Re: Securing Debian Manual too old?

2023-07-11 Thread Moritz Mühlenhoff
Stephan Seitz writes: > Hi! > > I found the Securing Debian Manual > (https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html). > This version is from 2017. This document is in fact too outdated and not in a shape in which we should prominently present it on the Debian website, thanks for

Re: c-ares, CVE-2023-31147, CVE-2023-31124

2023-06-27 Thread Moritz Mühlenhoff
On Fri, Jun 23, 2023 at 09:59:45PM +0200, Anton Gladky wrote: > Thank you all for your replies! > > @Moritz, could you please create an issue with > the possible proposal of how it should look? Sure, filed as #1039606 Thanks, Moritz

Re: [SECURITY] [DSA 5113-1] firefox-esr security update

2022-04-09 Thread Moritz Mühlenhoff
Friedhelm Waitzmann wrote: >> For the oldstable distribution (buster), these problems have >> been fixed in version 91.8.0esr-1~deb10u1. > > Where can I get this from for buster and architecture i386? >

Re: about older security advisories

2019-10-28 Thread Moritz Mühlenhoff
Thomas Lange wrote: >> On Mon, 28 Oct 2019 17:31:22 +, krishna said: > > > I am going through older security advisories at webpage [z]. I have > found some links are dead, etc. Some security advisories do not contain > "More information" and "Security database references". exampl

Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.

2019-09-04 Thread Moritz Mühlenhoff
On Thu, Aug 29, 2019 at 09:36:39AM +0200, Moritz Mühlenhoff wrote: > Adding the radare2 uploaders to CC. > > On Fri, Aug 16, 2019 at 11:23:05PM +0200, Markus Koschany wrote: > > >> + NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in > > >> + N

Re: how to deal with widely used packages unsuitable for stable (was Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.)

2019-08-30 Thread Moritz Mühlenhoff
On Fri, Aug 30, 2019 at 09:17:32AM +0200, Raphael Hertzog wrote: > Hi, > > On Fri, 30 Aug 2019, Pirate Praveen wrote: > > Fast Track repo works exactly like current backports except the packages > > are added from unstable (or experimental during transitions and freeze) > > as they cannot go to te

Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.

2019-08-29 Thread Moritz Mühlenhoff
Adding the radare2 uploaders to CC. On Fri, Aug 16, 2019 at 11:23:05PM +0200, Markus Koschany wrote: > >> + NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in > >> + NOTE: libr/core/bin.c. Many no-dsa issues in Jessie and Stretch. Should > >> we > >> + NOTE: continue the current

Re: bullseye-security instead of bullseye/updates

2019-06-12 Thread Moritz Mühlenhoff
Ansgar wrote: > I would like to switch to *-security instead of */updates starting with > bullseye. There will likely be some complications, but they should be > solvable by the time we will publish packages in bullseye-security. Sounds good to me. Cheers, Moritz

Re: Intel Microcode updates

2019-06-11 Thread Moritz Mühlenhoff
Russell Coker wrote: > Should it be regarded as a bug in the intel-microcode package that it doesn't > have this update that is "easy enough to source"? Or do you mean "easy to > get > but not licensed for distribution"? This is covered by #929073, which links to a PDF by Intel (which docum

Re: Gaps in security coverage?

2018-11-06 Thread Moritz Mühlenhoff
John Goerzen wrote: Hi John, > So I recently started running debsecan on one of my boxes. debsecan hasn't seen any feature work for about a decade and is far too noisy to the point of being useless these days. > It's a > fairly barebones server install, uses unattended-upgrades and is fully

Re: Testers needed for ghostscript update

2018-09-06 Thread Moritz Mühlenhoff
Jason Fergus wrote: > On Wed, 2018-09-05 at 08:20 -0400, Celejar wrote: >> On Wed, 5 Sep 2018 11:44:23 +0200 >> Moritz Mühlenhoff wrote: >> >> > Moritz Mühlenhoff wrote: >> > > There's a number of vulnerabilities found in Ghostscript by Tavi

Re: Testers needed for ghostscript update

2018-09-05 Thread Moritz Mühlenhoff
Moritz Mühlenhoff wrote: > There's a number of vulnerabilities found in Ghostscript by Tavis > Ormandy. His research is still ongoing with new issues being found, > but I've created an interim update which addresses most of the recent > issues he found. It works fine i

Testers needed for ghostscript update

2018-09-03 Thread Moritz Mühlenhoff
There's a number of vulnerabilities found in Ghostscript by Tavis Ormandy. His research is still ongoing with new issues being found, but I've created an interim update which addresses most of the recent issues he found. It works fine in my tests, but my use case is fairly limited (printing via a l

Re: retpoline-enabled GCC build for jessie

2018-02-22 Thread Moritz Mühlenhoff
Hi, Holger Levsen wrote: > I have a stupid/uninformed question: is this gcc only useful for > rebuilding the kernel or would it "in theory" (and practice) be better > to rebuild everything with it? (of course the latter is probably not really > practical for Debian, but others could do it mor

Re: retpoline-enabled GCC build for jessie

2018-02-17 Thread Moritz Mühlenhoff
Fabian Grünbichler wrote: > > > (and is the Stretch / gcc-6 update planned in the same > > > time frame as well?) > > > > Yes, an update for GCC 6 is also in the works, but will probably be a few days > > after the jessie update. > > any special reason for that? (out of curiosity, since we had also

Re: retpoline-enabled GCC build for jessie

2018-02-15 Thread Moritz Mühlenhoff
On Thu, Feb 15, 2018 at 02:55:02PM +0100, Fabian Grünbichler wrote: > > > (and is the Stretch / gcc-6 update planned in the same > > > time frame as well?) > > > > Yes, an update for GCC 6 is also in the works, but will probably be a few days > > after the jessie update. > > any special reason for t

Re: retpoline-enabled GCC build for jessie

2018-02-14 Thread Moritz Mühlenhoff
On Wed, Feb 14, 2018 at 03:26:31PM +0100, Fabian Grünbichler wrote: > is there a debdiff / source available as well? Above URL includes the source, but no debdiff (you can simply debdiff against the latest jessie package). > or is it "just" Jessie's current state plus the 9 patches from hjl's 4.9

retpoline-enabled GCC build for jessie

2018-02-13 Thread Moritz Mühlenhoff
Hi, I've created a GCC 4.9 package for jessie with backported support for -mindirect-branch (as needed to build kernels with retpoline support). Packages are available at https://people.debian.org/~jmm/gcc/. I've run some tests, but would appreciate additional testing feedback; the update is planne

Re: [SECURITY] [DSA 4078-1] linux security update

2018-01-12 Thread Moritz Mühlenhoff
Frank Nord wrote: > Peeking at Ubuntu: > https://usn.ubuntu.com/usn/usn-3522-3/ > "USN-3522-1 fixed a vulnerability in the Linux kernel to address > Meltdown (CVE-2017-5754). Unfortunately, that update introduced > a regression where a few systems failed to boot successfully. This > update fixes

Re: embedding openssl source in sslcan

2016-12-24 Thread Moritz Mühlenhoff
Sebastian Andrzej Siewior wrote: Please use t...@security.debian.org if you want to reach the security team, not debian-security@ldo. > tl;dr: Has anyone a problem if sslscan embeds openssl 1.0.2 in its > source? That's for post-stretch, right? Right now it can simply link against the 1.0.2 c

Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?

2016-10-11 Thread Moritz Mühlenhoff
te3...@sigaint.org wrote: > I read somewhere on a forum that for security vulnerabilities that have > "NVD security" ratings of medium or low risk, Debian's security team may > not issue patches/fixes for them. Only high-risk security vulnerabilities > will be fixed. Is that correct? No, the NV

Re: flashplugin-nonfree and latest Flash security updates

2016-08-03 Thread Moritz Mühlenhoff
Nick Boyce wrote: > I realise the nonfree plugin is not really supported, but given the > serious (!!!) security implications of running a known-vulnerable Flash > player for a significant time after a fixed version has been released, > and assuming Bart is MIA for some reason, is it possible fo

Re: Will Packaging BoringSSL Bring Any Trouble to the Security Team?

2016-05-13 Thread Moritz Mühlenhoff
Moritz Mühlenhoff wrote: >> are introducing BoringSSL, a fork of OpenSSL by Google. The latest >> Android OS and its SDK no longer use OpenSSL and they use some APIs >> only provided by BoringSSL, hence we are bringing BoringSSL to Debian. >> You can see the ITP at <htt

Re: Will Packaging BoringSSL Bring Any Trouble to the Security Team?

2016-05-12 Thread Moritz Mühlenhoff
殷啟聰 wrote: > Dear Debian Security Team, Our contact address is t...@security.debian.org, not debian-security... > The "android-tools" packaging team > > are introducing BoringSSL, a fork of OpenSSL by Goog

Re: tracking security issues without CVEs

2016-03-10 Thread Moritz Mühlenhoff
On Sun, Mar 06, 2016 at 06:58:48PM +0100, Salvatore Bonaccorso wrote: > But I think as well that it is right now too early to > start adopting these for not yet assigned issues. Agreed, let's stick with the usual "file a bug to get a temporary identifier" procedure for now. Cheers, Moritz

Re: [SECURITY] [DSA 3389-1] elasticsearch end-of-life

2015-11-04 Thread Moritz Mühlenhoff
Vincent Bernat wrote: > So, it's a bit like MySQL and VirtualBox, isn't it? Except they don't > provide any stable branch. More or less, yes. Cheers, Moritz

Re: [SECURITY] [DSA 3389-1] elasticsearch end-of-life

2015-11-04 Thread Moritz Mühlenhoff
Ansgar Burchardt wrote: > That's in the end just pretending the problem doesn't exist? No, from my PoV it's a clear separation between software following our usual standards (what's in main) and the rest (what's going to be in PPAs) > I'm really not a fan of moving stuff out of the official re

Re: [SECURITY] [DSA 3389-1] elasticsearch end-of-life

2015-11-02 Thread Moritz Mühlenhoff
Vincent Bernat wrote: > There are many tradeoffs recently with projects that do not want to > provide a sensible security track for stable releases: > > - always package the latest release (Chromium) For chromium and iceweasel the vast amount of security issues doesn't leave many other options.

Re: [SECURITY] [DSA 3389-1] elasticsearch end-of-life

2015-11-02 Thread Moritz Mühlenhoff
Rhonda D'Vine wrote: > Hi, > > * Moritz Muehlenhoff [2015-11-01 23:22:53 CET]: >> elasticsearch will also be removed from Debian stretch (the next stable >> Debian release), but will continue to remain in unstable and available >> in jessie-backports. > > I'm very disappointed that you mis

Re: [SECURITY] [DSA 3359-1] virtualbox security update

2015-09-18 Thread Moritz Mühlenhoff
Georgi Naplatanov wrote: > > Dear maintainer(s), > virtualbox-guest-additions-iso package version is 4.3.18. Are you going > to update the package to version 4.3.30? The security team doesn't support non-free. The maintainer can update it in a point update if needed. Cheers, Mo

Re: [SECURITY] [DSA 3358-1] php5 security update

2015-09-15 Thread Moritz Mühlenhoff
Wolfgang Karall wrote: > Hello Moritz, > > On 15-09-15 13:58:52, Moritz Mühlenhoff wrote: >> The upstream security support time frame isn't identi

Re: [SECURITY] [DSA 3358-1] php5 security update

2015-09-15 Thread Moritz Mühlenhoff
Wolfgang Karall-Ahlborn wrote: > Hello, > > since today marks the end of the security support for PHP 5.4, does > anyone know how the security support

Re: Bug#794466: Virtualbox might not be suitable for Stretch

2015-08-15 Thread Moritz Mühlenhoff
On Mon, Aug 10, 2015 at 07:16:59AM +, Gianfranco Costamagna wrote: > Yes, otherwise the points remains: > > 1) leave the oracle with CVEs in stable releases > > or > > 2) have an exception from Security Team and/or Release Team > > or > > 3) wait and hope Oracle will change the model or ma

Re: openjdk-7 security updates after JDK 7 End of Public Updates

2015-03-24 Thread Moritz Mühlenhoff
Francis Devereux wrote: > Hi, > > According to http://www.oracle.com/technetwork/java/eol-135779.html, Oracle > JDK 7 will reach "end of public updates" status in April. I believe that > OpenJDK 7 will reach EOL at the same time or soon afterwards. > > Will the openjdk-7 packages in wheezy con

Re: [SECURITY] [DSA 3148-1] chromium-browser end of life

2015-02-02 Thread Moritz Mühlenhoff
Paul Wise wrote: >> So, what are the alternatives in our case? > > Upgrade to jessie or switch to another web browser. Or use the (non-free) Chrome DEBs provided by Google. Cheers, Moritz -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "uns

Re: [SECURITY] [DSA 3061-1] icedove security update

2014-11-01 Thread Moritz Mühlenhoff
strumcat wrote: >> > The Icedove installer seems to be using a script that requires human > interaction (Press Q to quit), but the output isn't visible under > default settings in Synaptic. This makes the install seem to hang > indefinitely, unless the user clicks "View details" in the Synapt

Re: Debians security features in comparison to Ubuntu

2014-05-18 Thread Moritz Mühlenhoff
herzogbrigit...@t-online.de wrote: > Hello there, > I'm a new user of the great Debian distro for my Desktop. But when I talked > to a friend and I told him, that I'm using Debian (Wheezy) for my desktop > computer, he told me that I shouldn't use it because it is not secure. He told > me to u

Re: Enhancements/enabled hardening flags in Wheezy pkgs/release.

2014-01-02 Thread Moritz Mühlenhoff
Michael Gilbert wrote: > There isn't really any group effort tackling or monitoring the > assortment of useful hardening features. That is something that could > definitely be improved. Here are some concrete issues where people can help out. Many of these tasks will take less than an hour and y

Re: Enhancements/enabled hardening flags in Wheezy pkgs/release.

2014-01-01 Thread Moritz Mühlenhoff
Daniel Curtis wrote: > Hello everyone, > > Before Wheezy release we could find a web site, which > contained notices about update as many packages as > possible to use security hardening build flags via > 'dpkg-bui

Re: [SECURITY] [DSA 2819-1] End-of-life announcement for iceape

2013-12-19 Thread Moritz Mühlenhoff
Chris Frey wrote: > Is this for old-stable? Or for the latest 7.3 Debian? Also for Wheezy. > Was support dropped due to lack of manpower? And what were the main > differences between upstream Seamonkey and the Debian-branded version? > If Seamonkey is still supported, why not just package th

Testers needed for hplip security update

2013-12-17 Thread Moritz Mühlenhoff
Hi, I've prepared backports for various security issues in hplip. However, I don't have a printer, so I need help with testing. Packages can be grabbed from http://people.debian.org/~jmm/ Please send test feedback directly to j...@debian.org Cheers, Moritz

Re: Testing needed for openjdk-6 security updates

2013-07-22 Thread Moritz Mühlenhoff
On Mon, Jul 22, 2013 at 10:19:00PM +0100, Lisi Reisz wrote: > On Sunday 21 July 2013 14:21:20 Moritz Mühlenhoff wrote: > > Moritz Muehlenhoff schrieb: > > > As discussed on debian-release some time ago security support > > > for openjdk will be following upst

Re: Testing needed for openjdk-6 security updates

2013-07-17 Thread Moritz Mühlenhoff
Jens Schüßler wrote: > * Moritz Muehlenhoff wrote: >> As discussed on debian-release some time ago security support >> for openjdk will be following upstream releases in the future. >> >> The packages for openjdk are generally ready, but I don't use >> Java myself. As such I need some addition

Re: Testing needed: openjdk7 update for stable-security

2013-07-11 Thread Moritz Mühlenhoff
Moritz Mühlenhoff wrote: > As discussed on debian-release some time ago security support > for openjdk will be following upstream releases in the future. > The openjdk7 packages available at http://people.debian.org/~jmm/ > have seen initial testing and the testsuite results look

Testing needed: openjdk7 update for stable-security

2013-07-08 Thread Moritz Mühlenhoff
As discussed on debian-release some time ago security support for openjdk will be following upstream releases in the future. The openjdk7 packages available at http://people.debian.org/~jmm/ have seen initial testing and the testsuite results look good, but some advance testing on more setups (includ

Call for testing: rails update

2013-03-21 Thread Moritz Mühlenhoff
The upcoming rails update is a little more invasive than usual. If you run a rails-based setup, please test the packages from http://howl.nic.cz/rails/ and send your brief test results to t...@security.debian.org (and keep ond...@debian.org in CC) Cheers, Moritz

Re: [SECURITY] [DSA 2593-1] moin security update

2012-12-30 Thread Moritz Mühlenhoff
Salvatore Bonaccorso wrote: >> Package: moin >> Vulnerability : several >> Problem type : remote >> Debian-specific: no >> CVE ID : not available yet > > This was announced yesterday, but it looks like moin 1.9.3-1+squeeze4 > is not yet present in the security repository. >

Re: flashplugin-nonfree get-upstream-version.pl security concern

2012-12-12 Thread Moritz Mühlenhoff
On Wed, Dec 12, 2012 at 05:52:31PM +, adrelanos wrote: > Hi, > > I do not want to discuss security implications of the upstream closed > source Adobe Flash plugin. This is about how the Flash plugin is > downloaded and installed in Debian. > > /usr/sbin/update-flashplugin-nonfree downloads get

Re: flashplugin-nonfree : newer Flash Player

2012-11-07 Thread Moritz Mühlenhoff
Bart Martens wrote: > Hi, > > Maybe I should do announcements like this : > > | Users of the Debian package "flashplugin-nonfree" can now run > | "update-flashplugin-nonfree --install", since I've now updated the > download url > | and checksums to match the newest Flash Player version. S

Re: [SECURITY] [DSA 2550-1] asterisk security update

2012-09-24 Thread Moritz Mühlenhoff
On Wed, Sep 19, 2012 at 12:07:15PM +0200, Michael Kozma wrote: > On 19/09/2012 12:00, Cyril Brulebois wrote: > >Michael, that should be “chan_sip” apparently? > > Yes, sorry, but I have the same issue as Herman : > > monitoring*CLI> module load chan_sip > Unable to load module chan_sip > Com

Testers needed for OpenJDK update

2012-06-29 Thread Moritz Mühlenhoff
I've created backported stable-security OpenJDK packages for the latest Oracle security update round. They have passed initial testing, but since the patches are invasive and OpenJDK has many weird applications using it, I need additional user testing before I release the packages (I need at leas

Re: A security bug in Debian Squeeze libtiff (+ non-updated ia32-libs??)

2012-04-07 Thread Moritz Mühlenhoff
Mikulas Patocka wrote: > Hi > > There is a security bug in Debian Squeeze libtiff 3.9.4-5+sq. > > When loading corrupted images and with ElectricFence memory debugging > enabled, programs using libtiff crash. > > How to reproduce: Download corrupted images from here: > http://artax.karlin.mff.

Re: [SECURITY] [DSA 2437-1] icedove security update

2012-03-22 Thread Moritz Mühlenhoff
On Thu, Mar 22, 2012 at 01:15:35PM +0100, Christophe Garault wrote: > On 21/03/2012 19:58, Moritz Muehlenhoff wrote: > >For the stable distribution (squeeze), this problem has been fixed in > >version icedove 3.0.11-1+squeeze8. > Hello Moritz, > > The only version available today for stable is

Re: libfreetype6 Security Update w/out DSA?

2012-03-08 Thread Moritz Mühlenhoff
Wolfgang Karall wrote: > Hi, > > I'm getting this change but can't see a DSA for it: > > freetype (2.4.2-2.1+squeeze4) stable-security; urgency=low > > * CVE-2012-11[33|34|36|42|44] > > -- Moritz Muehlenhoff Wed, 07 Mar 2012 17:46:07 +0100 > > Is this legit? I guess so, but want to make sur

Re: Testers needed for Tomcat security update

2012-02-02 Thread Moritz Mühlenhoff
Moritz Mühlenhoff wrote: > Moritz Mühlenhoff wrote: >> Hi, >> the changes needed to secure Tomcat against the recent hash collision >> attack are large and intrusive. That's why we decided to update to >> 6.0.35 in the upcoming stable update. >> >>

Re: Testers needed for Tomcat security update

2012-01-29 Thread Moritz Mühlenhoff
Moritz Mühlenhoff wrote: > Hi, > the changes needed to secure Tomcat against the recent hash collision > attack are large and intrusive. That's why we decided to update to > 6.0.35 in the upcoming stable update. > > No breakage is expected, but we need more "be

Testers needed for Tomcat security update

2012-01-22 Thread Moritz Mühlenhoff
Hi, the changes needed to secure Tomcat against the recent hash collision attack are large and intrusive. That's why we decided to update to 6.0.35 in the upcoming stable update. No breakage is expected, but we need more "beta testers" before we can release the update. The packages can be fetche

Re: Vulnerable PHP version according to nessus

2011-12-28 Thread Moritz Mühlenhoff
Dave Henley wrote: > I recently installed a Debian Squeeze system along with apache2 and PHP5. > The system is fully up-to-date and the following php pack

Re: Bug#645881: critical update 29 available

2011-12-08 Thread Moritz Mühlenhoff
On Thu, Dec 01, 2011 at 09:47:53PM +0100, Florian Weimer wrote: > * Moritz Mühlenhoff: > > > Florian, what's the status of openjdk6 for stable/oldstable? > > I've released the pending update for squeeze. lenny will eventually > follow, and so will the pending upda

Re: Bug#645881: critical update 29 available

2011-11-22 Thread Moritz Mühlenhoff
On Fri, Oct 21, 2011 at 11:07:30AM +0200, Florian Weimer wrote: > * Moritz Muehlenhoff: > > > As for stable/oldstable: I noticed that Red Hat provided packages for > > update 29 for RHEL 4 (RHEL 5 onwards use OpenJDK): > > http://lwn.net/Articles/463919/ > > If anyone remembers the rationale beh

Re: Debian LTS?

2011-10-07 Thread Moritz Mühlenhoff
Florian Weimer wrote: > One person's essential features is another's backwards-incompatible > change. Driver updates to support new hardware are somewhat risky, > but often welcomed. Driver backports would likely be left aside for an initial LTS setup: - One of the use cases of an LTS is to h

Re: Debian LTS?

2011-10-06 Thread Moritz Mühlenhoff
Yves-Alexis Perez wrote: > On Tue, 2011-10-04 at 11:59 +0100, Dominic Hargreaves wrote: >> Hi all, >> >> I recall coming across the proposal/discussion in >> >> shortly after that wiki page was published, and thought it was something

Re: [SECURITY] [DSA 2287-1] libpng security update

2011-07-29 Thread Moritz Mühlenhoff
Kurt Roeckx wrote: > On Thu, Jul 28, 2011 at 06:23:46PM +0200, Luciano Bello wrote: >> For the oldstable distribution (lenny), this problem has been fixed in >> version 1.2.27-2+lenny5. Due to a technical limitation in the Debian >> archive processing scripts, the updated packages cannot be rele

Some missing packages for opensaml2, krb5-appl and qemu-kvm

2011-07-25 Thread Moritz Mühlenhoff
FYI: Due to a problem related to the key rollover in the buildd network, updated binaries are not available for a few archs. I'm looking into getting it fixed. Cheers, Moritz

Re: libpng CVE-2006-7244/CVE-2009-5063

2011-07-24 Thread Moritz Mühlenhoff
On Sun, Jul 24, 2011 at 06:08:49PM +0300, Henri Salo wrote: > On Sun, Jul 24, 2011 at 04:54:41PM +0200, Moritz Mühlenhoff wrote: > > Henri Salo schrieb: > > > There is two open vulnerabilities in libpng 1.2.27-2+lenny4 as you can > > > see from: > > > >

Re: libpng CVE-2006-7244/CVE-2009-5063

2011-07-24 Thread Moritz Mühlenhoff
Henri Salo wrote: > There are two open vulnerabilities in libpng 1.2.27-2+lenny4 as you can see > from: > > http://security-tracker.debian.org/tracker/source-package/libpng > > The issues I am concerned about are CVE-2006-7244 and CVE-2009-5063. Notes of > the issues are: "package libpng is vul

Re: CVE-2010-4655, CVE-2011-1012 and CVE-2011-1082 fixed in stable

2011-05-05 Thread Moritz Mühlenhoff
Arne Wichmann wrote: > CVE-2010-4655, CVE-2011-1012 and CVE-2011-1082 seem to be fixed in stable > [1-3], the security-tracker still reports them as v

Re: CVE-2010-4653 fixed in experimental

2011-03-22 Thread Moritz Mühlenhoff
Arne Wichmann wrote: > CVE-2010-4653 seems to be fixed in experimental but the tracker does not > reflect this. It does: The table below lists in

Re: [DSA 2160-1] tomcat6 security update

2011-02-14 Thread Moritz Mühlenhoff
moog wrote: > Hi, > > DSA 2160-1 is about CVE-2010-3718, CVE-2011-0013 and CVE-2011-0534. It says > "The oldstable distribution (lenny) is not affected by these issues." I > wonder > if that's mistaken, because says: > > CVE-2010-3718 ... Affects: 6.

Re: [SECURITY] [DSA-2154-1] exim4 security update

2011-01-30 Thread Moritz Mühlenhoff
You wrote in gmane.linux.debian.devel.security: > Hi, > > Please do not copy and paste contents of README.debian file. It's > redundant information and significantly adds work for translators > for each supported language. It's not. README.debian isn't translated (English only) and people need