wrote:
> The above change should now be deployed on most jessie based buildds,
> it's only missing on the buildds that are currently down.
cool, thank you!
--
cheers,
Holger
On Sat, May 13, 2017 at 05:52:04PM +0200, Mattia Rizzolo wrote:
> On Sat, May 13, 2017 at 03:44:57PM +0100, Chris Lamb wrote:
> > a) Has anything changed in the meantime?
>
> Yes: sbuild stopped repeating the changelog time taking it from the last
> entry, and will instead generate a new timestam
On Mon, Jan 30, 2017 at 02:47:45PM +0100, Johannes Schauer wrote:
> > (the sbuild maintainer reads the above list which has been cc:ed so he
> > should be able to comment…)
>
> You were talking about buildd-tools-de...@lists.alioth.debian.org
yes
> You forgot to CC that one (I understood that wa
On Mon, Jan 30, 2017 at 01:10:12PM +0100, Mattia Rizzolo wrote:
> > Would reproducible-bui...@lists.alioth.debian.org be the correct mailing
> > list to discuss this?
the debian-buildd list or a bug against sbuild might be more
appropriate…
(the sbuild maintainer reads the above list which has b
On Sat, Jan 28, 2017 at 03:04:56PM +0100, Daniel Reichelt wrote:
> I highly suspect this stems from packages' rules files supporting
> reproducible builds.
I rather think this is due to binNMUs not modifying debian/changelog…
(in the source package while it's modified in the binary packages…)
--
On Wed, Nov 09, 2016 at 07:14:45PM +0100, W. Martin Borgert wrote:
> If users of testing or unstable have the malware installed now and
> the package gets removed from the archive, users are left with the
> malware, right?
yes
> That's why I thought about uploading an empty package to unstable,
On Wed, Nov 09, 2016 at 05:35:20PM +0100, W. Martin Borgert wrote:
> Quoting Holger Levsen :
> >I think so. And I also think this should be done.
> >and, who's gonna file the RM bug for unstable?
> I would RM for buster, because users of stretch might already be affected.
On Wed, Nov 09, 2016 at 04:17:58PM +0100, W. Martin Borgert wrote:
> Would NEWS.Debian be sufficient?
I think so. And I also think this should be done.
and, who's gonna file the RM bug for unstable?
--
cheers,
Holger
On Thu, Aug 04, 2016 at 02:14:55AM +, Nick Boyce wrote:
> > Just don't use that crap. With the amount of zero days in Flash
> > you're subject to serious vulnerabilities even with an up-to-date
> > plugin.
> [...] Also I
> believe there are quite a few corporate intranet use-cases that *depend
On Wed, Aug 03, 2016 at 10:46:33PM +0200, Stefan Fritsch wrote:
> Maybe the flashplugin-nonfree package should even be replaced by a package
> that
> installs the ubuntu archive signing key, sets up the sources.list line, and
> tweaks the unattended-updates config to allow automatic updates from
On Tue, Aug 02, 2016 at 04:37:31PM +0200, Jakub Wilk wrote:
> Wiki is world-writable. It's safe to assume that everything there is
> nonsense unless proven otherwise.
It's also safe to assume that we'll all die one day, though that's also
not very helpful.
A useful first step to assess the qualil
Hi Christoph,
your email doesn't mention whether you searched the BTS for relevant bugs
about these issues. Have you?
And if there are no bugs filed yet, someone should file bugs.
:-)
--
cheers,
Holger
Hi Drake,
On Tue, May 24, 2016 at 01:32:08PM +0800, Paul Wise wrote:
> > Lacking any obvious way to talk to the security team without potentially
> > making my
> > message look more urgent than it was, I leave it to whoever else can
> > navigate the
> > Debian social structure to take it up in t
On Wed, May 18, 2016 at 06:33:52PM +0200, Jakub Wilk wrote:
> Could you explain how any of these tools leak any information "without a
> user's consent/expectation"?
gnome-calculator contacts a web page/service with currency exchange
information *on every start*, I think that's a good example of t
Hi,
On Saturday, 13 February 2016, Paul Wise wrote:
> On Sat, Feb 13, 2016 at 2:51 AM, Wheeler, David A wrote:
> > Should Debian's security team ask for a Common Platform Enumeration (CPE)
> > id when a related CVE is found/reported fixed?
>
> The debian-security list is a general Debian security
Hi Wolfgang,
On Tuesday, 2 February 2016, Wolfgang Jeltsch wrote:
> • Where does the tracker talk about security policies? (I actually
> doubt that such information is in the tracker at all.)
That's out of scope for the tracker indeed, however right now I don't know
where to find such poli
Hi,
On Wednesday, 20 January 2016, Bjoern Nyjorden wrote:
> Most appreciated. So, just to confirm; my take away on this is:
>
> * 1. "Wheezy" Linux kernels are NOT AFFECTED.
>
> * 2. "Wheezy" & "Jessie" BACKPORTS Linux kernels are VULNERABLE.
>
> If I have understood correctly?
yes!
cheer
Hi Bjoern (bcc:ed),
On Wednesday, 20 January 2016, Bjoern Nyjorden wrote:
> Are the "Wheezy" Linux kernels affected as well, or are they currently
> okay as far as you know?
on debian-backports@l.d.o Ben wrote:
> [...] It's fixed in jessie and sid,
> and doesn't affect anything older. {wheezy,j
Hi,
On Thursday, 19 March 2015, Patrick Schleizer wrote:
> > I think you probably just need to run "apt-get update" before "apt-get
> > install"...
> I did that, I am sure of it. Reproduced this on two different systems.
can you put the output of "apt-get update" and "apt-cache policy" on
past
Hi,
I think you probably just need to run "apt-get update" before "apt-get
install"...
It's definitely not a security issue deserving the attention of the security
team.
cheers,
Holger
On Saturday, 7 February 2015, Jan Wagner wrote:
> it would be great if you would open a bug against the
> debian-security-support package if there isn't one pending yet.
#776904 please mark chromium as unsupported in wheezy
Hi,
On Thursday, 5 February 2015, Paul van der Vlis wrote:
> There was always a year security support for oldstable.
you are right with that.
cheers,
Holger
Hi,
On Thursday, 5 February 2015, Paul van der Vlis wrote:
> Iceweasel support for oldstable stopped at 24 Mar 2009:
> Icedove support for oldstable stopped at 12 Jul 2009:
> Icedove security support for oldstable stopped at 09 Mar 2011:
> The security support of Iceweasel for oldstable stopped
Hi,
On Thursday, 18 September 2014, Holger Levsen wrote:
> I'm working on getting
> https://security-tracker.debian.org/tracker/status/release/stable-backport
> s meaningful for this task. Give me some more days... ;-)
for those not familiar with the current security-tracker de
Hi,
On Thursday, 18 September 2014, Henrique de Moraes Holschuh wrote:
> There is one thing that would be of great value: We need someone to go
> over the debian-backports packages for pending security updates, and
> notify the maintainers of the backports or the backports ML.
I'm working on
Hi Hans,
On Wednesday, 16 July 2014, Hans-Christoph Steiner wrote:
> What I'm talking about already exists in Debian, but is rarely used.
> dpkg-sig creates a signature that is embedded in the .deb file. So that
> means no matter how the .deb file got onto a system, that signature can be
> verif
Hi,
On Wednesday, 16 July 2014, Michael Stone wrote:
> Yes you are--what you described is exactly how the Release files work.
Well, there are (many) other .debs on the net which are not part of our
releases, so it still seems to me that making .changes files accessible in
standardized ways coul
Hi,
On Tuesday, 15 July 2014, Michael Stone wrote:
> Except that you haven't addressed *at all* why the current mechanism is
> insufficient, except that you don't like it and want to do something
> else instead.
AIUI Hans-Christoph wants something else _also_, not instead. And technically
I t
Hi,
as I've just been affected by "#700266 fetchmail: --sslfingerprint uses MD5"
I wonder if someone is tracking all the bugs related to using md5 hashes kind
of like how we track bugs in software not supporting ipv6.
User debian-security@lists.debian.org
Usertag 700266 md5
maybe?
cheers,
Hi Paul,
On Monday, 5 August 2013, Paul Henning wrote:
> Yes, kick Kurt Roeckx from his admin privileges to start. It's the easiest
> most basic thing you can do. [more FUD deleted]
are you paid by some three or four letter agency to spread FUD?
cheers & sorry, I couldn't resist,
Holger
Hi,
On Tuesday, 19 February 2013, Alex Antener wrote:
> > mum asks whether we want to come over for lasagne on Sunday :-)
> Gladly! - Place & time?
are we invited as well? What's the exact address? (But beware, this list has
>10k subscribers :-)
cheers,
Holger
Dear Russell,
On Friday, 30 December 2011, Russell Coker wrote:
> I can't imagine what the benefit would be in using "official" packages that
> I created and uploaded to Debian over using "unofficial" packages that I
> created and couldn't get in a Squeeze update
Frankly, your lack of imaginat
On Sunday, 11 December 2011, Matthias Klose wrote:
> the DLJ bundles were created because you are not allowed to re-distribute
> the jdk packages from oracle. Did that change recently?
I believe inside an organisation I can rebundle their bundles to my preferred
kind of bundle, that is, form of
Hi,
I forgot:
On Sunday, 11 December 2011, Holger Levsen wrote:
> $ debdiff sun-java6_6.26-3.dsc sun-java6_6.29-1.dsc|diffstat
> debian/changelog |8
> debian/rules |6
> jdk-6u26-dlj-linux-amd64.bin |327520
> ---
@@
+sun-java6 (6.29-1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * New upstream version to fix
+
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html#AppendixJAVA
+
+ -- Holger Levsen Wed, 23 Nov 2011 18:49:02 +0100
+
sun-java6 (6.26-3) unstable
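Review bot: the changelog entry at `+ * New upstream version to fix` cites only the Oracle CPU advisory URL; a security upload should also name the CVE identifiers it closes (and `Closes:` any BTS bug) so the security tracker can match the fix, and the diffstat line `jdk-6u26-dlj-linux-amd64.bin | 327520` shows the upstream binary bundle is replaced wholesale, which the entry should say explicitly.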
Hi,
On Monday, 10 January 2011, Hugh McDonald wrote:
> This advisory would be more useful to an administrator if package "nss"
> were known to "http://www.debian.org/packages";, or if it contained
> references to the affected debian package or packages.
http://packages.qa.debian.org/nss and/or
Hi,
On Friday, 20 March 2009, Eduardo M KALINOWSKI wrote:
> So as if vacation messages were not enough, now we have nonsense replies?
and yet more nonsense replies. if you mind those mistakes (which happen
because 3 people are subscribed to d-s-a and people are people), why do
you annoy 35
Hi,
On Thursday, 12 February 2009, Michael S. Gilbert wrote:
> I'll wait for lenny to
> get out the door rather than submitting these apparently complex and
> difficult security (and hence release-critical) issues at the last
> minute.
Please don't hesitate to file bugs (unless the issue at hand
Hi Sheldon,
this sounds like an interesting project, please keep us posted!
On Wednesday, 7 January 2009, Sheldon Hearn wrote:
> On Wednesday 07 January 2009 00:24:09 R. W. Rodolico wrote:
> > I have a package that we have been working on for a while that might
> > be a good starting point.
> >
>
Hi Kovács,
On Wednesday 08 October 2008 10:25, Kovács Zoltán wrote:
> I would call the attention to my contributed work, a Wiki at
> http://free.coedu.hu/ describing a step-by-step install procedure making
> a (relatively) safe Debian Etch LAMP server. The procedure contains:
What you write here
Hi,
On Wednesday 23 April 2008 13:24, Rolf Kutz wrote:
> Ack. But there should be a way to fix rc-bugs even
> after release.
There is. Even for ("only") important bugs.
The howto in short: have a bug with patch in the BTS, send mail to
debian-release and ask about this bug to be allowed to be
Hi,
[removed some of the cc:s]
On Sunday 13 April 2008 02:23, Andrea Barisani wrote:
> We already agreed that CC-BY-NC is not open enough, that's why we will
> consider CC-BY.
>
> I believe that license address your concerns, right?
If its CC-BY 3.0, yes. 2.5 is not good enough, afaik ;)
regar
Hi Marc,
and everybody else: please don't feed the troll. He was well known from
debian-release@, now debian-www@ and debian-security@ know him as well and he
will probably proceed to another channel.
Business as usual on the internet. I expect you received silly spam today too,
do you want to
Hi,
On Friday 28 September 2007 14:45, Johannes Wiedersich wrote:
> IIRC, this should apply only to upgrades from sarge. It's covered in
> Etch's release notes [1].
I stand corrected, thanks for pointing this out.
> [1]
> http://www.de.debian.org/releases/stable/i386/release-notes/ch-upgrading.e
Hi,
On Friday 28 September 2007 14:32, Marcin Owsiany wrote:
> It's just a warning, so not _that_ bad...
Not that bad, but every time I see it, I think "bad QA", which is bad.
regards,
Holger
Hi,
On Friday 28 September 2007 11:18, Jan Wagner wrote:
> > Running postinst hook script /sbin/update-grub.
> > You shouldn't call /sbin/update-grub. Please call /usr/sbin/update-grub
> > instead!
> you need to modify /etc/kernel-img.conf!
I believe this happens with a freshly installed etch sys
Hi Noah,
On Wednesday 07 February 2007 17:36, Noah Meyerhans wrote:
> The errors have already been corrected:
> http://www.debian.org/security/2007/dsa-1258
This is great, as the work of the security team usually is. But still, people
are subscribed to the lists and it would be nice, if they cou
Hi,
On Wednesday 07 February 2007 14:07, Martin Schulze wrote:
> Lalala
WTF? At least you used a proper from:-header...
Could you *please* correct your errors (which are no problem per se)
in a professional way?
Thanks.
regards,
Holger
Hi,
On Saturday 29 October 2005 05:53, Horms wrote:
> On Fri, Oct 28, 2005 at 04:26:43PM +0100, Steve Kemp wrote:
> > If it is useful I could begin sending out a form response, something
> > like "Yes we received your report, yes we will fix it, please have
> > patience".
> I think some sort o
Hi,
On Wednesday 18 May 2005 16:18, Thomas Bushnell BSG wrote:
> Declan Mullen <[EMAIL PROTECTED]> writes:
> > I need to develop appropriate tripwire policy rules for the files and
> > directories under "/var/" on Sarge. Being new to Debian, I would
> > appreciate receiving any example policy rule