Re: Security support for chromium in jessie

2017-11-04 Thread Michael Gilbert
On Tue, Aug 15, 2017 at 1:09 PM, Emilio Pozuelo Monfort wrote: > I think we should do this for as long as it's reasonably possible, given > firefox > updates will get harder and harder (they will require newer versions of rustc, > which may need to be bootstrapped) so having another supported brow

Security support for chromium in jessie

2017-07-30 Thread Michael Gilbert
Hi all, I do not have enough free time to be able to keep up with security updates to chromium in jessie (oldstable) any more. It is technically feasible to keep it working in a jessie environment, but each update has been more and more work. I expect that to continue. Anyway, if anyone would l

Re: Should we be alarmed at our state of security support?

2015-02-21 Thread Michael Gilbert
John Goerzen wrote: > You know, Mike, *explicit* in my original email was a question of what > help is needed. I was willing to pitch in and help. I may still be. If your goal is to help, then that's really cool. > But how else is someone going to learn that when security-tracker says > "vulner

Re: Should we be alarmed at our state of security support?

2015-02-18 Thread Michael Gilbert
On Wed, Feb 18, 2015 at 9:11 AM, John Goerzen wrote: > On this machine, it found 472 vulnerabilities. Quite a few of them fit > into the remotely exploitable, high urgency category. Many date back to > last year, some as far back as 2012. I've included a few examples at > the end. I'm not sure

Re: Missing tiff3 patch in security repo

2015-02-18 Thread Michael Gilbert
On Wed, Feb 18, 2015 at 12:50 PM, John Goerzen wrote: >> [wheezy] - tiff3 (the changes that [a]ffect the library are just >> hardening, converting uses of sprintf to snprintf. those can be rolled >> into the next tiff3 update, but a separate dsa isn't needed) >> >> > I saw that too, though the bug

Re: Security EOL within Debian Stable

2015-02-04 Thread Michael Gilbert
On Wed, Feb 4, 2015 at 8:09 PM, Stephen Dowdy wrote: > So, if a user installs said package, but fails to notice any EOL DSA > on it, the package gets left in place in a potentially VULNERABLE > state. i.e. if a known exploit comes out, and the package is still > installed, the end-user could get a

Re: [SECURITY] [DSA 3148-1] chromium-browser end of life

2015-02-04 Thread Michael Gilbert
On Wed, Feb 4, 2015 at 3:38 PM, Paul van der Vlis wrote: >> The backports team expects backporters to have demonstrated competence >> with the packages that they're planning to upload. Anyone considering >> this should first get involved with the package maintenance teams >> first and help with a

Re: [SECURITY] [DSA 3148-1] chromium-browser end of life

2015-02-04 Thread Michael Gilbert
On Mon, Feb 2, 2015 at 11:46 AM, Paul van der Vlis wrote: > I think it's a good idea to do a backport of the build-system after > freeze-time of testing. Then we know what the new build-environment is > for the coming release. > > I can understand that Michael does not have the time and motivation

Re: [SECURITY] [DSA 3148-1] chromium-browser end of life

2015-02-01 Thread Michael Gilbert
On Sun, Feb 1, 2015 at 9:52 PM, Russell Coker wrote: > On Sun, 1 Feb 2015 11:18:43 PM Paul Wise wrote: >> chromium was already being backported to wheezy for security updates, >> the latest versions need newer compilers so we can't backport any >> more. > > Why can't we backport the compilers too?

Re: [SECURITY] [DSA 3148-1] chromium-browser end of life

2015-01-31 Thread Michael Gilbert
On Sun, Feb 1, 2015 at 12:15 AM, Chris Frey wrote: > Can someone please point me to the upstream announcement for > dropping gcc 4.7 support? I can't seem to find it, and I'd like > to read up on the details why. The answer is in the previous mail I sent. The short answer is C++11. Best wishes,

Re: [SECURITY] [DSA 3148-1] chromium-browser end of life

2015-01-31 Thread Michael Gilbert
On Sat, Jan 31, 2015 at 5:44 PM, Darius Jahandarie wrote: >> Security support for the chromium web browser is now discontinued >> for the stable distribution (wheezy). Chromium upstream stopped >> supporting wheezy's build environment (gcc 4.7, make, etc.), so >> there is no longer any practical w

Re: [SECURITY] [DSA 2939-1] chromium-browser security update

2014-05-31 Thread Michael Gilbert
On Sat, May 31, 2014 at 3:13 PM, Andrew McGlashan wrote: > Google did have OCSP, but they deliberately removed it recently. > > FWIW, Steve Gibson has a very good take on all of this. > > The OCSP server not found issue is rare, in the past the /main/ CA's got > together to discuss the OCSP issue a

Re: [SECURITY] [DSA 2939-1] chromium-browser security update

2014-05-31 Thread Michael Gilbert
On Sat, May 31, 2014 at 1:46 PM, Andrew McGlashan wrote: > We may see certificate stapling as an answer, but that won't be enough > if it cannot be certified to /require/ stapling in the cert itself. > There may be other solutions in time. > > You are right in saying that the whole certificate revo

Re: [SECURITY] [DSA 2939-1] chromium-browser security update

2014-05-31 Thread Michael Gilbert
On Sat, May 31, 2014 at 12:19 PM, Kurt Roeckx wrote: > This is a manual, I currently see no need to automate it. Does buildd.debian.org provide any information about the up-to-dateness of its chroots? If this kind of information were available, it would help to determine whether a request for upd

Re: [SECURITY] [DSA 2939-1] chromium-browser security update

2014-05-31 Thread Michael Gilbert
On Sat, May 31, 2014 at 11:28 AM, Kurt Roeckx wrote: >> It could be nice if the stable buildds were kept more up to date. >> I've CC'd am...@buildd.debian.org to get their opinion on that. > > I've just updated the chroots. But there is reason to be > concerned that it was built against when there

Re: [SECURITY] [DSA 2939-1] chromium-browser security update

2014-05-31 Thread Michael Gilbert
On Sat, May 31, 2014 at 7:44 AM, Andrew McGlashan wrote: > Does Chromium suffer from the Google decision to make use of OCSP > impossible? Therefore, an untrustworthy browser. Basically, the answer is the design of certificate revocation is fundamentally flawed, and Google have their own security

Re: [SECURITY] [DSA 2939-1] chromium-browser security update

2014-05-31 Thread Michael Gilbert
On Sat, May 31, 2014 at 5:27 AM, Georgi Naplatanov wrote: > When I choose "About Chromium" menu item it says: > > Version 35.0.1916.114 Built on Debian 7.1, running on Debian 7.5 (270117) > > Is it true that the package for AMD64 is built on Debian 7.1? > If yes, is using this package secure? Yes

Re: Debians security features in comparison to Ubuntu

2014-05-17 Thread Michael Gilbert
> The problem is, that Debian lacks a page similar to: > https://wiki.ubuntu.com/Security/Features > > As you can see, that https://wiki.ubuntu.com/Security/Features page > looks impressive to new users. I guess Debian is losing a few users to > Ubuntu, because Debian does not have such a page. Mo

Re: Enhancements/enabled hardening flags in Wheezy pkgs/release.

2014-01-02 Thread Michael Gilbert
On Thu, Jan 2, 2014 at 6:36 PM, Daniel Curtis wrote: > > Hello everyone, > > Michael web site with a statistic I've watching for time to > time. Also Debian Hardening wiki page I studied a couple of > time. > >> There is a lintian check for setuid binaries (...) >> There isn't really any group effo

Re: Enhancements/enabled hardening flags in Wheezy pkgs/release.

2014-01-01 Thread Michael Gilbert
On Wed, Jan 1, 2014 at 12:24 PM, Daniel Curtis wrote: > Hi Moritz, > > 90 percent of the hardening via 'dpkg-buildflags'? That's > a good information. I'd hoped, that the majority of all base > packages and that's security-sensitive will be protected > well. It's really a huge satisfaction. You ca

Re: MIT discovered issue with gcc

2013-11-23 Thread Michael Gilbert
On Sat, Nov 23, 2013 at 4:52 PM, Jann Horn wrote: > On Sat, Nov 23, 2013 at 08:14:34AM -0500, Brad Alexander wrote: >> Any program at a level not very much above Hello World >> in the language of your choice is likely to have bugs. > > Isn't that a bit extreme? I think that a good programmer who se

Re: [SECURITY] [DSA 2797-1] chromium-browser security update

2013-11-23 Thread Michael Gilbert
On Sun, Nov 17, 2013 at 10:42 AM, Michael Gilbert wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > - - > Debian Security Advisory DSA-2797-1 secur...@debian.org > http://www.d

Re: How (un)safe would Debian be when only using the security.debian.org repository?

2013-11-11 Thread Michael Gilbert
On Mon, Nov 11, 2013 at 11:20 PM, Paul Wise wrote: > On Tue, Nov 12, 2013 at 6:30 AM, Michael Gilbert wrote: > >> Which confirms my point. That asterisk update, for example, required >> no new package dependencies outside the security archive. > > You said no deps outs

Re: How (un)safe would Debian be when only using the security.debian.org repository?

2013-11-11 Thread Michael Gilbert
On Mon, Nov 11, 2013 at 5:06 PM, Bastian Blank wrote: > On Mon, Nov 11, 2013 at 04:56:27PM -0500, Michael Gilbert wrote: >> That isn't quite right since excepting mistakes, security updates will >> never require packages outside the security archive. > > This is incorrec

Re: How (un)safe would Debian be when only using the security.debian.org repository?

2013-11-11 Thread Michael Gilbert
On Mon, Nov 11, 2013 at 6:17 AM, Norbert Kiszka wrote: > Missing dependencies can break upgrade. For ex. one package from > security-update can depend on other package, so it will not be > installed. Unless You install it by hand. That isn't quite right since excepting mistakes, security updates w

Re: How (un)safe would Debian be when only using the security.debian.org repository?

2013-11-10 Thread Michael Gilbert
On Sun, Nov 10, 2013 at 2:50 PM, adrelanos wrote: > Hi! > > How (un)safe would it be...? When using Debian while... > > Not using: > deb http://ftp.us.debian.org/debian stable main contrib non-free > deb http://security.debian.org stable/updates main contrib non-free > > Only using: > deb http://se

Re: [SECURITY] [DSA 2698-1] tiff security update

2013-06-19 Thread Michael Gilbert
On Wed, Jun 19, 2013 at 4:35 PM, Kurt Roeckx wrote: > On Wed, Jun 19, 2013 at 06:55:57PM +, Roland Karch wrote: >> Indeed I am. And I got it from wheezy: >> >> http://packages.debian.org/wheezy/libtiff4 >> >> >> And me running the version just between those was, well... part of why I >> asked

Re: [SECURITY] [DSA 2695-1] chromium-browser security update

2013-06-02 Thread Michael Gilbert
On Sun, Jun 2, 2013 at 11:51 AM, Nick Boyce wrote: > On Sunday 02 Jun 2013 16:13:43 Michael Gilbert wrote: > >> On Sun, Jun 2, 2013 at 9:32 AM, Nick Boyce wrote: >> >> > On Wednesday 29 May 2013 15:23:54 Michael Gilbert wrote: >> > >> >> or po

Re: [SECURITY] [DSA 2695-1] chromium-browser security update

2013-06-02 Thread Michael Gilbert
On Sun, Jun 2, 2013 at 9:32 AM, Nick Boyce wrote: > On Wednesday 29 May 2013 15:23:54 Michael Gilbert wrote: > >> or possibly have unspecified other impact via unknown vectors. > > I'm just wondering ... is that Google language for "or possibly allow remote > c

Re: flashplugin-nonfree get-upstream-version.pl security concern

2012-12-13 Thread Michael Gilbert
On Wed, Dec 12, 2012 at 11:41 PM, Jason Fergus wrote: > On Wed, 2012-12-12 at 17:26 -0500, Michael Gilbert wrote: >> On Wed, Dec 12, 2012 at 12:52 PM, adrelanos wrote: >> > What is Debian policy on code execution from user websites? >> >> Unfortunately there is none.

Re: flashplugin-nonfree get-upstream-version.pl security concern

2012-12-12 Thread Michael Gilbert
On Wed, Dec 12, 2012 at 12:52 PM, adrelanos wrote: > What is Debian policy on code execution from user websites? Unfortunately there is none. I've tried to gain consensus that at a minimum things downloaders like this need to stay out of main, but that thought hasn't really gained traction. The

Re: CVE-2011-1521 and CVE-2011-3389 - fixed packet

2012-10-01 Thread Michael Gilbert
On Mon, Oct 1, 2012 at 12:34 PM, Arne Wichmann wrote: > Hi, > > First: Could somebody perhaps enlighten me why all these issues show up > as unimportant in [2] but up to medium in the separate pages (e.g. [3]) That seems to be a tracker bug (possibly involving [squeeze], etc. release-specific tags).

Re: CVE-2011-1521 and CVE-2011-3389 - fixed packet

2012-09-24 Thread Michael Gilbert
On Mon, Sep 24, 2012 at 4:27 AM, Arne Wichmann wrote: > begin quotation from Michael Gilbert (in ): >> On Fri, Sep 21, 2012 at 11:40 AM, Arne Wichmann wrote: >> > Ok, I just created one more fixed version of python2.6 for my own use. >> > Whoever is interested can

Re: CVE-2011-1521 and CVE-2011-3389 - fixed packet

2012-09-21 Thread Michael Gilbert
On Fri, Sep 21, 2012 at 11:40 AM, Arne Wichmann wrote: > Ok, I just created one more fixed version of python2.6 for my own use. > Whoever is interested can find it at [1] for the time being. If anybody has > comments or improvements I am also interested. Would you mind attaching a debdiff so we ca

Re: Removal of email address from security announcement list

2012-09-13 Thread Michael Gilbert
On Thu, Sep 13, 2012 at 1:40 PM, wrote: > Please remove the following address from any debian mail lists: You have the ability to do that yourself: http://www.debian.org/MailingLists/unsubscribe Best wishes, Mike

Re: CVE-2012-1033 (bind9)

2012-08-04 Thread Michael Gilbert
On Thu, Jul 26, 2012 at 10:50 AM, Mike Ashton wrote: > Hello folks, > > If we look here: > > http://security-tracker.debian.org/tracker/CVE-2012-1033 > > it appears as though this CVE has been written off as a DNS protocol > flaw, I believe based on the original ISC announcement here: Hi, this had

Re: Please ensure an RC bug is open when DSA fixes are missing in testing/unstable

2012-07-26 Thread Michael Gilbert
On Thu, Jul 26, 2012 at 5:54 PM, Adrian Bunk wrote: > Many DSA's contain "For the unstable (sid) and testing (wheezy) > distribution, this problem will be fixed soon." > > When there is an unfixed version in testing and/or unstable, please > ensure an RC bug is open. Otherwise there is the possibil

Re: Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies

2012-07-02 Thread Michael Gilbert
On Mon, Jul 2, 2012 at 1:59 PM, Petter Reinholdtsen wrote: > > [Silvio Cesare] >> I recently ran the tool and cross referenced identified code copies with >> Debian's security tracking of affected packages by CVE. I did this for all >> CVEs in 2010, 2011, and 2012. > > This sound like a job that co

Re: Xorg: Security past client auth.

2012-06-10 Thread Michael Gilbert
On Sun, Jun 10, 2012 at 12:03 PM, Mike Mestnik wrote: > To be honest I can't say one way or another about whether there are > security issues in X if one has malicious clients connected. > > However I'm not having success discussing these matters over at > xorg-de...@lists.x.org. I'm not the most

Re: CVE-2011-1521 - python update for squeeze?

2012-04-23 Thread Michael Gilbert
On Mon, Apr 23, 2012 at 4:12 AM, Andrea Zwirner wrote: > I would be glad to make this one my first contribute to debian, can you just > route me to the right manuals to do it? Here is a link to info about proposed-updates: http://www.debian.org/releases/proposed-updates Here is a link to the info

Re: CVE-2011-1521 - python update for squeeze?

2012-04-22 Thread Michael Gilbert
On Sun, Apr 22, 2012 at 1:13 PM, Arne Wichmann wrote: > Hi... > > Is there an intention or interest to create a python update which fixes > CVE-2011-1521 for squeeze? From what I'm aware, there is currently no plan for that; although anyone interested in the problem can take the initiative to pre

Re: Samba Root CVE-2012-1182 - Possibly countered with hardening@compiletime ?

2012-04-17 Thread Michael Gilbert
On Tue, Apr 17, 2012 at 6:15 AM, Crusty Saint wrote: > Hi, > > Regarding https://www.samba.org/samba/security/CVE-2012-1182 > > I'm currently step-by-step looking into compiling my own debs and > recompiling existing ones (ignoring that optimisations are often > overrated). What I'm most intereste

Re: Security response: how are we doing?

2011-12-01 Thread Michael Gilbert
On Thu, Dec 1, 2011 at 6:11 AM, wrote: > On the other hand, at least from my point of view, things are not looking so > bright. I have on my watchlist 4 buffer overflows (CVE-2011-3193, > CVE-2011-3194, CVE-2011-1071, CVE-2011-1097), one DoS (CVE-2011-1659) and a > number of lesser problems (#6288

Re: [SECURITY] [DSA 2351-1] wireshark security update

2011-11-22 Thread Michael Gilbert
On Tue, Nov 22, 2011 at 12:36 AM, wrote: > I tried to contact them to remove the autoreply. Unfortunately they didn't > reply to me at all. > Seems there is nobody who reads this e-mail. Usually I would argue that it's wrong to forcibly unsubscribe an address, but in this case since these have come

Re: CVE-2011-1930: klibc 1.5.12-3 not available for lenny

2011-11-05 Thread Michael Gilbert
On Sat, Nov 5, 2011 at 7:31 AM, Jörg Sommer wrote: > Hi, > > the security tracker says there was a version 1.5.12-3 released to fix > the issue CVE-2011-1930 for lenny, but I can't find this version in the > archive and on snapshot. Does the security tracker have wrong information? The version number e

Re: Debian LTS?

2011-10-06 Thread Michael Gilbert
On Thu, 6 Oct 2011 17:50:18 -0700 jor...@envygeeks.com wrote: > > On Thu, 6 Oct 2011 09:50:12 +0100 Dominic Hargreaves wrote: > > If money were available, I'm sure there are plenty of skilled project > > participants that are more than willing to accept it. It could even be > > incentive- rather

Re: Debian LTS?

2011-10-06 Thread Michael Gilbert
On Thu, 6 Oct 2011 09:50:12 +0100 Dominic Hargreaves wrote: > On Wed, Oct 05, 2011 at 06:41:32PM -0700, Noah Meyerhans wrote: > > I agree. Long-term support is not sexy, and it's not something that > > most FLOSS developers (or developers in general, in my experience) have > > any interest in wor

Re: ksplice for debian kernel DSA's

2011-09-28 Thread Michael Gilbert
Sergey B Kirpichev wrote: > Hi, > > Has anyone used ksplice to patch standard debian > kernels? How do you prepare an update for regular kernel DSA's? > > Some time ago Oracle bought Ksplice and now their > Ksplice Uptrack for Debian is available for legacy customers > only. Probabl

Re: libpng CVE-2006-7244/CVE-2009-5063

2011-07-24 Thread Michael Gilbert
Henri Salo wrote: > There are two open vulnerabilities in libpng 1.2.27-2+lenny4 as you can see > from: > > http://security-tracker.debian.org/tracker/source-package/libpng > > The issues I am concerned about are CVE-2006-7244 and CVE-2009-5063. Notes of > the issues are: "package libpng is vul

Re: CVE-2011-1071 / #615120 - security fix in stable?

2011-06-18 Thread Michael Gilbert
Arne Wichmann wrote: > Hi, > > I see that CVE-2011-1071 (#615120) is done in testing - shouldn't it be > fixed in stable, too? Yes, Debian security is done by volunteers with limited time, so the best way to get things fixed is to volunteer to do the work yourself (especially in cases like this

Re: aptitude upgrade vs. apt-get upgrade

2011-03-31 Thread Michael Gilbert
On Thu, 31 Mar 2011 13:44:59 -0400 Michael Gilbert wrote: > On Thu, 31 Mar 2011 15:28:21 +0100 Hector Oron wrote: > > > Hi, > > > > 2011/3/31 Riku Valli : > > > > > apt-get is now preferred method over aptitude at Squeeze. However at > &g

Re: aptitude upgrade vs. apt-get upgrade

2011-03-31 Thread Michael Gilbert
On Thu, 31 Mar 2011 15:28:21 +0100 Hector Oron wrote: > Hi, > > 2011/3/31 Riku Valli : > > > apt-get is now preferred method over aptitude at Squeeze. However at > > Lenny aptitude is preferred over apt-get. > > > > You should use apt-get with Squeeze and aptitude with Lenny. > > It is recommen

Re: CVE-2010-3847 fixed or not?

2011-03-22 Thread Michael Gilbert
On Tue, 22 Mar 2011 16:11:33 +0100 Arne Wichmann wrote: > Hi, > > The situation around CVE-2010-3847 confuses me a bit. The security-tracker > says CVE-2010-3847 is still open, but the corresponding bug #600667 is > closed. The same of course applies for CVE-2011-0536. > > Is there anything I ca

Re: how to apply DSA-2157-1

2011-02-06 Thread Michael Gilbert
On Sun, 06 Feb 2011 15:50:26 +0100 Edoardo Panfili wrote: > good morning, > > I am using postgres on squeeze. > > Reading DSA-2157-1 I can see that I must upgrade to 8.4.7-0squeeze1 but > I can't find that package using http://www.debian.org/distrib/packages > or apt. Unfortunately, the squ

Re: some feedback about security from the user's point of view

2011-01-24 Thread Michael Gilbert
On Mon, 24 Jan 2011 17:30:31 +0100, Naja Melan wrote: > We can start with a first step, namely changing the instructions at > http://debian.org/CD/faq/#verify > If someone with the authority of changing the debian website would tell me > that if I wrote a proposition to change those instructions th

Re: some feedback about security from the user's point of view

2011-01-23 Thread Michael Gilbert
On Sun, 23 Jan 2011 20:22:34 -0600 Raphael Geissert wrote: > Michael Gilbert wrote: > > There is no need to worry about additional load on the mirrors since > > the only thing that needs to be verifiable are the checksums > > themselves, and that could easily be hosted o

Re: some feedback about security from the user's point of view

2011-01-23 Thread Michael Gilbert
On Sun, Jan 23, 2011 at 12:34 PM, AK wrote: > Hi all, > > a small disclaimer first, I am not affiliated with debian in any way, I > am, as the original author would have put it a user. I would like to > play devil's advocate in a few of the quite interesting points that Naja > raises: > > 1) Why is

Re: Starting point for contributing to debian-security

2011-01-03 Thread Michael Gilbert
On Mon, 03 Jan 2011 15:05:43 +0100, Yves-Alexis Perez wrote: > On mar., 2010-12-21 at 22:52 +0100, Yves-Alexis Perez wrote: > > Starting january, I think I'll be able to dedicate some time to debian > > security team. > > Ok, so we're now at beginning of january :) > > Is there any starting speci

Re: [SECURITY] [DSA 2134-1] Upcoming changes in advisory format

2010-12-19 Thread Michael Gilbert
On Sat, 18 Dec 2010 16:47:47 -0800 Vagrant Cascadian wrote: > will it include a list of affected binary packages (in addition to source > packages)? Just as a point of reference, you can use the debsecan package (or the security-tracker site [0]) right now to determine whether various package ver

Re: Bind security announce

2010-12-02 Thread Michael Gilbert
On Thu, 02 Dec 2010 08:34:40 -1000, Debian security wrote: > Hello, > > ISC published new versions of their DNS server: bind. > This version corrects bugs and one security issue (classified as High) > that impacts the version shipped in Debian Lenny. > It was published yesterday and I still

Re: [SECURITY] [DSA 2038-3] New pidgin packages fix regression

2010-11-15 Thread Michael Gilbert
On Mon, 15 Nov 2010 13:59:01 +0100, Gerfried Fuchs wrote: > Hi! > > * Thijs Kinkhorst [2010-11-15 13:32:16 CET]: > > On Mon, November 15, 2010 12:24, Gerfried Fuchs wrote: > > > * Thijs Kinkhorst [2010-11-13 20:37:28 CET]: > > >> Since a few months, Microsoft's servers for MSN have chang

Re: non-executable stack (via PT_GNU_STACK) not being enforced

2010-10-14 Thread Michael Gilbert
On Thu, 14 Oct 2010 16:39:57 -0500, Jordon Bedwell wrote: > On Thu, 2010-10-14 at 17:39 -0400, Jordan Metzmeier wrote: > > There are not only issues of legacy hardware but virtual machines. I > > signed up for the RHEL 6 beta. Downloaded my copy and fired it up in > > virtualbox, only to find that i

Re: non-executable stack (via PT_GNU_STACK) not being enforced

2010-10-11 Thread Michael Gilbert
On Mon, 11 Oct 2010 17:18:34 -0500 Marsh Ray wrote: > > You would need to convince the kernel team that the bigmem kernel > > should be the default on i386 systems. > > "Please?" Don't ask this list, ask the kernel team (via bug report and/or mailing list message). Note that ubuntu uses some kin

Re: non-executable stack (via PT_GNU_STACK) not being enforced

2010-10-11 Thread Michael Gilbert
On Mon, 11 Oct 2010 11:50:54 -0500, Marsh Ray wrote: > On 10/10/2010 12:40 PM, Kees Cook wrote: > > > > On Sun, Oct 10, 2010 at 01:35:10PM -0400, Brchk05 wrote: > >> this means that my CPU supports nx but I do > >> not have the right type of kernel, i.e., one that uses PAE > >> addressing, to suppo

Re: [SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities

2010-10-11 Thread Michael Gilbert
On Mon, 11 Oct 2010 10:39:37 -0500, Jordon Bedwell wrote: > On Mon, 2010-10-11 at 11:15 -0400, Michael Gilbert wrote: > > I highly doubt that there is anything malicious going on here, and there > > is always the "Debian does not hide problems" mantra. The simp

Re: [SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities

2010-10-11 Thread Michael Gilbert
On Mon, 11 Oct 2010 09:46:04 -0500, Jordon Bedwell wrote: > On Mon, 2010-10-11 at 10:40 -0400, Michael Gilbert wrote: > > The problem here appears to be the jump to the new upstream version > > (1.8.2 to 1.8.13), which has a different dependency set. New > > upstreams are

Re: [SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities

2010-10-11 Thread Michael Gilbert
On Mon, 11 Oct 2010 14:14:41 +0100, Ian Jackson wrote: > Florian Weimer writes ("[SECURITY] [DSA-2115-2] New moodle packages fix > several vulnerabilities"): > > DSA-2115-1 introduced a regression because it lacked a dependency on > > the wwwconfig-common package, leading to installation problems

Re: CVE-2009-3555 not addressed in OpenSSL

2010-09-29 Thread Michael Gilbert
On Tue, 28 Sep 2010 15:04:04 -0500, Marsh Ray wrote: > On 09/24/2010 02:45 AM, Simon Josefsson wrote: > > Marsh Ray writes: > > > >> As a long-term Debian user myself, I appeal to Debian's sense of > >> enlightened self-interest and urge that RFC 5746 support be backported > >> to stable. > > > >

Re: CVE-2009-3555 not addressed in OpenSSL

2010-09-29 Thread Michael Gilbert
On Wed, 29 Sep 2010 14:13:37 -0700, Kyle Bader wrote: > > Debian, being a volunteer organization, has its upsides and > > downsides. The downside here being without an active volunteer > > interested in this problem, nothing has happened. > > > > What is needed here is someone to step up to the p

Re: CVE-2009-3555 not addressed in OpenSSL

2010-09-29 Thread Michael Gilbert
On Wed, Sep 29, 2010 at 4:57 PM, Jordon Bedwell wrote: > There is a bug against openssl and mod_ssl for apache already they simply > just block renegotiation (unless they did a better patch later that I don't > recall seeing) and one was challenged (if I remember right openssl) because > it was mis

Re: CVE-2009-3555 not addressed in OpenSSL

2010-09-29 Thread Michael Gilbert
On Tue, 28 Sep 2010 15:04:04 -0500, Marsh Ray wrote: > On 09/24/2010 02:45 AM, Simon Josefsson wrote: > > Marsh Ray writes: > > > >> As a long-term Debian user myself, I appeal to Debian's sense of > >> enlightened self-interest and urge that RFC 5746 support be backported > >> to stable. > > > >

Re: [SECURITY] [DSA 2110-1] New Linux 2.6.26 packages fix several issues

2010-09-17 Thread Michael Gilbert
On Fri, 17 Sep 2010 11:02:13 -0700, Kyle Bader wrote: > > Package        : linux-2.6 > > Vulnerability  : privilege escalation/denial of service/information leak > > Problem type   : local > > Debian-specific: no > > CVE Id(s)      : CVE-2010-2492 CVE-2010-2954 CVE-2010-3078 CVE-2010-3080 > >      

Re: [Fwd: Re: [SECURITY] [DSA-2010-1] New kvm packages fix several vulnerabilities]

2010-03-10 Thread Michael Gilbert
On Wed, 10 Mar 2010 17:21:45 -0500, Daniel Kahn Gillmor wrote: > We recommend that you upgrade your kvm package. If your system is > currently using a kvm-modules package built from previous versions of > the kvm-source package, we recommend that you upgrade your kvm-source > package, re-build a n

Re: Linux 2.6 update for Etch

2010-02-18 Thread Michael Gilbert
On Thu, 18 Feb 2010 14:53:14 +0200 Peter Pentchev wrote: > Hi, > > First of all, apologies if this is sent to the wrong list, or if this > information is already available somewhere; also, I'm aware that > security support for Debian Etch ended a couple of days ago. > > In the recent DSA-1996-1

Re: CVE-2004-0230 RST DoS vulnerability in Lenny?

2010-02-11 Thread Michael Gilbert
On Thu, 11 Feb 2010 14:55:15 -0600 JW wrote: > Recently we've had a scanning vendor tell us our Debian Lenny 5.0.3 is > vulnerable to CVE-2004-0230: > > TCP/IP Sequence Prediction Blind Reset Spoofing DoS > > "It may be possible to send spoofed RST packets to the remote system." > > " . . . vu

Re: UNS: Debian 4.0 Upgrade Path

2010-01-21 Thread Michael Gilbert
On Thu, 21 Jan 2010 18:13:03 +, Robert Lemmen wrote: > On Thu, Jan 21, 2010 at 11:20:28AM -0500, Noah Meyerhans wrote: > > In general, skipping major versions has never been supported. An > > upgrade from etch to squeeze should always involve a short stop in > > lenny. > > of course, but doin

Re: is 2.6.26-19lenny1 legit?

2009-10-23 Thread Michael Gilbert
On Fri, 23 Oct 2009 11:04:03 -0400, Tom Vier wrote: > I don't see any announcement on security-announce or on security.debian.org! > Are these packages legit? > > linux-headers-2.6.26-2-amd64_2.6.26-19lenny1_amd64.deb > linux-headers-2.6.26-2-common_2.6.26-19lenny1_amd64.deb > linux-libc-dev_2.6.2

Re: Xpdf Integer overflow

2009-10-16 Thread Michael Gilbert
On Fri, 16 Oct 2009 20:15:50 +0300, Henri Salo wrote: > Is update for Xpdf-vulnerability coming soon for this issue: > > this issue was not disclosed responsibly, and we have just started tracking the problem. you can follow bug #551287. mike

Re: [SECURITY] [DSA 1885-1] New xulrunner packages fix several vulnerabilities

2009-09-14 Thread Michael Gilbert
On Mon, 14 Sep 2009 22:41:23 +0200, Michel Messerschmidt wrote: > On Mon, Sep 14, 2009 at 07:05:35PM +0200, Moritz Muehlenhoff wrote: > > For the experimental distribution, these problems have been fixed in > > version 1.9.1.3-1. > > It seems the update is not yet available for i386 because the bu

Fixes for gaim/pidgin vulnerabilities?

2008-11-24 Thread Michael Gilbert
Ubuntu [1] has recently released fixes for CVE-2008-2955, CVE-2008-2957, and CVE-2008-3532 in gaim/pidgin. Can we expect to see these fixes released for Etch soon? Also note that Ubuntu seems to have missed CVE-2008-2956 [2], which also applies to gaim/pidgin. The problem has not yet been fixed

Fixes for HPLIP vulnerabilities in Etch?

2008-11-22 Thread Michael Gilbert
Now that ubuntu [1] has released fixes for CVE-2008-2940 and CVE-2008-2941 in HPLIP, can we expect to see the same for Etch soon? Thanks for working to keep Debian secure. [1] http://www.ubuntu.com/usn/USN-674-1

re: CVE-2008-0595: possible DoS in dbus

2008-10-20 Thread Michael Gilbert
retitle 501443 dbus: CVE-2008-3834, possible DoS thank you hello, now that ubuntu has released fixes for this issue [1], can we hope to see the same action from debian soon? note also that the original report had the wrong CVE in the title (which i've fixed) and has a different wrong CVE in one o

Re: Bug#496851: yelp: does not correctly handle format strings for certain error messages

2008-08-27 Thread Michael Gilbert
>> what about getting a fix for this issue into stable? > > it doesn't affect stable ok, can someone update the tracker [1] to reflect that this issue does not affect etch (yelp 2.14) and sarge (yelp 2.6)? [1] http://security-tracker.debian.net/tracker/CVE-2008-3533

Re: Bug#496851: yelp: does not correctly handle format strings for certain error messages

2008-08-27 Thread Michael Gilbert
notfound 496851 2.22-1-6 thank you what about getting a fix for this issue into stable? > yelp (2.22.1-4) unstable; urgency=high > > * SECURITY: New patch, 60_format-string, fixes format string vulnerability; > bump urgency to high; CVE-2008-3533; GNOME #546364; from SVN r3173; > LP: #25

unfixed linux 2.6.24 and python vulnerabilities

2008-08-25 Thread Michael Gilbert
now that ubuntu has released an updated 2.6.24 kernel [1] today that fixes a couple CVEs that are as-yet unfixed in debian, and as of 25 days ago had released updates to python to fix quite a few CVEs [2] that are also as-yet unfixed in debian, can we expect to see some updates for these packages e

Re: Bug#492806: libavformat52: does not handle STR file demuxing (CVE-2008-3162)

2008-07-29 Thread Michael Gilbert
>> Package: libavformat52 >> Version: 0.svn20080206-11 >> Severity: grave >> Tags: security >> Justification: user security hole >> >> ubuntu just updated their libavformat packages to patch a problem with >> STR file demuxing [1]. does this problem apply to debian as well? the >> CVE number is C

Re: [SECURITY] [DSA 1615-1] New xulrunner packages fix several vulnerabilities

2008-07-23 Thread Michael Gilbert
> The correct place to report this is [EMAIL PROTECTED] > Just forward one of the mails and ask that they remove him. I > just did that, so he should be gone shortly. wouldn't it be better to send this person a warning? i'm sure it was just an honest mistake. it seems rather harsh to purge them

Re: Status of CVE-2008-1615 in stable?

2008-05-23 Thread Michael Gilbert
On 5/23/08, dann frazier wrote: > On Thu, May 22, 2008 at 11:23:36PM -0400, Michael Gilbert wrote: >> Looks like redhat recently released updates [1] that fix the >> high-severity vulnerability described by CVE-2008-1615 [2]. Will a >> similar fix be pushed out to debi

Status of CVE-2008-1615 in stable?

2008-05-22 Thread Michael Gilbert
Looks like redhat recently released updates [1] that fix the high-severity vulnerability described by CVE-2008-1615 [2]. Will a similar fix be pushed out to debian etch any time soon? It looks like it should be pretty straightforward since it is a one-line patch [2]. [1] http://rhn.redhat.com/er